Join a PC to a specific OU?

Archived from groups: microsoft.public.win2000.setup_deployment

Hi,

I have a pure AD Win2k network with some OUs. How can I manually join a
client PC to the domain to a specific OU?

I'm aware of Unattend facilities for this, but how can I do it sitting
at the PC?

--
Gerry Hickman (London UK)
  1.

    Hi Gerry

    Netdom.exe (part of the support tools on the CD) can do this from the
    command line. I would recommend that you create a dedicated user for this
    and use the delegation of control wizard to allow it to create and delete
    computer objects in the specific OUs you want.

    Hope this helps

    Oli

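    The netdom-based join Oli describes, written out as an added example (not code from the thread or from any of its posters). It uses a delegated join account instead of a domain admin and lands the computer object in a named OU via netdom's /OU switch; the domain name, OU distinguished name and account name are assumptions, and it expects netdom.exe and dsacls.exe from the Support Tools to be present.

```powershell
# Added example, not from the original thread. Join this workstation to the
# domain and place its computer object in a specific OU using netdom.exe.
# Domain, OU and account names below are assumptions for illustration.
param(
    [string]$Domain   = 'corp.example.com',                                     # assumed domain
    [string]$TargetOU = 'OU=Workstations,OU=London,DC=corp,DC=example,DC=com',  # assumed OU DN
    [string]$JoinUser = 'CORP\svc-domainjoin'                                   # assumed delegated account
)

# Step 1 (run once, as a domain admin, on a machine with the Support Tools):
# the command-line equivalent of the Delegation of Control wizard step in the
# reply above. It grants $JoinUser only Create Child / Delete Child rights
# for computer objects on that OU and its children, nothing domain-wide.
#
#   dsacls $TargetOU /I:T /G "${JoinUser}:CCDC;computer"

# Step 2 (run at the workstation being joined). /PasswordD:* makes netdom
# prompt for the password, so it never sits in a script or command history.
$netdom = Join-Path $env:SystemRoot 'System32\netdom.exe'
if (-not (Test-Path $netdom)) {
    throw 'netdom.exe not found; install the Windows Support Tools first.'
}

& $netdom join $env:COMPUTERNAME "/Domain:$Domain" "/OU:$TargetOU" `
    "/UserD:$JoinUser" '/PasswordD:*' '/Reboot:30'

# netdom reports failures (wrong OU DN, missing rights, name collision)
# through its exit code, so fail loudly rather than rebooting into a
# half-joined state.
if ($LASTEXITCODE -ne 0) {
    throw "netdom join failed with exit code $LASTEXITCODE"
}
```

    Because the delegated account can only create and delete computer objects under the chosen OU, a join attempt that names any other OU fails at the directory rather than silently landing in the default Computers container.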
  2.

    Oli Restorick [MVP] wrote:

    > Netdom.exe (part of the support tools on the CD) can do this from the
    > command line.

    Right, that does mean it will only work (interactively) on stations with
    netdom installed though.

    I find the lack of an OU field in the GUI very odd, when you think Win2k
    was designed to work with AD. Even more strange is that (apparently) XP
    does not have this facility either.

    > I would recommend that you create a dedicated user for this
    > and use the delegation of control wizard to allow it to create and delete
    > computer objects in the specific OUs you want.

    This sounds good. At present I have a domain admin account but strangely
    if I unjoin a workstation it refuses to delete the computer account in
    AD. If I go to "Active Directory Users and Computers" on the Admin
    station it lets me delete it without a problem.

    --
    Gerry Hickman (London UK)
  3.

    "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
    news:O04weFqPEHA.4036@TK2MSFTNGP12.phx.gbl...
    > Right, that does mean it will only work (interactively) on stations with
    > netdom installed though.
    Yes. Since I'm doing the domain join as part of an unattended build, I just
    include the netdom.exe file as part of the build. If you're looking for a
    way to add machines that have already been built to a specific OU, then I'm
    not sure.

    What you're really looking for is a way to specify in Active Directory which
    should be the default container/OU to add machines to. It's probably
    possible to do that. Perhaps one of the Directory Services guys might
    know -- a repost in microsoft.public.windows.server.active_directory might
    do the trick.

    It would be really cool if you could somehow use a WMI filter specified
    using AD that could determine the correct default OU for a machine.

    > I find the lack of an OU field in the GUI very odd, when you think Win2k
    > was designed to work with AD. Even more strange is that (apparently) XP
    > does not have this facility either.
    I think most people would find it confusing, to be honest. Most people
    would not get the LDAP path correct if you had to type it by hand. To
    provide a browse button, you'd need to authenticate against AD first.

    While most small businesses I know will go to the keyboard of the machine to
    do a domain join, bigger companies are more likely to create the machine
    account in the correct OU and then let the end user do the domain join
    themselves. Then again, the default of allowing 10 domain joins per user
    doesn't tie up with this, as it doesn't have any administrative involvement.
    You really don't want people dumping new machines into your computers
    container.

    As you've probably realised, you can't apply a GPO to the computers
    container (because it's a container). So, if you want a GPO to apply here,
    you have to apply it at the site or domain level, at which point it's going
    to get applied to your servers and probably several other machines you don't
    want to hit.

    Regards

    Oli
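    The "10 domain joins per user" default mentioned above is the ms-DS-MachineAccountQuota attribute on the domain naming context, and machines joined under that quota record the joining user's SID in mS-DS-CreatorSID. The following is an added example, not code from the thread or its posters, that audits both: it reads the quota, lists computers in the default container that were joined by ordinary users rather than a delegated account, and shows how the quota is set to 0 so that only delegated accounts can join. It uses plain ADSI (no ActiveDirectory module required); the assumption is that the default container is still CN=Computers.

```powershell
# Added example, not from the original thread. Audit the per-user machine
# account quota and find computers that were "dumped into the Computers
# container" by ordinary users. Assumes the default container has not been
# redirected away from CN=Computers.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = $rootDse.defaultNamingContext.Value
$domain   = [ADSI]"LDAP://$domainDn"

# 1. Current quota. The attribute may be unset, in which case AD applies
#    the default of 10, so report it that way.
$quota = $domain.Properties['ms-DS-MachineAccountQuota'].Value
if ($null -eq $quota) { $quota = 10 }
"ms-DS-MachineAccountQuota on ${domainDn}: $quota"

# 2. Computers created under the quota. mS-DS-CreatorSID is only populated
#    when a non-delegated user consumed part of their quota to join the
#    machine, so its presence is the tell-tale.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Computers,$domainDn"   # assumed default container
$searcher.Filter     = '(&(objectCategory=computer)(mS-DS-CreatorSID=*))'
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'mS-DS-CreatorSID', 'whenCreated'))

foreach ($result in $searcher.FindAll()) {
    # DirectorySearcher lower-cases property names in its result collection.
    $sidBytes = $result.Properties['ms-ds-creatorsid'][0]
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = $sid.Value }   # deleted or foreign account: show the raw SID
    '{0,-20} created {1} by {2}' -f $result.Properties['name'][0],
                                    $result.Properties['whencreated'][0],
                                    $creator
}

# 3. Hardening. With the quota at 0, only accounts holding delegated
#    Create Child rights for computer objects on a given OU can join
#    machines, which is exactly the model the earlier reply recommends.
#    Uncomment and run as a domain admin to apply.
# $domain.Put('ms-DS-MachineAccountQuota', 0)
# $domain.SetInfo()
```

    Run the audit before changing the quota: every computer it lists was joined without administrative involvement, and those are the objects worth moving into a managed OU (or re-creating with the delegated account) first.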
  4.

    See http://support.microsoft.com/default.aspx?kbid=324949

    A new feature in Windows 2003 is you can redirect the Computers container to
    an OU. It doesn't give you the flexibility to put the computers into
    different OUs but at least you can add the computer to an OU which has the
    appropriate GPOs applied, rather than having to worry about applying and
    filtering GPOs at the domain level.

    We don't use this though - all our PCs are added through RIS and we use
    menus to choose which OU to add them into.
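    The container redirection from KB 324949 is done with redircmp.exe on a domain controller. The following added example (not from the thread or its posters) wraps that one command with a before/after check that reads the domain's wellKnownObjects attribute, which is where AD records the current default container for new computer objects; the OU name is an assumption, and the script assumes a Windows Server 2003 functional level and Domain Admins rights, as the KB requires.

```powershell
# Added example, not from the original thread. Redirect the default
# Computers container (redircmp.exe, per KB 324949) and verify the change
# by reading the domain's wellKnownObjects entry for that container.
# The target OU is an assumption; run on a DC as a domain admin.

$targetOu = 'OU=Workstations,DC=corp,DC=example,DC=com'   # assumed OU DN

# The well-known GUID AD uses to tag the Computers container entry in
# wellKnownObjects (each entry is stored as B:32:<GUID>:<DN>).
$computersGuid = 'AA312825768811D1ADED00C04FD8D5CD'

function Get-DefaultComputerContainer {
    # wellKnownObjects is DN-with-binary; DirectorySearcher returns it as
    # plain strings, which is easier to parse than the ADSI COM object.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$domainDn", '(objectClass=domain)')
    $searcher.SearchScope = 'Base'
    [void]$searcher.PropertiesToLoad.Add('wellKnownObjects')

    foreach ($entry in $searcher.FindOne().Properties['wellknownobjects']) {
        $parts = [string]$entry -split ':', 4        # B, 32, GUID, DN
        if ($parts[2] -eq $computersGuid) { return $parts[3] }
    }
    throw 'Computers container entry not found in wellKnownObjects'
}

'Before: ' + (Get-DefaultComputerContainer)

& redircmp $targetOu
if ($LASTEXITCODE -ne 0) {
    throw "redircmp failed with exit code $LASTEXITCODE (check functional level and rights)"
}

'After:  ' + (Get-DefaultComputerContainer)
```

    The check matters because redircmp only rewrites that one attribute: if the "After" line still shows CN=Computers, the domain is not at the required functional level or the OU DN was mistyped, and new machines will keep landing in the unmanaged container.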
  5.

    Thanks very much for the info, Brendon.

    Oli

  6.

    Hi Oli,

    > What you're really looking for is a way to specify in Active Directory which
    > should be the default container/OU to add machines to.

    No, the way I see it is that there should be a third box called "OU"
    that you can fill in when joining a computer to a domain.

    > It would be really cool if you could somehow use a WMI filter specified
    > using AD that could determine the correct default OU for a machine.

    But I'm joining it manually, and I know where I want to put it!

    >>I find the lack of an OU field in the GUI very odd,

    > I think most people would find it confusing, to be honest.

    But surely most people who have been assigned the task of joining
    computers are capable of such things? If they're not, they could just
    leave the field blank and it would join to the root.

    > Most people
    > would not get the LDAP path correct if you had to type it by hand. To
    > provide a browse button, you'd need to authenticate against AD first.

    I do understand what you're saying here. I was thinking most enterprises
    would have their OUs directly below their root - this would only
    require one word in a text box e.g.

    Domain_Root
    - OU1
    - OU2

    It's not hard to type "OU2" if you want to join to the second OU? As you
    say though, an LDAP string would be more complicated, but it's still not
    rocket science - they can leave the box blank if they want.

    Actually the more I look at this, the more I'm wishing I'd kept a
    separate "resource" domain. When we did our Win2k migration we dissolved
    all the child domains and put the AD in head office (using OUs instead).
    Trouble is, there's a few things cropping up now that don't work too
    well with OUs.

    1. Policies - head office say we can't "block" theirs even if they conflict
    2. Software - lots of software can operate on "domains" but not on "OUs"
    3. Joining - as above you really need to be a domain admin for the whole
    thing
    4. Network browsing (Entire Network) is still "flat file", the fact the
    PCs are in different OUs doesn't help. When they were in domains they
    each had their own subtree.

    --
    Gerry Hickman (London UK)
  7.

    "Gerry Hickman" <gerry666uk@yahoo.co.uk> wrote in message
    news:%23b8wyZpQEHA.644@tk2msftngp13.phx.gbl...
    > But surely most people who have been assigned the task of joining
    > computers are capable of such things? If they're not, they could just
    > leave the field blank and it would join to the root.
    Much of the GUI in Windows is aimed at the lowest common denominator and is
    designed to be easy to learn. If you want to do something a little more
    adventurous, scripting is the way to go (although it would be nice if
    netdom.exe was part of the default installation).

    > I do understand what you're saying here. I was thinking most enterprises
    > would have their ou's directly below their root
    I don't!

    I think an extra box would have been useful, but it's not there, so we just
    have to live with that.

    > 1. Policies - head office say we can't "block" theirs even if they
    > conflict
    Yep.
    > 2. Software - lots of software can operate on "domains" but not on "OUs"
    Can you clarify? I don't get what you mean here.

    > 3. Joining - as above you really need to be a domain admin for the whole
    > thing
    Aaaaagh! Why do you need to be a domain admin? I administer my whole
    network without needing to log in as a domain admin. My regular work
    account is not a domain admin. I don't log in to member servers with a
    domain admin account and I sure as hell don't join workstations to the
    domain using a domain admin account!

    > 4. Network browsing (Entire Network) is still "flat file", the fact the
    > PCs are in different OUs doesn't help. When they were in domains they each
    > had their own subtree.
    The computer browser service is turned off on every machine in my domain, so
    I don't have that issue.

    Start | Run | \\machinename works great!

    Regards

    Oli
  8.

    There is a way for you to enter computers to a specific OU but it has to
    be done when you first log in at the text mode. There is a file on the
    server you must configure. Choice.OSC

    If you removed these entries on the RIS then you will get more options
    and one of them is to name the computer and to choose which OU the
    computer must reside in.

    <meta server action="DNRESET">
    <meta server action="FILTER CHOICE">


    Regards.
  9.

    Oli Restorick [MVP] wrote:

    > Much of the GUI in Windows is aimed at the lowest common denominator and is
    > designed to be easy to learn. If you want to do something a little more
    > adventurous, scripting is the way to go (although it would be nice if
    > netdom.exe was part of the default installation).

    In most scenarios this is fine, however certain dialogs can only be
    seen/changed when an administrator is logged in and I see no reason
    these dialogs would need to be over simplistic.

    >>I do understand what you're saying here. I was thinking most enterprises
    >>would have their ou's directly below their root
    >
    > I don't!

    So what do you have before the OUs in your tree?

    >>2. Software - lots of software can operate on "domains" but not on "OUs"
    >
    > Can you clarify. I don't get what you mean here.

    e.g. Anti-Virus software, SMS 2.0. It's got things like install/monitor
    whole domain x, domain y, but it doesn't allow you to only install to
    ou1, ou2 etc. Probably the same in things like HFNetchkPro. If ou1 wants
    to use SUS and ou2 wants to use Shavlik, this could be an issue.

    > Aaaaagh! Why do you need to be a domain admin? I administer my whole
    > network without needing to log in as a domain admin. My regular work
    > account is not a domain admin. I don't log in to member servers with a
    > domain admin account and I sure as hell don't join workstations to the
    > domain using a domain admin account!

    My regular work account is a user account. I think people are idiots
    that check their email logged in as domain admin! I also don't log into
    member servers as domain admin. I don't put domain admin passwords in
    scripts etc. The only time I use it is for joining/unjoining machines.
    I'm not allowed to create new accounts on the domain and some user
    accounts can only join 10 machines before croaking, so I'm not sure the
    correct way to do this. I also need to delete the old account when
    unjoining and I thought I needed admin rights to do that? I'm not a
    local admin on any of the DCs, and am not allowed access to the DCs.

    >>4. Network browsing

    > The computer browser service is turned off on every machine in my domain, so
    > I don't have that issue.

    Hehe, that's one way of solving it!

    > Start | Run | \\machinename works great!

    It's not great when you don't know the machine name.

    --
    Gerry Hickman (London UK)