Windows Vista Forums

Vista - GPO Logon Script that requires AD rights

08-13-2009   #1
Tranquil-IT

GPO Logon Script that requires AD rights

Hello all, and thank you in advance for taking the time to read this
and to share any thoughts/comments.

I am currently helping an organization restructure their domain.
Currently all computer accounts (~500) are grouped together in one OU
in AD. Management of most things is currently being done manually.
Fortunately, they have maintained an OU structure for users that is
based on their department.

What I need to do is organize the Computer accounts so that I can then
begin establishing managed software installations, etc.

Preferring not to do this by hand, I whipped up a quick vbs script
that, when run, grabs the ADsPath information for the current user and
drops it into an array. The section of the array that has the user's
departmental OU (i.e. "Sales") is then set to a variable and the "ou="
part of the string is stripped. The workstation name is then grabbed
and finally a function is called that will move the computer account to a
matching computer OU (i.e. Computers\Sales) for that user's department.

Everything works perfectly and I was happy it went so smoothly. I went
to go deploy the script via GPO for testing when I suddenly realized
this login script would do me no good since the users certainly don't
have the kind of rights required to manipulate AD like that.

Any ideas on how I might be able to salvage this script/idea? I can't
set it as a startup script, because there is currently no logged in
user during execution. I haven't checked, but I'm sure there's a "last
username logged in" sort of property I could query and use it that way
as a plan B, but I'd prefer to have it work appropriately the first
login, rather than 2nd.

Thank you kindly once again!

08-13-2009   #2
dopegroove

Re: GPO Logon Script that requires AD rights

On Aug 13, 6:00 pm, Tranquil-IT <brandan.cr...@xxxxxx> wrote:
You could try Steel RunAs to run the script with admin rights:
http://www.steelsonic.com/steelrunas.htm


08-13-2009   #3
Al Dunbar

Re: GPO Logon Script that requires AD rights


"Tranquil-IT" <brandan.creed@xxxxxx> wrote in message
news:1a038415-f99a-4f70-ad1e-868444e06035@xxxxxx
I'm glad you are not considering granting your users AD admin privs on all
of the OU's involved... ;-)

What I'd suggest is that you modify your script so that it does not attempt
to move the computer, but just records the move that should take place.
You'd then run another script from a privileged account that would process
all of the information collected and do the required moves.

You could store the computer name and destination OU in a text or csv file.
Alternately you could generate this information in the format of a call to
the function you wrote that does the move. You would then create a vbscript
that included the function and all of the generated function calls - after
verifying, of course, that nobody figured out what you were doing and
generated some alternate vbscript code for you to run as an admin ...

A few issues to consider:

- if your users are mobile, some might logon to computers that do not
actually belong to their part of the organization.

- your function might do the moves conditional on the account still being in
the original OU.

- if a computer is never logged into, does this mean it is just sitting
somewhere? on- or off-line? or was it stolen?

- At some point you will likely need to verify or reconcile the automated
results against whatever inventory system might be involved.

good luck.

/Al


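The split described in this reply (an unprivileged logon script that only records the intended move, and a separate privileged script that performs it), as an added VBScript example that is neither Al's nor the original poster's script. This is the unprivileged half: it derives the department from the user's DN the way the original script did, works out where the computer should go, and appends one line to a shared log instead of touching AD. The share path \\fileserver\movelog$\moves.txt, the OU=Computers,DC=example,DC=com layout and the timestamp;computer DN;source OU;target OU;user DN record layout are assumed placeholders; ADSystemInfo is the real ADSI object that returns the current user's and computer's Distinguished Names. Splitting a DN on commas assumes the computer's own RDN contains no escaped commas.

```vbscript
' Unprivileged logon script (added example, not from the thread): records the
' move that should happen, makes no change to AD. Runs as the logged-on user.
Option Explicit

Const ForAppending = 8
Const strLogFile = "\\fileserver\movelog$\moves.txt"     ' assumed share path
Const strComputersOU = "OU=Computers,DC=example,DC=com"   ' assumed target tree

Dim objSysInfo, strUserDN, strComputerDN, strDept, strSourceOU, strTargetOU
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName           ' DN of the logged-on user
strComputerDN = objSysInfo.ComputerName   ' DN of this computer

strDept = DepartmentOU(strUserDN)
If strDept <> "" Then
    strTargetOU = "OU=" & strDept & "," & strComputersOU
    strSourceOU = ParentDN(strComputerDN)
    ' Only record something when the computer is not already where it belongs
    If LCase(strSourceOU) <> LCase(strTargetOU) Then
        AppendLine strLogFile, strComputerDN & ";" & strSourceOU & ";" & _
            strTargetOU & ";" & strUserDN
    End If
End If

' First OU= component of a DN: "Sales" from "CN=Jane Doe,OU=Sales,OU=Users,DC=..."
Function DepartmentOU(strDN)
    Dim arrParts, i
    DepartmentOU = ""
    arrParts = Split(strDN, ",")
    For i = 0 To UBound(arrParts)
        If LCase(Left(arrParts(i), 3)) = "ou=" Then
            DepartmentOU = Mid(arrParts(i), 4)
            Exit Function
        End If
    Next
End Function

' Everything after the first comma: the DN of the container holding the object
Function ParentDN(strDN)
    ParentDN = Mid(strDN, InStr(strDN, ",") + 1)
End Function

' Append one timestamped record; the file is created on first use
Sub AppendLine(strPath, strText)
    Dim objFSO, objFile
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objFile = objFSO.OpenTextFile(strPath, ForAppending, True)
    objFile.WriteLine Now & ";" & strText
    objFile.Close
End Sub
```

Because every domain user can write to this file, the share should grant users append access only (no read, no delete), and the script that later consumes it must treat each line as untrusted data to be validated, never as code to run, which is exactly the concern raised above about someone generating "alternate vbscript code for you to run as an admin".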
08-13-2009   #4
Richard Mueller [MVP]

Re: GPO Logon Script that requires AD rights


"Tranquil-IT" <brandan.creed@xxxxxx> wrote in message
news:1a038415-f99a-4f70-ad1e-868444e06035@xxxxxx
There are a couple of potential problems with your approach:

1. As you've noted, users won't have permissions to move the objects in AD.
2. You depend on a "correct" user logging into the computer, someone in the
correct OU.
3. The script will run repeatedly, every time someone logs on.

Hard coding credentials is not a good idea, and doesn't address all of my
concerns above. I prefer doing things like this in bulk remotely. Then you
know it is done once per computer and the objects are moved where you
expect. The key here is knowing which OU to use for each computer. If you
can't document this, say in a spreadsheet, perhaps you can use a logon
script to log user and computer names to a shared log file. I have an
example VBScript program that logs information like this linked here:

http://www.rlmueller.net/Logon5.htm

The example, Logon5.vbs, logs the NT names (pre-Windows 2000 logon names) of
the user and computer. You will want the Distinguished Names (DN's) instead,
so instead of the lines:
=========
strUserName = objNetwork.UserName
strComputerName = objNetwork.ComputerName
=========
I would suggest:
=========
' ADSystemInfo returns the Distinguished Names of the current user and computer
Dim objSysInfo
Set objSysInfo = CreateObject("ADSystemInfo")
strUserName = objSysInfo.UserName
strComputerName = objSysInfo.ComputerName
=========
You can skip the part of this example that retrieves the IP address, unless
that will help you. After a while the shared log file will document which
users log into which computers. If this doesn't give you enough information
to decide where each computer object should be moved, then certainly doing
the moves in logon scripts wouldn't work well.

From the shared log file you can create a spreadsheet with the Distinguished
Names of each computer and the Distinguished Name of the OU they should be
moved into. You can sort the raw spreadsheet by computer DN, then select the
best user DN for each computer. Spreadsheet functions should be able to
strip off the common name of the user in the DN. The final spreadsheet
should have one row for each computer, with one column for the DN of the
computer and another for the DN of the target OU. Then you can code a
VBScript program to read the values from the final spreadsheet, bind to each
OU, and use the MoveHere method to move the computer objects into the
correct OU's. Does this sound feasible to you? I can post an example
VBScript program that reads computer and OU DN's from a spreadsheet and
moves the objects.

Also, once you have decided on the OU of the "correct" user for each
computer, you can also do a global find and replace in a spreadsheet to
place the computer objects in a different OU from the users.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


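The privileged half of the bulk approach, as an added VBScript example rather than the program Richard offers to post: run once, interactively, from an account that has the rights to move computer objects, never from a logon script and never with credentials hard-coded. It reads the shared log written at logon (assumed layout timestamp;computer DN;source OU;target OU;user DN at the assumed path \\fileserver\movelog$\moves.txt), validates each DN against a strict pattern before binding to it, so a user who writes arbitrary text into the shared file produces a rejected line rather than an LDAP bind, moves each computer at most once, and only if it is still in the container recorded at logon. The dry-run switch lets you review the planned moves against your inventory first. MoveHere with vbNullString as the new name keeps the existing CN; IADs.Parent and IADsContainer.MoveHere are real ADSI members.

```vbscript
' Privileged processing script (added example, not from the thread). The shared
' log is untrusted input: each DN must match a strict pattern before it is bound,
' a computer is moved at most once, and only if it is still in the container the
' logon script recorded. Nothing read from the file is ever executed as code.
Option Explicit

Const ForReading = 1
Const strLogFile = "\\fileserver\movelog$\moves.txt"   ' assumed share path
Const blnDryRun = True                                  ' set to False to move for real

Dim objFSO, objFile, strLine, arrFields, dicSeen, strKey, reDN
Set reDN = New RegExp
' Plain RDN values only (letters, digits, space, dot, underscore, dash). Escaped
' commas, quotes, semicolons or an "LDAP://" prefix fail the match and are rejected.
reDN.Pattern = "^(CN|OU)=[A-Za-z0-9 ._-]+(,(OU|CN)=[A-Za-z0-9 ._-]+)*(,DC=[A-Za-z0-9-]+)+$"
reDN.IgnoreCase = True

Set dicSeen = CreateObject("Scripting.Dictionary")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strLogFile, ForReading)

Do Until objFile.AtEndOfStream
    strLine = Trim(objFile.ReadLine)
    ' expected layout: timestamp;computer DN;source OU;target OU;user DN
    arrFields = Split(strLine, ";")
    If strLine = "" Then
        ' skip blank lines
    ElseIf UBound(arrFields) <> 4 Then
        WScript.Echo "Rejected (field count): " & strLine
    ElseIf Not (reDN.Test(arrFields(1)) And reDN.Test(arrFields(2)) And reDN.Test(arrFields(3))) Then
        WScript.Echo "Rejected (malformed DN): " & strLine
    Else
        strKey = LCase(arrFields(1))
        If Not dicSeen.Exists(strKey) Then    ' first record per computer wins
            dicSeen.Add strKey, True
            MoveIfStillThere arrFields(1), arrFields(2), arrFields(3)
        End If
    End If
Loop
objFile.Close

Sub MoveIfStillThere(strComputerDN, strSourceOU, strTargetOU)
    Dim objComputer, objTargetOU
    On Error Resume Next
    Set objComputer = GetObject("LDAP://" & strComputerDN)
    If Err.Number <> 0 Then
        WScript.Echo "Not found (renamed, deleted, never joined?): " & strComputerDN
        Err.Clear
        Exit Sub
    End If
    On Error GoTo 0
    ' IADs.Parent is the ADsPath of the container the object is in right now
    If LCase(objComputer.Parent) <> LCase("LDAP://" & strSourceOU) Then
        WScript.Echo "Skipped, no longer in " & strSourceOU & ": " & strComputerDN
        Exit Sub
    End If
    If blnDryRun Then
        WScript.Echo "Would move " & strComputerDN & " -> " & strTargetOU
        Exit Sub
    End If
    On Error Resume Next
    Set objTargetOU = GetObject("LDAP://" & strTargetOU)
    ' vbNullString as the new name keeps the computer's existing CN
    objTargetOU.MoveHere "LDAP://" & strComputerDN, vbNullString
    If Err.Number <> 0 Then
        WScript.Echo "Move failed for " & strComputerDN & ": " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Moved " & strComputerDN & " -> " & strTargetOU
    End If
    On Error GoTo 0
End Sub
```

Run it with cscript so the echoed lines go to the console, and keep that output: it is the reconciliation record against the inventory system. The script takes the first record per computer; if you want to pick the "best" user for computers that several people log into, do that selection in the spreadsheet step first and feed the script the cleaned file.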
08-13-2009   #5
Al Dunbar

Re: GPO Logon Script that requires AD rights


"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxx> wrote in
message news:OQ1y$XHHKHA.1380@xxxxxx
>
> "Tranquil-IT" <brandan.creed@xxxxxx> wrote in message
> news:1a038415-f99a-4f70-ad1e-868444e06035@xxxxxx
>
> There are a couple of potential problems with your approach:
>
> 1. As you've noted, users won't have permissions to move the objects in
> AD.
> 2. You depend on a "correct" user logging into the computer, someone in
> the correct OU.
> 3. The script will run repeatedly, every time someone logs on.
>
> Hard coding credentials is not a good idea, and doesn't address all of my
> concerns above. I prefer doing things like this in bulk remotely. Then you
> know it is done once per computer and the objects are moved where you
> expect. The key here is knowing which OU to use for each computer. If you
> can't document this, say in a spreadsheet, perhaps you can use a logon
> script to log user and computer names to a shared log file. I have an
> example VBScript program that logs information like this linked here:
>
> http://www.rlmueller.net/Logon5.htm
>
> The example, Logon5.vbs, logs the NT names (pre-Windows 2000 logon names)
> of the user and computer. You will want the Distinguished Names (DN's)
> instead, so instead of the lines:
> =========
> strUserName = objNetwork.UserName
> strComputerName = objNetwork.ComputerName
> =========
> I would suggest:
> ========
> Dim objSysInfo
> Set objSysInfo = CreateObject("ADSystemInfo")
> strUserName = objSysInfo.UserName
> strComputerName = objSysInfo.ComputerName
> =========
> You can skip the part of this example that retrieves the IP address,
> unless that will help you.
Wait a minute! What if there is a one-to-one relationship between the OUs
that the computers should be in and the AD subnet or site where the computer
is connected to their network? That is how our network is structured,
however, it might not be the case here.

But if it *is* the case, I'm sure you'd know at least a couple of ways to
determine the subnet/site of each computer...

/Al
> After a while the shared log file will document which users log into
> which computers. If this doesn't give you enough information to decide
> where each computer object should be moved, then certainly doing the moves
> in logon scripts wouldn't work well.
>
> From the shared log file you can create a spreadsheet with the
> Distinguished Names of each computer and the Distinguished Name of the OU
> they should be moved into. You can sort the raw spreadsheet by computer
> DN, then select the best user DN for each computer. Spreadsheet functions
> should be able to strip off the common name of the user in the DN. The
> final spreadsheet should have one row for each computer, with one column
> for the DN of the computer and another for the DN of the target OU. Then
> you can code a VBScript program to read the values from the final
> spreadsheet, bind to each OU, and use the MoveHere method to move the
> computer objects into the correct OU's. Does this sound feasible to you? I
> can post an example VBScript program that reads computer and OU DN's from
> a spreadsheet and moves the objects.
>
> Also, once you have decided on the OU of the "correct" user for each
> computer, you can also do a global find and replace in a spreadsheet to
> place the computer objects in a different OU from the users.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>


Vista Forums is an independent web site and has not been authorized,
sponsored, or otherwise approved by Microsoft Corporation.
"Windows Vista", the Start Orb, and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd
