Looking for some clear info on AD and OU

  • Question

  • My group creates computer names in AD in our policy-free OU (we also assign a group to the PCs so all of us can manage them in AD). Once the PC is in that specific OU, we can deploy an image w/o AD getting in the way. Immediately after, we move it elsewhere, depending on where it's going.

    Besides knowing that MDT can move a pc afterwards, I'm confused between writing any TS step to move the pc, vs what can be in a CS.INI. What is the purpose of this below, which I found in a CS example:

    JoinDomain=our domain
    DomainAdmin=domain full-admin user
    DomainAdminDomain=domain of user
    DomainAdminPassword=password of user
    MachineObjectOU=OU=name of OU in AD

    The last line, MachineObjectOU... what is that exactly? Is that supposed to imply that when my machine joins the domain, that is the OU it will go to? What if a user has already created that PC name in another OU, which we do?

    My bottom question is... can I, in CS.INI, specify "WHERE" I want a PC to be when it boots up from MDT? Even if it exists elsewhere, I'd like it in one specific OU. All machines. I don't need MDT to 'create and add' a computer. Every PC we clone already exists in AD ahead of time.

    I will add that this verbiage above is already in my CS. Our computers do join to our domain but they do so in the OU they are already in, so I'm not sure about the intent of that last line (perhaps the syntax is wrong if this is a correct line in a CS).

    Saturday, October 21, 2017 8:31 PM

All replies

  • MDT does not move computer objects. You could however extend basic MDT functionality to perform the feat: https://deploymentresearch.com/Research/Post/562/Moving-Computers-to-another-OU-during-deployment-Webservice-style
    FYI, the MachineObjectOU property plays a role if (and only if) the computer object does not already exist in AD.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Saturday, October 21, 2017 9:11 PM
  • I did read the site about Webservice. I'm not so concerned about moving a PC after cloning, but that it ends up in the right group just out of cloning.

    So you're saying that if I hadn't already created a computer name in AD, then MDT would add a name I choose during the wizard and add it to the OU I state in my CS?

    One question about that... when we add new PCs to AD, we assign a group to the name. The group contains all of the support techs who need to move machines around later on for whatever reason. Is there a way to add that group to the PC while it joins the domain? I wonder if there's another line in the CS that would do that. The group is just us as admins who have permissions to move them around.

    Sunday, October 22, 2017 2:42 AM
  • If cloning = deploying, then yes. If an object does not exist in AD, it will be created in the OU you specify. To add an AD group to local group, you could use Add-LocalGroupMember cmdlet (does that answer your second question or did I misunderstand it?).

    Cheers,
    Anton


    • Marked as answer by the1rickster Monday, October 23, 2017 1:03 PM
    Sunday, October 22, 2017 10:08 AM
  • I thought I was delving into more than I knew! Well, when we create computer names in our AD, we change the Default: Domain Admins user or group (where it says 'The following user or group can join this computer to a domain'). We change that to a domain group we all belong to.
    If MDT can join a computer to the domain where the name did not already exist, that's great but the computer name must also have that group added to it like we do manually.
    I do know that if I type a computer name in the Deploy Wizard and that name does not yet exist in AD, the pc will do its 4x reboot and then Succeed with the warning that it failed to attempt to join four times. So....there's that as well.
    So far, it all only works if the pc is already in AD.
    Sunday, October 22, 2017 5:47 PM
  • This is probably because by default your user account does not have permissions to create computer objects in your AD.

    You could, for example, talk to your AD team to provision a locked-down service account whose sole purpose is to join computers to the domain, thus rendering the requirement to add a user group to the computer object pointless.

    Cheers,
    Anton


    Sunday, October 22, 2017 6:00 PM
  • For sure. I already have an account which can join machines to the domain. Provided, it seems, that they already exist in AD. I may check into the permissions of that account to see whether it can 'create' accounts as well. If that happens, I will still need to figure out how to automate adding a specific group to those PCs. It's the security group we all belong to so we all can move those machines around in AD.
    Monday, October 23, 2017 1:02 PM
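
Added example, not part of the thread and not MDT's or Microsoft's code: a PowerShell script that does on the AD side what the poster keeps asking for. Two facts from the replies above drive it. MachineObjectOU expects the full distinguished name of the OU (for example OU=Staging,DC=corp,DC=example, so a bare OU=name as in the quoted CS.INI is not a valid value) and is consulted only when the computer object does not exist yet, which is why pre-created objects stay in whatever OU they were made in; and MDT does not move objects, so the move has to happen outside the task sequence. The script creates the object in the target OU if it is missing, moves it there if it already exists somewhere else, and then grants a support group on the object the same rights the ADUC pre-staging dialog grants when you change "The following user or group can join this computer to a domain". Assumptions: the RSAT ActiveDirectory module is installed, the account running the script may create and move computer objects in the OUs involved and edit their ACLs, and the OU DN, group name and computer name are placeholders. The four access rules are the set that dialog grants in my experience (Reset Password, the two validated writes, and the Account Restrictions property set); check them against one of your manually pre-staged objects with dsacls or Get-Acl before relying on the list.

```powershell
# Added example, not code from the thread, from MDT or from Microsoft.
# Pre-stages (or moves) a computer object into one fixed OU and delegates to a
# support group the rights ADUC grants via "The following user or group can
# join this computer to a domain". Assumptions: RSAT ActiveDirectory module is
# installed; the running account can create/move computer objects in the OUs
# below and edit their ACLs; OU DN, group and computer names are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    # Same full DN you put in MachineObjectOU= (a bare "OU=name" is not a valid DN).
    [string]$TargetOU    = 'OU=Staging,OU=Workstations,DC=corp,DC=example',
    # sAMAccountName of the support group that must be able to join/move the PC.
    [string]$JoinerGroup = 'Desktop-Support'
)

Import-Module ActiveDirectory

# Refuse anything that is not a plain NetBIOS name before it goes into an LDAP filter.
if ($ComputerName -notmatch '^[A-Za-z0-9-]{1,15}$') {
    throw "Refusing computer name '$ComputerName': not a valid NetBIOS name"
}
try { $null = Get-ADOrganizationalUnit -Identity $TargetOU }
catch { throw "Target OU '$TargetOU' does not exist; check the DN you use for MachineObjectOU=" }

# MDT creates the object in MachineObjectOU only when it does not exist yet and never
# moves an existing one, so both cases are handled here instead of in the task sequence.
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'"
if (-not $existing) {
    $computer = New-ADComputer -Name $ComputerName -Path $TargetOU -Enabled $true -PassThru
    $action   = 'created'
} elseif (($existing.DistinguishedName -replace '^CN=[^,]+,', '') -ne $TargetOU) {
    $computer = Move-ADObject -Identity $existing.DistinguishedName -TargetPath $TargetOU -PassThru
    $action   = 'moved'
} else {
    $computer = $existing
    $action   = 'already in place'
}

# Rights the ADUC pre-staging dialog grants in my experience (assumption: verify against
# one of your manually pre-staged objects with dsacls before relying on this list).
$group = Get-ADGroup -Identity $JoinerGroup
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    @{ Right = 'ExtendedRight'; Guid = '00299570-246d-11d0-a768-00aa006e0529' }  # Reset Password
    @{ Right = 'Self';          Guid = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }  # Validated write to DNS host name
    @{ Right = 'Self';          Guid = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }  # Validated write to SPN
    @{ Right = 'WriteProperty'; Guid = '4c164200-20c0-11d0-a768-00aa006e0529' }  # Write Account Restrictions (property set)
)
$dn  = $computer.DistinguishedName
$acl = Get-Acl -Path "AD:\$dn"
foreach ($r in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$r.Right, $allow, [guid]$r.Guid))
}
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Summary object, e.g. for a CSV of machines processed before an imaging run.
[pscustomobject]@{ Computer = $ComputerName; Action = $action; DN = $dn; DelegatedTo = $group.SamAccountName }
```

Run it from an admin workstation for each name before the machine is imaged (or loop it over a list); after that the task sequence's domain join finds the object already in the right OU with the group already delegated, which is what the thread was after. Two caveats. DomainAdmin and DomainAdminPassword in CustomSettings.ini sit in clear text on the deployment share, readable by anyone who can read the share, which is the real reason to use the locked-down join account Anton describes, delegated only "Create Computer objects" on the staging OU, rather than the "domain full-admin user" in the quoted CS.INI. And the rights this script grants on the object let the group join and reset the machine; moving it between OUs later still needs delegation on the OUs themselves (delete child on the source, create child on the target), which the script does not touch.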