Add new computer domain to specific group

    Question

  • Hello all,

    I am looking for a way to make a new domain computer a member of a specific group when it is born.

    So, I think the idea is: when the machine joins the domain, that machine becomes a member of the group that I need.

    Is this possible? I am afraid that some machines will not be members of that group if we need to do it manually.

    Thanks,

    Diego

    Tuesday, June 02, 2015 1:02 PM

Answers

  • You can do that with GPO "restricted group" and redirecting the default computer container:

    Redirecting the users and computers containers in Active Directory domains

    1. Log on with Domain Administrator credentials in the domain where the CN=computers container is being redirected.
    2. Transition the domain to the Windows Server 2003 domain in the Active Directory Users and Computers snap-in (Dsa.msc) or in the Domains and Trusts (Domains.msc) snap-in. For more information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
      322692 How to raise domain and forest functional levels in Windows Server 2003
    3. Create the organizational unit container where you want computers that are created with earlier-version APIs to be located, if the desired organizational unit container does not already exist.
    4. Run the Redircmp.exe file at a command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly created computer objects that are created by down-level APIs:
      redircmp container-dn
      Redircmp.exe is installed in the %Systemroot%\System32 folder on Windows Server 2003-based or newer computers. For example, to change the default location for a computer that is created with earlier-version APIs such as Net User to the OU=mycomputers container in the CONTOSO.COM domain, use the following syntax:
      C:\windows\system32>redircmp ou=mycomputers,DC=contoso,dc=com
      Note: When Redircmp.exe is run to redirect the CN=Computers container to an organizational unit that is specified by an administrator, the CN=Computers container will no longer be a protected object. This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design.

    Description of Group Policy Restricted Groups


    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no warranties and confers no rights.

    Tuesday, June 02, 2015 1:08 PM
  • I think you are looking for something like this:

    http://deployhappiness.com/shadow-groups-security-active-directory/

    I use the method above to automatically put computers (or users) into certain groups based on names, OU location, OS, etc.



    If my answer helped you, check out my blog: Deploy Happiness

    Tuesday, June 02, 2015 1:21 PM
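
The two answers above combine naturally: redirect new computer accounts into an OU, then keep a group in step with that OU. The following PowerShell sketch is an added example, not code from the thread or the linked blog; the group name `SG-MyComputers` is hypothetical, the OU is the one from the redircmp example, and it assumes the ActiveDirectory module (RSAT) and rights to modify the group.

```powershell
# Added example: shadow-group sync for the OU that redircmp made the default
# computer container. OU and group names are assumptions, not from the thread.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceOU    = 'OU=mycomputers,DC=contoso,DC=com',  # OU from the redircmp example
    [string]$ShadowGroup = 'SG-MyComputers'                     # hypothetical group name
)

# Check that the redirect took effect: new machine accounts land in this container.
$default = (Get-ADDomain).ComputersContainer
if ($default -ne $SourceOU) {
    Write-Warning "Default computer container is '$default', not '$SourceOU'."
}

# Desired state: every enabled computer object under the OU.
$wanted = @(Get-ADComputer -SearchBase $SourceOU -SearchScope Subtree -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DistinguishedName)

# Current state: computer objects that are direct members of the group.
$current = @(Get-ADGroupMember -Identity $ShadowGroup |
    Where-Object objectClass -eq 'computer' |
    Select-Object -ExpandProperty distinguishedName)

# -notin compares case-insensitively, which suits distinguished names.
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $ShadowGroup")) {
        Add-ADGroupMember -Identity $ShadowGroup -Members $dn
    }
}

# Removing stale members keeps group-based access from outliving OU placement.
foreach ($dn in $toRemove) {
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $ShadowGroup")) {
        Remove-ADGroupMember -Identity $ShadowGroup -Members $dn -Confirm:$false
    }
}

# Summary object for logging by whatever schedules the script.
[pscustomobject]@{ Group = $ShadowGroup; Added = $toAdd.Count; Removed = $toRemove.Count }
```

Run it with `-WhatIf` first to list the planned changes, then schedule it on a management host. A computer only picks up the new membership in its own security token after it restarts.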
