Automated object placement using AutoAD

Shaun Vermaak

COG Lead Engineer

CERTIFIED EXPERT

My name is Shaun Vermaak and I have always been fascinated with technology and how we use it to enhance our lives and business.

Published: 2017-08-29

Implementation

1) Computer Description Update Process

a) Delegation

To be able to update computer descriptions you need to delegate rights.

Add the following permissions to Active Directory either to the root of the domain or any other Organizational Unit. You would add it to an Organizational Unit if you only want to use this process for some computers

b) Powershell Script

Below is the Powershell script used to update the computer description.

It is important to note that you should not change the format of the message if you are planning to use my automated object placement process.

This script will be used within a group policy in step c

try
    {
        # Get current user name
        $strUserName = $env:username;

        # Get current computer name
        $strComputerName = $env:computername;

        $objADSystemInfo = New-Object -ComObject ADSystemInfo;
        $objType = $objADSystemInfo.GetType();

        # Get current site name
        $strSiteName = $objType.InvokeMember('SiteName', 'GetProperty', $null, $objADSystemInfo, $null);

        # Get current date and time
        $strLogonDate = Get-Date -Format "dd-MM-yyyy HH:mm:ss";

        # Build message
        $strMessage = "$($strUserName) logged in on $($strLogonDate) at $($strSiteName) site";

        # Get computer object from Active Directory
        $strFilter = "(&(objectCategory=Computer)(name=$strComputerName))"
        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.Filter = $strFilter
        $objPath = $objSearcher.FindOne()
        $objComputer = $objPath.GetDirectoryEntry()

        # Update computer object description with message in Active Directory
        $objComputer.InvokeSet("Description", $strMessage)
        $objComputer.CommitChanges()
    }
catch
    {
        throw
    }

c) Group Policy Object

Create a GPO and link it to the root of a domain or Organizational Unit used in step a.

Add the PowerShell script from step b as a User Logon script

d) Result

After these steps, notice how the computer descriptions are automatically populated once the users log on to their computers

2) AutoAD

a) Download and extract AutoAD.zip (here is VirusTotal scan) to a folder of your choice on the computer which it will be scheduled to run on.

b) Run Configurator.exe (Configurator Editor).

c) On the Encrypt tab, enter the password for the account that will be performing the automated placement task. Encrypt it with key 2xCJvezFBYWQPBeHy7USdajK55M8skww and record encrypted password

d) On the Settings tab, enter the domain information, connection user name and the encrypted password recorded in step 2c.

Specify which objects AutoAD should create automatically

e) Specify Active Directory information. The format for these are Subnet/Bit Mask|AD Site Name|Computer DN|User DN

Subnet/Bit Mask: The subnet and mask (in bit format) for the specific entry

AD Site: The Active Directory site to which the subnet belongs

Computer DN: The distinguished name of the organizational unit where to move computers to for computer objects in this subnet

User DN: The distinguished name of the organizational unit where to move users to for user objects in this subnet

Please Note: Ensure that you do not allow users/admins to gain any additional permissions by moving users from one container to another. The reason for this is that a user move might be forced to an incorrect OU if descriptions are tampered with.

f) Specify any user DNs that should be skipped

g) Specify any computer DNs that should be skipped

Demo Execution

After implementing ComputerDescriptionUpdate.ps1 notice how computer descriptions are automatically updated

AutoAD.exe output

Sites and subnets automatically created by AutoAD

Organizational Units automatically created by AutoAD

Object placement (example 1)

Object placement (example 2)

Object placement (example 3)

Object placement (example 4)

Conclusion

Using this process will keep Active Directory organized and objects in the correct Organizational Units

Please do not forget to press the "Thumb's Up" button if this article was helpful and valuable for EE members.

It also provides me with positive feedback. Thank you!

$GPOCreateDate = "2022-06-08" $Domain = "DC=MyDomain" $TLD = "DC=Com" $FullDomain = "$($Domain),$($TLD)" $Site = "HeadOffice" $Prefix = "ABCD-" New-GPO "My New Policy" -Comment "$($GPOCreateDate): Created by Philip Elder." New-GPLink -Name "Default Domain Computers Security Policy" -Target "$($FullDomain)" -LinkEnabled Yes -Enforced Yes

Comments (3)

Albert Widjaja

IT Professional

Commented: 2019-06-10

Hi Shaun,

Thanks for sharing this great idea.

May I know if the section 1) Computer Description Update Process - a) Delegation must be executed on the root domain or this can be done on the default Computers OU and each of the OU where AD computer object is found?

Awarded 2017

Distinguished Expert 2019

Author

Commented: 2019-06-11

Both will work. Root is easier because object can be anywhere but delegation on a sub OU is better practice

Philip Elder

Senior Technical Architect - HA/Compute/Storage

Most Valuable Expert 2021

Distinguished Expert 2023

Commented: 2022-06-08

How does the .EXE interact with ADDS to create all of those objects please?

The above is for Step C which I think would fall in line with the step-by-step process to let folks know how to do that in PoSh?