Solved

Change Default Domain Users to OU level users

Posted on 2007-04-03
Last Modified: 2008-05-31
I have a domain that spans many sites.  I have set up AD to geographically indicate where each site is based on the continent they are located.  Every site has an admin there and the OU for that site has delegated control to him/her to administer their respective site.  Each site OU has four containers, Groups, Users, Computers, and Servers.  I would like to change something....   When a site admin creates a new user, I would like it to default to the Users folder in that site's OU instead of Domain Users or Users.  I hope this makes sense and how do I accomplish that?

TIA!!
Question by:TIA_IT

Expert Comment

by:KCTS
ID: 18845580
Ref: http://support.microsoft.com/kb/324949
Redirecting CN=Users to an administrator-specified organizational unit
1. Log on with domain administrator credentials in the domain where the CN=Users container is being redirected.
2. Transition the domain to the Windows Server 2003 domain functional level in either the Active Directory Users and Computers snap-in (Dsa.msc) or the Domains and Trusts (Domains.msc) snap-in. For additional information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
322692 (http://support.microsoft.com/kb/322692/) How to raise domain and forest functional levels in Windows Server 2003  
3. Create the organizational unit container where you want users that are created with earlier-version APIs to reside (if the desired OU container does not already exist).
4. Run Redirusr.exe from the command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly-created user objects created by down-level APIs:
c:\windows\system32\redirusr container-dn
Redirusr is installed in the %SystemRoot%\System32 folder on new and upgraded Windows Server 2003-based computers. For example, to change the default location for users created with down-level APIs such as Net User to the OU=Users OU container in the CORP.COM domain, use the following syntax:
c:\windows\system32>redirusr ou=myusers,DC=company,dc=com

Expert Comment

by:LauraEHunterMVP
ID: 18845633
Keep in mind that redirusr will only allow you to redirect to a single OU; it does not have the necessary logic to say "Houston users should go in the Houston OU, Charlotte Users should go in the Charlotte OU", etc.  For that level of granularity you'll need some sort of provisioning system, either home-grown or purchased from a third-party vendor.

Redirusr will allow you to say "All new users created will go to the NewUsersOU rather than the Users Container", nothing more.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking

Author Comment

by:TIA_IT
ID: 18845736
Laura, actually that's what I'm looking for.  My Boston admin has a BST OU and a Users folder. When he creates a new user, that user gets bst+first initial+lastname and I would like that user account to be located in the Users folder in BST with memberships of BST-GG-ALL_USERS.    Same would go for any other of the 135 sites that we have.  The site admin creates the user, and the new account gets created in the respective OU for that site under Users, along with defaulted membership to the global group for ALL_USERS for that site.

So what I'm asking for is a third party deal?

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18845805
There's unfortunately nothing native to AD, including redirusr, that will give you the kind of business logic that you're describing.  

If you want to stick with free tools, you would need to do something like run a scheduled task every hour that searches through the AllUsersOU, and if it finds a user with the first 3 letters of BST, moves that user to the BST OU.  This would be reactive rather than proactive, but it would still accomplish the same thing.

I don't have one single script handy that will do all of that logic from beginning to end, but you could certainly cobble together the vbscript to do the search & move logic from a book like the Active Directory Cookbook.  (Shameless plug, I wrote it.  ;-)  However, the un-annotated VBScript code is available for free here: http://techtasks.com/code/viewbook/2)

Laura
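
The hourly search-and-move job described in this answer, together with the default group membership the asker wants, sketched in PowerShell as an added example (not part of the original thread and not code from the Active Directory Cookbook). The staging OU, the continent OU and the site map are constructed placeholders; the cmdlets are from the ActiveDirectory module.

```powershell
# Added example. All DNs and the site map below are constructed placeholders.
Import-Module ActiveDirectory

# Assumed: redirusr already points new users at this single staging OU
$StagingOU = 'OU=AllUsersOU,DC=company,DC=com'

# Site code -> site OU (constructed; one entry per site)
$Sites = @{
    'BST' = 'OU=BST,OU=NorthAmerica,DC=company,DC=com'
}

function Resolve-SitePlacement {
    param([string]$SamAccountName, [hashtable]$SiteMap)
    # Pure decision logic: the first three letters select the site.
    # Unknown or too-short names return $null so nothing is moved on a guess.
    if ($SamAccountName.Length -lt 4) { return $null }
    $code = $SamAccountName.Substring(0, 3).ToUpperInvariant()
    if (-not $SiteMap.ContainsKey($code)) { return $null }
    [pscustomobject]@{
        SiteCode = $code
        TargetOU = "OU=Users,$($SiteMap[$code])"
        Group    = "$code-GG-ALL_USERS"
    }
}

function Move-StagedUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # OneLevel: only accounts sitting directly in the staging OU are touched
    Get-ADUser -Filter * -SearchBase $StagingOU -SearchScope OneLevel | ForEach-Object {
        $p = Resolve-SitePlacement -SamAccountName $_.SamAccountName -SiteMap $Sites
        if (-not $p) {
            Write-Warning "No site match for $($_.SamAccountName); left in staging"
            return   # acts as 'continue' inside ForEach-Object
        }
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, "add to $($p.Group), move to $($p.TargetOU)")) {
            # Group first, then move, so the object's DN is still current
            Add-ADGroupMember -Identity $p.Group -Members $_
            Move-ADObject -Identity $_ -TargetPath $p.TargetOU
        }
    }
}

# Dry run; drop -WhatIf once the reported moves look right
Move-StagedUsers -WhatIf
```

The account running the scheduled task needs only delegated rights to move user objects out of the staging OU into the site Users OUs and to write membership on the site groups, not Domain Admin. Because the site is inferred from a name the creating admin chose, the job grants site group membership on the strength of the prefix alone, so log every move and review accounts left in staging.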


Expert Comment

by:Chris Dent
ID: 19708205

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
ACCEPT: LauraEHunterMVP {18845805}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer