Solved

Change Default Domain Users to OU level users

Posted on 2007-04-03
Last Modified: 2008-05-31
I have a domain that spans many sites.  I have set up AD to geographically indicate where each site is, based on the continent it is located in.  Every site has an admin there, and the OU for that site has delegated control to him/her to administer their respective site.  Each site OU has four containers: Groups, Users, Computers, and Servers.  I would like to change something.  When a site admin creates a new user, I would like it to default to the Users folder in that site's OU instead of Domain Users or Users.  I hope this makes sense. How do I accomplish that?

TIA!!
Question by:TIA_IT
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18845580
Ref: http://support.microsoft.com/kb/324949
Redirecting CN=Users to an administrator-specified organizational unit
1. Log on with domain administrator credentials in the domain where the CN=Users container is being redirected.
2. Transition the domain to the Windows Server 2003 domain functional level in either the Active Directory Users and Computers snap-in (Dsa.msc) or the Domains and Trusts (Domains.msc) snap-in. For additional information about increasing the domain functional level, click the following article number to view the article in the Microsoft Knowledge Base:
322692 (http://support.microsoft.com/kb/322692/) How to raise domain and forest functional levels in Windows Server 2003  
3. Create the organizational unit container where you want users that are created with earlier-version APIs to reside (if the desired OU container does not already exist).
4. Run Redirusr.exe from the command prompt by using the following syntax, where container-dn is the distinguished name of the organizational unit that will become the default location for newly-created user objects created by down-level APIs:
c:\windows\system32\redirusr container-dn
Redirusr is installed in the %SystemRoot%\System32 folder on new and upgraded Windows Server 2003-based computers. For example, to change the default location for users created with down-level APIs such as Net User to the OU=Users OU container in the CORP.COM domain, use the following syntax:
c:\windows\system32>redirusr ou=myusers,DC=company,dc=com
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 18845633
Keep in mind that redirusr will only allow you to redirect to a single OU; it does not have the necessary logic to say "Houston users should go in the Houston OU, Charlotte Users should go in the Charlotte OU", etc.  For that level of granularity you'll need some sort of provisioning system, either home-grown or purchased from a third-party vendor.

Redirusr will allow you to say "All new users created will go to the NewUsersOU rather than the Users Container", nothing more.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
 

Author Comment

by:TIA_IT
ID: 18845736
Laura, actually that's what I'm looking for.  My Boston admin has a BST OU and a Users folder. When he creates a new user, that user gets bst+first initial+lastname and I would like that user account to be located in the Users folder in BST with memberships of BST-GG-ALL_USERS.    Same would go for any other of the 135 sites that we have.  The site admin creates the user, and the new account gets created in the respective OU for that site under Users, along with defaulted membership to the global group for ALL_USERS for that site.

So what I'm asking for is a third party deal?
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 500 total points
ID: 18845805
There's unfortunately nothing native to AD, including redirusr, that will give you the kind of business logic that you're describing.  

If you want to stick with free tools, you would need to do something like run a scheduled task every hour that searches through the AllUsersOU, and if it finds a user with the first 3 letters of BST, moves that user to the BST OU.  This would be reactive rather than proactive, but it would still accomplish the same thing.

I don't have one single script handy that will do all of that logic from beginning to end, but you could certainly cobble together the vbscript to do the search & move logic from a book like the Active Directory Cookbook.  (Shameless plug, I wrote it.  ;-)  However, the un-annotated VBScript code is available for free here: http://techtasks.com/code/viewbook/2)

Laura
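
The scheduled search-and-move task described in the accepted answer, sketched as an added example; it is not part of the original post and is not code from the Active Directory Cookbook. It assumes the ActiveDirectory PowerShell module, a staging OU whose DN is a placeholder, site OUs named by the three-letter account prefix with a child OU called Users, and the `<SITE>-GG-ALL_USERS` group naming from the asker's comment.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder DN for the staging OU that redirusr points at (assumption).
    [string]$StagingOU = 'OU=AllUsersOU,DC=company,DC=com'
)

# Only direct children of the staging OU are candidates for a move.
$staged = Get-ADUser -SearchBase $StagingOU -SearchScope OneLevel `
                     -Filter * -Properties MemberOf

foreach ($user in $staged) {
    $sam = $user.SamAccountName

    # Accept only a letters-only prefix, so nothing from the account name
    # can alter the -Filter string built from it below.
    if ($sam -notmatch '^[A-Za-z]{3}.') {
        Write-Warning "Skipping '$sam': no three-letter site prefix"
        continue
    }
    $site = $sam.Substring(0, 3).ToUpper()

    # Site OUs sit under continent OUs, so find the site by name
    # instead of building its DN by hand.
    $siteOU = @(Get-ADOrganizationalUnit -Filter "Name -eq '$site'")
    if ($siteOU.Count -ne 1) {
        Write-Warning "Skipping '$sam': found $($siteOU.Count) OUs named '$site'"
        continue
    }
    $target = "OU=Users,$($siteOU[0].DistinguishedName)"

    try {
        $group = Get-ADGroup -Identity "$site-GG-ALL_USERS" -ErrorAction Stop
        if ($PSCmdlet.ShouldProcess($sam, "Add to $($group.Name), move to $target")) {
            # Group first, move last: a failure leaves the account in
            # staging, so the next run retries it.
            if ($user.MemberOf -notcontains $group.DistinguishedName) {
                Add-ADGroupMember -Identity $group -Members $user -ErrorAction Stop
            }
            Move-ADObject -Identity $user.DistinguishedName `
                          -TargetPath $target -ErrorAction Stop
        }
    }
    catch {
        Write-Warning "Failed on '$sam': $($_.Exception.Message)"
    }
}
```

Run it with `-WhatIf` first to list the planned moves without changing anything. The account the task runs under needs rights on the staging OU, each site's Users OU and each site's group, so it should be a dedicated service account rather than a domain administrator.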

 
LVL 70

Expert Comment

by:Chris Dent
ID: 19708205

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
ACCEPT: LauraEHunterMVP {18845805}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer