Batch script to move users to different OUs

[Serrix]

Hi there,
We're almost ready to re-direct the default computers location and to set up a GPO startup script to move the machines from the default location to a OU based on their hardware type. This move is based on a file which is created when the machine is imaged.

Here is the batch script, please let me know if you see any problems...
I've replaced all site specifics with placeholders in []s

@echo off
setlocal enabledelayedexpansion
set SEPARATOR=/
set currentline=
set LogFile=%Temp%\%~n0.log

set MoveUser=[Domain user with priviledges to move computers]
set MovePwd=[Above user's password[
set Root=dc=[something],dc=[somewhere],dc=[somewhere]
set ComputersDN=ou=Workstations,%root%
set Desktop=ou=Desktops,ou=Workstations,%root%
set Laptop=ou=ou=Laptops,Workstations,%root%
set TargetDN=

if not exist C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT goto end
for /f %%a in (C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT) do (
set currentline=%%a
)
if /i %currentline% == LAPTOP set TargetDN=%Laptop%
if /i %currentline% == DESKTOP set TargetDN=%Desktop%

echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":
>>"%LogFile%" echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":

dsquery computer "%ComputersDN%" -name %ComputerName% | dsmove computer -newparent "%TargetDN%" -u %MoveUser% -p %MovePwd% >>"%LogFile%" 2>&1

:end

Thanks in advance

"Serrix" <Serrix.3kskjc@DoNotSpam.com> wrote in message
news:Serrix.3kskjc@DoNotSpam.com...
>
> Hi there,
> We're almost ready to re-direct the default computers location and to
> set up a GPO startup script to move the machines from the default
> location to a OU based on their hardware type. This move is based on a
> file which is created when the machine is imaged.
>
> Here is the batch script, please let me know if you see any
> problems...
> I've replaced all site specifics with placeholders in []s
>
> @echo off
> setlocal enabledelayedexpansion
> set SEPARATOR=/
> set currentline=
> set LogFile=%Temp%\%~n0.log
>
> set MoveUser=[Domain user with priviledges to move computers]
> set MovePwd=[Above user's password[
> set Root=dc=[something],dc=[somewhere],dc=[somewhere]
> set ComputersDN=ou=Workstations,%root%
> set Desktop=ou=Desktops,ou=Workstations,%root%
> set Laptop=ou=ou=Laptops,Workstations,%root%
> set TargetDN=
>
> if not exist C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT goto end
> for /f %%a in (C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT) do (
> set currentline=%%a
> )
> if /i %currentline% == LAPTOP set TargetDN=%Laptop%
> if /i %currentline% == DESKTOP set TargetDN=%Desktop%
>
> echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":
>>>"%LogFile%" echo %Date% %Time% About to move "%ComputerName%" to
> "%TargetDN%":
>
> dsquery computer "%ComputersDN%" -name %ComputerName% | dsmove computer
> -newparent "%TargetDN%" -u %MoveUser% -p %MovePwd% >>"%LogFile%" 2>&1
>
> :end
>
> Thanks in advance
>

I've never tried, so I don't know if a computer account can move itself. In
any case, doesn't this expose the credentials (username and password)? I
would think you could move the computer accounts yourself, perhaps using a
text file with computer names. You could use WMI to read your chassis.txt
file, but better yet might be to use WMI to read the chassis type directly.
This would require a VBScript or PowerShell program. For example:

http://www.microsoft.com/technet/scr..._cpm_btnz.mspx

If you bind to the computer object with the Distinguished Name, you can then
bind to the parent container object (using the Parent method), then use the
MoveHere method to move the object. Doing this remotely in bulk gets it all
done at once, and you don't need to worry about the StartUp script running
repeatedly. Does your batch file above attempt to move the computer every
time it starts?

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

[Serrix]

Hi Richard,
Thanks for the reply.

Yes it does display the password in cleartext :( I'm thinking about using something like bat to exe converter to make it alittle harder to figure out what it is.

We're looking at redirecting the default computers location to point to a new OU with the following command ran from the primary DC: redircmp OU=Default Computer Location,DC=[domain],DC=co,DC=nz

We'd then move all computer objects from what was the default container to the new one and link a GPO which runs the script in my first post as a startup script.

The CHASSIS.TXT file is created by the build process and isn't something we can change, it simply contains the text "Desktop" or "Laptop".

We've tested the script as far as we can without running it "for real", with the output being: Mon 22/12/2008 15:45:15.83 About to move "[HOST NAME]" to "ou=ou=laptops,workstations,dc=[DOMAIN],dc=ac,dc=nz":
I've blanked out site specifics again, with hostname and domain :)

I'm not 100% about the dsquery though and was looking to confirm this is a method similar to what others have working in production? It seems to follow Microsoft recommendations: http://support.microsoft.com/kb/324949

Thanks for your thoughts and comments

[Serrix]

Just removed a extra ou= in the line
set Laptop=ou=laptops,workstations,%root%

Opps :)

I would agree with Richard this is a really bad idea. If someone reads the
script they can do what they want (Since the password is in clear text) to
these computer accounts including deleting them and if you have auditng
enabled it would show this account as the culprit, not much help. You
should be able to write a script to output hardware type (Again as Richard
recommended) and from there you either manually move these or batch move
them.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:ew8igP9YJHA.2124@TK2MSFTNGP04.phx.gbl...
>
> "Serrix" <Serrix.3kskjc@DoNotSpam.com> wrote in message
> news:Serrix.3kskjc@DoNotSpam.com...
>>
>> Hi there,
>> We're almost ready to re-direct the default computers location and to
>> set up a GPO startup script to move the machines from the default
>> location to a OU based on their hardware type. This move is based on a
>> file which is created when the machine is imaged.
>>
>> Here is the batch script, please let me know if you see any
>> problems...
>> I've replaced all site specifics with placeholders in []s
>>
>> @echo off
>> setlocal enabledelayedexpansion
>> set SEPARATOR=/
>> set currentline=
>> set LogFile=%Temp%\%~n0.log
>>
>> set MoveUser=[Domain user with priviledges to move computers]
>> set MovePwd=[Above user's password[
>> set Root=dc=[something],dc=[somewhere],dc=[somewhere]
>> set ComputersDN=ou=Workstations,%root%
>> set Desktop=ou=Desktops,ou=Workstations,%root%
>> set Laptop=ou=ou=Laptops,Workstations,%root%
>> set TargetDN=
>>
>> if not exist C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT goto end
>> for /f %%a in (C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT) do (
>> set currentline=%%a
>> )
>> if /i %currentline% == LAPTOP set TargetDN=%Laptop%
>> if /i %currentline% == DESKTOP set TargetDN=%Desktop%
>>
>> echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":
>>>>"%LogFile%" echo %Date% %Time% About to move "%ComputerName%" to
>> "%TargetDN%":
>>
>> dsquery computer "%ComputersDN%" -name %ComputerName% | dsmove computer
>> -newparent "%TargetDN%" -u %MoveUser% -p %MovePwd% >>"%LogFile%" 2>&1
>>
>> :end
>>
>> Thanks in advance
>>
>
> I've never tried, so I don't know if a computer account can move itself.
> In any case, doesn't this expose the credentials (username and password)?
> I would think you could move the computer accounts yourself, perhaps using
> a text file with computer names. You could use WMI to read your
> chassis.txt file, but better yet might be to use WMI to read the chassis
> type directly. This would require a VBScript or PowerShell program. For
> example:
>
> http://www.microsoft.com/technet/scr..._cpm_btnz.mspx
>
> If you bind to the computer object with the Distinguished Name, you can
> then bind to the parent container object (using the Parent method), then
> use the MoveHere method to move the object. Doing this remotely in bulk
> gets it all done at once, and you don't need to worry about the StartUp
> script running repeatedly. Does your batch file above attempt to move the
> computer every time it starts?
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>

[Serrix]

Thanks Paul,
We've already got scripts that show the hardware types (and collate them)

The issue is that we'd prefer for these machine to manage themselfs.
I understand the security concerns and simply won't release the script in plaintext as it is here. I'm working on encrypting the password and changing the script so its not plain text as well.

Besides the plaintext password, which is obviously a no-go, is there anything wrong with moving machines automatically this way rather then manually shifting them?

None that I know of.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.
"Serrix" <Serrix.3ku9nc@DoNotSpam.com> wrote in message
news:Serrix.3ku9nc@DoNotSpam.com...
>
> Thanks Paul,
> We've already got scripts that show the hardware types (and collate
> them)
>
> The issue is that we'd prefer for these machine to manage themselfs.
> I understand the security concerns and simply won't release the script
> in plaintext as it is here. I'm working on encrypting the password and
> changing the script so its not plain text as well.
>
> Besides the plaintext password, which is obviously a no-go, is there
> anything wrong with moving machines automatically this way rather then
> manually shifting them?
>
>
> --
> Serrix
> ------------------------------------------------------------------------
> Serrix's Profile: http://forums.techarena.in/members/serrix.htm
> View this thread: Batch script to move users to different OUs
>
> http://forums.techarena.in
>