Batch script to move users to different OUs

Hi there,
We're almost ready to re-direct the default computers location and to set up a GPO startup script to move the machines from the default location to a OU based on their hardware type. This move is based on a file which is created when the machine is imaged.

Here is the batch script, please let me know if you see any problems...
I've replaced all site specifics with placeholders in []s

@echo off
setlocal enabledelayedexpansion
set SEPARATOR=/
set currentline=
set LogFile=%Temp%\%~n0.log

set MoveUser=[Domain user with priviledges to move computers]
set MovePwd=[Above user's password[
set Root=dc=[something],dc=[somewhere],dc=[somewhere]
set ComputersDN=ou=Workstations,%root%
set Desktop=ou=Desktops,ou=Workstations,%root%
set Laptop=ou=ou=Laptops,Workstations,%root%
set TargetDN=

if not exist C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT goto end
for /f %%a in (C:\WINDOWS\[FOLDER]\SysInfo\CHASSIS.TXT) do (
set currentline=%%a
)
if /i %currentline% == LAPTOP set TargetDN=%Laptop%
if /i %currentline% == DESKTOP set TargetDN=%Desktop%

echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":
>>"%LogFile%" echo %Date% %Time% About to move "%ComputerName%" to "%TargetDN%":

dsquery computer "%ComputersDN%" -name %ComputerName% | dsmove computer -newparent "%TargetDN%" -u %MoveUser% -p %MovePwd% >>"%LogFile%" 2>&1

:end

Thanks in advance

I think that you can also move the computer accounts using a text file with computer names. You can use WMI to read your chassis.txt file, but better is to use WMI to read the chassis type directrly. It will require a VBScript or PowerShell program, check below for instance:

http://www.microsoft.com/technet/scr..._cpm_btnz.mspx

Thanks for the reply.

Yes it does display the password in cleartext :( I'm thinking about using something like bat to exe converter to make it alittle harder to figure out what it is.

We're looking at redirecting the default computers location to point to a new OU with the following command ran from the primary DC: redircmp OU=Default Computer Location,DC=[domain],DC=co,DC=nz

We'd then move all computer objects from what was the default container to the new one and link a GPO which runs the script in my first post as a startup script.

The CHASSIS.TXT file is created by the build process and isn't something we can change, it simply contains the text "Desktop" or "Laptop".

We've tested the script as far as we can without running it "for real", with the output being: Mon 22/12/2008 15:45:15.83 About to move "[HOST NAME]" to "ou=ou=laptops,workstations,dc=[DOMAIN],dc=ac,dc=nz":
I've blanked out site specifics again, with hostname and domain :)

I'm not 100% about the dsquery though and was looking to confirm this is a method similar to what others have working in production? It seems to follow Microsoft recommendations: http://support.microsoft.com/kb/324949

Thanks for your thoughts and comments

Just removed a extra ou= in the line
set Laptop=ou=laptops,workstations,%root%

Opps :)

It will be a bad idea because if someone reads the script then they can do what they want, since the password will be in clear text, to these computer accounts including deleting them and if you have auditing enabled then it will show this account as the problem which wont help. You must be able to write a script to output hardware type and from there you can either manually move these or batch move them.

We've already got scripts that show the hardware types (and collate them)

The issue is that we'd prefer for these machine to manage themselfs.
I understand the security concerns and simply won't release the script in plaintext as it is here. I'm working on encrypting the password and changing the script so its not plain text as well.

Besides the plaintext password, which is obviously a no-go, is there anything wrong with moving machines automatically this way rather then manually shifting them?