Active Directory Cookbook for Windows Server 2003 - P16


Recipe 5.6 Moving the Objects in an OU to a Different OU

5.6.1 Problem

You want to move some or all of the objects in an OU to a different OU. You may need to do this as part of a domain restructuring effort.

5.6.2 Solution

5.6.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the OU that contains the objects you want to move and click on it.
4. Highlight the objects in the right pane that you want to move, right-click on them, and select Move.
5. Browse to the parent container you want to move the objects to and click on it.
6. Click OK.
7. Press F5 to refresh the contents of the OU. If objects still remain, repeat the previous three steps.

5.6.2.2 Using a command-line interface

    > for /F "usebackq delims=" %i in (`dsquery * "<OldOrgUnitDN>" -scope onelevel`) do dsmove -newparent "<NewOrgUnitDN>" %i

5.6.2.3 Using VBScript

    ' This code moves objects from the "old" OU to the "new" OU
    ' ----- SCRIPT CONFIGURATION -----
    strOldOrgUnit = "<OldOrgUnitDN>"  ' e.g. ou=Eng Tools,dc=rallencorp,dc=com
    strNewOrgUnit = "<NewOrgUnitDN>"  ' e.g. ou=Tools,dc=rallencorp,dc=com
    ' ----- END CONFIGURATION -----

    set objOldOU = GetObject("LDAP://" & strOldOrgUnit)
    set objNewOU = GetObject("LDAP://" & strNewOrgUnit)

    ' Enumerate the direct children of the old OU and move each one,
    ' keeping its existing RDN (objChildObject.Name)
    for each objChildObject in objOldOU
        Wscript.Echo "Moving " & objChildObject.Name
        objNewOU.MoveHere objChildObject.ADsPath, objChildObject.Name
    next

5.6.3 Discussion

5.6.3.1 Using a graphical user interface

If you want to move more than 2,000 objects at one time, you will need to raise the default number of objects the snap-in displays, as described in the Discussion section of Recipe 5.3.

5.6.3.2 Using a command-line interface

Since dsmove can move only one object at a time, I had to use the for command to iterate over each child object returned by dsquery. Note also that dsquery returns at most 100 objects by default; if you want to move more than 100 objects, add the -limit xx option to dsquery, where xx is the maximum number of objects to return (use 0 for no limit). The DNs that dsquery * prints are already enclosed in double quotes, so names containing spaces pass through to dsmove intact.

5.6.3.3 Using VBScript

For more information on the MoveHere method, see Recipe 4.17.

5.6.4 See Also

Recipe 4.17 for moving objects, Recipe 5.3 for enumerating objects in an OU, and MSDN: IADsContainer::MoveHere

Recipe 5.7 Moving an OU

5.7.1 Problem

You want to move an OU and all its child objects to a different location in the directory tree.

5.7.2 Solution

5.7.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the OU you want to move.
4. Right-click on the OU and select Move.
5. Select the new parent container for the OU and click OK.
5.7.2.2 Using a command-line interface

    > dsmove "<OrgUnitDN>" -newparent "<NewParentDN>"

5.7.2.3 Using VBScript

    ' Bind to the new parent and pull the OU into it, keeping its RDN
    set objOU = GetObject("LDAP://<NewParentDN>")
    objOU.MoveHere "LDAP://<OrgUnitDN>", "<OrgUnitRDN>"

5.7.3 Discussion

One of the benefits of Active Directory is the ability to structure and restructure data easily. Moving an OU, even one that contains a complex hierarchy of other OUs and objects, can be done without impacting the child objects. If any applications have a dependency on the location of specific objects, you need to ensure they are either updated with the new location or, preferably, reference the objects by GUID rather than by distinguished name.

You should also be mindful of inherited ACLs and applied group policy. After the move, the OU and everything under it inherit the new parent's permissions and receive the GPOs linked above the new location, while the old parent's inherited permissions and GPOs no longer apply. Review delegated rights and policy results after the move rather than assuming they are unchanged.

5.7.4 See Also

MS KB 313066 (HOW TO: Move Users, Groups, and Organizational Units Within a Domain in Windows 2000) and MSDN: IADsContainer::MoveHere

Recipe 5.8 Determining How Many Child Objects an OU Has

This recipe requires a Windows Server 2003 domain controller: the msDS-Approx-Immed-Subordinates attribute it reads is new to the Windows Server 2003 schema, so the query must be directed at such a DC.

5.8.1 Problem

You want to determine if an OU has any child objects or determine how many child objects it contains.

5.8.2 Solution

5.8.2.1 Using a graphical user interface

1. Open LDP.
2. From the menu, select Browse → Search.
3. For Base Dn, enter <OrgUnitDN>.
4. For Filter, enter (objectclass=*).
5. For Scope, select Base.
6. Click the Options button and enter msDS-Approx-Immed-Subordinates for Attributes.
7. Click OK and Run.
8. The results will be displayed in the right pane.
5.8.2.2 Using a command-line interface

    > dsquery * "<OrgUnitDN>" -scope base -attr msDS-Approx-Immed-Subordinates

5.8.2.3 Using VBScript

    ' This code displays the approximate number of child objects for an OU
    set objOU = GetObject("LDAP://<OrgUnitDN>")
    ' Constructed attributes are not loaded by GetInfo, so request this one explicitly
    objOU.GetInfoEx Array("msDS-Approx-Immed-Subordinates"), 0
    WScript.Echo "Number of child objects: " & _
                 objOU.Get("msDS-Approx-Immed-Subordinates")

5.8.3 Discussion

The msDS-Approx-Immed-Subordinates attribute is new to Windows Server 2003. It contains the approximate number of direct child objects in a container or organizational unit. Note that this is an approximation and can be off by 10% of the actual total for large containers. The main reason for adding this attribute was to give applications an idea of how many objects a container has so that they can display them accordingly.

msDS-Approx-Immed-Subordinates is a constructed attribute; that is, the value is not actually stored in Active Directory like other attributes. Active Directory computes the value when an application asks for it. In the VBScript solution, the GetInfoEx method had to be called because some constructed attributes, such as this one, are not retrieved when GetInfo or Get is called.

You can accomplish similar functionality with Windows 2000 Active Directory, but you need to perform a onelevel search against the OU and count the number of objects returned. This method is by no means as efficient as using msDS-Approx-Immed-Subordinates in Windows Server 2003.

5.8.4 See Also

MSDN: GetInfoEx

Recipe 5.9 Delegating Control of an OU

5.9.1 Problem

You want to delegate administrative access to an OU so that a group of users can manage the objects in the OU.

5.9.2 Solution

5.9.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the target OU, right-click on it, and select Delegate Control.
4. Select the users and/or groups to delegate control to by using the Add button and click Next.
5. Select the type of privilege to grant the users/groups and click Next.
6. Click Finish.

5.9.2.2 Using a command-line interface

ACLs can be set from the command line with the dsacls utility from the Support Tools. See Recipe 14.10 for more information.

5.9.3 Discussion

Although you can delegate control of an OU to a particular user, it is generally a better practice to use a group instead. Even if there is only one user to delegate control to, you should create a group, add that user as a member, and use that group in the ACL. That way, when you later have to replace that user with someone else, you can simply make sure the new person is in the correct group instead of modifying ACLs again.

Keep in mind that the Delegation of Control wizard only adds ACEs; it offers no way to remove what it granted. Record each delegation you make and verify the resulting ACL with dsacls (Recipe 14.10) so that rights do not accumulate on the OU unnoticed.

5.9.4 See Also

Recipe 14.10 for changing the ACL on an object

Recipe 5.10 Allowing OUs to Be Created Within Containers

5.10.1 Problem

You want to create an OU within a container. By default, you cannot create OUs within container objects due to restrictions in the Active Directory schema.

5.10.2 Solution

5.10.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in as a user that is a member of the Schema Admins group. See Recipe 10.1 for more on using the Schema snap-in.
2. Expand the Classes folder, right-click on the organizationalUnit class, and select Properties.
3. Select the Relationship tab and, next to Possible Superior, click Add Superior (Windows Server 2003) or Add (Windows 2000).
4. Select container and click OK.
5. Click OK.
5.10.2.2 Using a command-line interface

Create an LDIF file called ou_in_container.ldf with the following contents:

    dn: cn=organizational-unit,cn=schema,cn=configuration,<ForestRootDN>
    changetype: modify
    add: possSuperiors
    possSuperiors: container
    -

then run the ldifde command to import the change:

    > ldifde -i -f ou_in_container.ldf

5.10.2.3 Using VBScript

    ' This code modifies the schema so that OUs can be created within containers
    Const ADS_PROPERTY_APPEND = 3
    set objRootDSE = GetObject("LDAP://RootDSE")
    ' Bind to the organizationalUnit class definition in the schema naming context
    set objOUClass = GetObject("LDAP://cn=organizational-unit," & _
                               objRootDSE.Get("schemaNamingContext"))
    ' Add "container" to the list of classes allowed to be the parent of an OU
    objOUClass.PutEx ADS_PROPERTY_APPEND, "possSuperiors", Array("container")
    objOUClass.SetInfo

5.10.3 Discussion

Allowing OUs to be created within containers requires a simple modification to the schema. You have to make the container class one of the possible superiors (the possSuperiors attribute) for the organizationalUnit class. Because the schema is shared by every domain in the forest, this change is forest-wide, requires Schema Admins membership, and takes effect on every domain controller once it replicates, so treat it as a schema change to be reviewed and recorded, not as a per-domain setting.

5.10.4 See Also

Recipe 10.1 for using the Schema snap-in and MS KB 224377 (Configuring Different Containers to Hold Organizational Units)

Recipe 5.11 Linking a GPO to an OU

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

5.11.2.1 Using a graphical user interface

1. Open the Group Policy Management (GPMC) snap-in.
2. Expand Forest in the left pane.
3. Expand Domains and navigate down to the OU in the domain you want to link the GPO to.
4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

5.11.2.2 Using VBScript

    ' This code links a GPO to an OU in the specified domain
    ' ----- SCRIPT CONFIGURATION -----
    strDomainDN = "<DomainDN>"    ' e.g. dc=rallencorp,dc=com
    strGPO      = "<GPOName>"     ' e.g. WorkstationsGPO
    strOUDN     = "<OrgUnitDN>"   ' e.g. ou=Workstations,dc=rallencorp,dc=com
    ' ----- END CONFIGURATION -----

    ' Look up the GPO container by display name under cn=policies,cn=system
    strBaseDN = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
    strFilter = "(&(objectcategory=grouppolicycontainer)" & _
                "(objectclass=grouppolicycontainer)" & _
                "(displayname=" & strGPO & "));"
    strAttrs  = "ADsPath;"
    strScope  = "OneLevel"

    set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
    if objRS.EOF <> TRUE then
        objRS.MoveFirst
    end if

    ' Exactly one GPO must match; display names are not guaranteed to be unique
    if objRS.RecordCount = 1 then
        strGPOADsPath = objRS.Fields(0).Value
        WScript.Echo "GPO Found: " & strGPOADsPath
    elseif objRS.RecordCount = 0 then
        WScript.Echo "Did not find a matching GPO for: " & strGPO
        Wscript.Quit
    elseif objRS.RecordCount > 1 then
        WScript.Echo "More than 1 GPO found matching: " & strGPO
        Wscript.Quit
    end if

    ' Read the OU's current gpLink. Error -2147463155 (E_ADS_PROPERTY_NOT_FOUND)
    ' only means no GPO is linked yet, so in that case start from an empty value
    set objOU = GetObject("LDAP://" & strOUDN)
    on error resume next
    strGPLink = objOU.Get("gpLink")
    if Err.Number then
        if Err.Number <> -2147463155 then
            WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                         Err.Description
            Wscript.Quit
        end if
    end if
    on error goto 0

    ' Append the new link as [<GPO ADsPath>;0], where 0 means the link is enabled
    objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
    objOU.SetInfo
    WScript.Echo "GPO successfully linked"

5.11.3 Discussion

The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of gpLink is unusual, so you have to be careful when setting the attribute programmatically or by hand. Since multiple GPOs can be linked to an OU, gpLink has to hold multiple values; unfortunately, it does not hold them as you might expect in a multivalued attribute. Instead, all the links are packed into the single-valued gpLink attribute: the ADsPath of each linked GPO is concatenated into one string, with each path enclosed in square brackets and followed by a semicolon and an options value. The options value is a bit field: 0 means the link is enabled, 1 (bit 0x1) means the link is disabled, and bit 0x2 marks the link as enforced. The original book text describes only 0 and 1. A typo in this string leaves the OU with a gpLink that Group Policy cannot process, so validate the value before writing it.
Here is an example gpLink with two GPOs linked:

    [LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]

A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the GPMC APIs.

5.11.4 See Also

The Introduction to Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the Addition of Group Policy Links)
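The VBScript above concatenates a new link onto gpLink without ever checking the existing value. The following Python code is an added example, not from the book or from Microsoft, that handles the string format just described: it parses a gpLink value into (ADsPath, options) pairs, rejects anything that is not a well-formed [path;n] entry, decodes the option bits, and appends a new link the way the book's script does while refusing to link the same GPO twice. GPMC derives link order from the position of each entry, so the example never reorders what is already there. It touches no live directory; the sample value is the page's own two-link example, plus a hypothetical third GPO GUID used to show the append. The enforced bit (0x2) is not mentioned on the page.

```python
"""Parse, check and extend a gpLink value (Recipe 5.11).

Added example, not code from the book. Works purely on the attribute
string, which is the part the book warns is easy to get wrong.
"""
import re
from typing import List, Tuple

# Option bits carried after the ';' of each link. The page documents
# 0 (enabled) and 1 (disabled); the enforced bit 0x2 comes from the
# gpLink format definition and is an addition beyond the page.
LINK_DISABLED = 0x1
LINK_ENFORCED = 0x2

_ENTRY = re.compile(r"\[(?P<path>LDAP://[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)


def parse_gplink(gplink: str) -> List[Tuple[str, int]]:
    """Split a gpLink string into (ADsPath, options) pairs in stored order.

    Every character must belong to a well-formed [path;n] entry; anything
    else raises ValueError instead of silently dropping or mangling a link.
    """
    links = []
    pos, text = 0, gplink.strip()
    while pos < len(text):
        match = _ENTRY.match(text, pos)
        if match is None:
            raise ValueError(f"malformed gpLink at offset {pos}: {text[pos:pos + 40]!r}")
        links.append((match.group("path"), int(match.group("opts"))))
        pos = match.end()
    return links


def build_gplink(links) -> str:
    """Inverse of parse_gplink: rebuild the bracketed string."""
    return "".join(f"[{path};{opts}]" for path, opts in links)


def describe_link(opts: int) -> str:
    """Human-readable link state decoded from the option bits."""
    if opts & ~(LINK_DISABLED | LINK_ENFORCED):
        return f"unknown option bits 0x{opts:x}"
    state = "disabled" if opts & LINK_DISABLED else "enabled"
    if opts & LINK_ENFORCED:
        state += ", enforced"
    return state


def add_link(gplink: str, gpo_adspath: str, opts: int = 0) -> str:
    """Return gplink with gpo_adspath appended, as the book's script does.

    An empty string stands for an OU whose gpLink attribute is not set
    (the E_ADS_PROPERTY_NOT_FOUND case in the VBScript). Linking the same
    GPO twice is refused; the book's script would happily do it.
    """
    links = parse_gplink(gplink) if gplink else []
    if any(path.lower() == gpo_adspath.lower() for path, _ in links):
        raise ValueError("GPO already linked: " + gpo_adspath)
    links.append((gpo_adspath, opts))
    return build_gplink(links)


# Constructed sample: the page's two-link example value.
SAMPLE_GPLINK = (
    "[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
)
# Hypothetical GPO GUID, used only to demonstrate the append.
NEW_GPO = ("LDAP://cn={11111111-2222-3333-4444-555555555555},"
           "cn=policies,cn=system,DC=rallencorp,DC=com")

if __name__ == "__main__":
    for path, opts in parse_gplink(SAMPLE_GPLINK):
        print(f"{describe_link(opts):20} {path}")
    print(add_link(SAMPLE_GPLINK, NEW_GPO))
```

To use it against a real OU, read gpLink from the OU (treating a missing attribute as an empty string), pass the value through add_link, and write the returned string back; if parse_gplink raises, the attribute is already damaged and should be inspected in GPMC before anything is written.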

Posted: 05/07/2014, 08:20
