RIS Remove Old Computer Account/ Create New One

Is there any setting in the SIF files, Group Policy on the RIS server, etc... that can force a computer that already has a Computer Account to either delete its old account and create a new one, or to move itself to a new OU during RIS?

After we RIS our machines we want to put them in the DOMAIN\RISED OU, and from there we have an HTA application that comes up and asks the user a set of questions as to where to put the computer. A VBS script then runs and moves the computer to the proper OU. The problem is that if the computer that was just RISed doesn't end up in the RISED OU then it doesn't get the HTA application.

I guess the alternative would be to have a run-once script that moves the computer after RIS to the RISED OU and then to GPUPDATE /FORCE /BOOT... but I was hoping for another way around it.



AFAIK there is no way to delete a computer account (without some nonstandard smarts) during or before RIS. RIS does allow you to choose the OU you wish RISed computer accounts to be created in. You can do it one of two ways.

1. In AD Users and Computers, right click the RIS server and choose properties, then Remote Install tab. Click the advanced settings button and change the default location for computer accounts to be created in.

2. When you boot a computer with RIS choose the Custom Setup and you will be able to change where the computer account is created.

If the computer account already exists then it will be reused. Move the computer account to the correct OU before beginning the RIS build. Computer accounts should be reused. You can always prestage computer accounts in their correct OUs using GUIDs or MAC addresses.

Personally I wouldn't bother moving to a temporary RIS OU (if the computer was already in the correct OU, why move it just for a RIS build?), since it just means you then need to move the computer to another OU later. A cleaner way of performing this would be to run the domain setup VBS script from RunOnce or a login script, as you mentioned previously.

Edited by Judge_MC1

Okay, in case it ever comes up again, here's what I did... I've got a script set to run in the ristndrd.sif file with the lines:

[GuiUnattended]
OemSkipWelcome = 1
AdminPassword="<REMOVED PASSWORD>"
EncryptedAdminPassword=NO
AutoLogon=Yes
AutoLogonCount=1
[GuiRunOnce]
Command0="C:\windows\system32\pris3\pris3.hta"

The HTA file prompts the user for some input and then puts it in the correct OU. Here's the code for the OU moving. The login used to authenticate has the ability to create and delete computer accounts across the domain.

' Declare all of our variables
Dim objConnection
Dim objCommand
Dim objRecordSet
Dim strADsPath
Dim WshNetwork
Dim strCurrent
Dim objDSO
Dim objDOU
Dim objMove

Const ADS_SECURE_AUTHENTICATION = &h1
Const ADS_SERVER_BIND = &h200

' Make sure we keep on keeping on (errors are checked explicitly below)
On Error Resume Next

' Set the scope so that the query searches every OU below the domain root
Const ADS_SCOPE_SUBTREE = 2

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Get the computer's current name from the network object
' (plain CreateObject works both in a .vbs file and inside an HTA,
' where the WScript object is not available)
Set WshNetwork = CreateObject("WScript.Network")
strCurrent = WshNetwork.ComputerName

' Limit the page size from ADS so that a bad query doesn't hammer the domain controller
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Find the current computer in Active Directory
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://<DOMAIN>' WHERE objectCategory='computer' " & _
    "AND name='" & strCurrent & "'"
' Run the query above
Set objRecordSet = objCommand.Execute

' There should be exactly one entry; if nothing matches, report it instead of moving nothing
If objRecordSet.EOF Then
    MsgBox "No computer account found for " & strCurrent & "; nothing was moved."
Else
    objRecordSet.MoveFirst
    ' Get the full ADsPath of the computer object
    strADsPath = objRecordSet.Fields("ADsPath").Value
    ' Bind to the destination OU with the account that has rights to move computer objects
    ' (the credentials are stored in clear text in the script, so delegate that account
    ' only the rights it needs on the destination OU)
    Set objDSO = GetObject("LDAP:")
    Set objDOU = objDSO.OpenDSObject("LDAP://OU=<DESTINATION OU>,DC=<DOMAIN>", _
        "<DOMAIN USER>", "<DOMAIN USER PASSWORD>", ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)
    If Err.Number <> 0 Then
        MsgBox "Could not bind to the destination OU: " & Err.Description
        Err.Clear
    Else
        ' Execute the move; vbNullString keeps the existing CN of the computer object
        Set objMove = objDOU.MoveHere(strADsPath, vbNullString)
        If Err.Number <> 0 Then
            MsgBox "Move failed: " & Err.Description
            Err.Clear
        End If
    End If
End If

objRecordSet.Close
objConnection.Close

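The same post-build OU move written in PowerShell, as an example added here and not code from the thread: it only accepts a destination from an allow-list (the HTA prompt lets a person type the answer), requires exactly one matching computer object, and runs under whatever delegated account launches it instead of embedding a domain password. It assumes the ActiveDirectory module (RSAT) is installed; the OU names and DC=example,DC=local are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and an
# account delegated only "move computer objects" rights on the listed OUs.
Import-Module ActiveDirectory

# Constructed allow-list of destinations the post-build prompt may choose.
$AllowedOUs = @(
    'OU=Lab-A,OU=Workstations,DC=example,DC=local',   # placeholder
    'OU=Lab-B,OU=Workstations,DC=example,DC=local'    # placeholder
)

function Move-BuiltComputer {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$TargetOU
    )
    # Refuse anything not on the allow-list so a typo or an edited answer
    # cannot move the machine under a different set of policies.
    if ($AllowedOUs -notcontains $TargetOU) {
        throw "Target OU '$TargetOU' is not in the allowed list."
    }

    # Look the object up by sAMAccountName (NAME$) and require exactly one hit.
    $sam   = $ComputerName + '$'
    $found = @(Get-ADComputer -Filter "sAMAccountName -eq '$sam'")
    if ($found.Count -ne 1) {
        throw "Expected one computer object for $ComputerName, found $($found.Count)."
    }
    $computer = $found[0]

    # Nothing to do if the object already lives in the target OU.
    $currentOU = ($computer.DistinguishedName -split ',', 2)[1]
    if ($currentOU -eq $TargetOU) {
        return $computer.DistinguishedName
    }

    # Fail loudly on error instead of silently continuing like On Error Resume Next.
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU -ErrorAction Stop
    return "CN=$($computer.Name),$TargetOU"
}

# Usage: $dest would come from the HTA prompt; $env:COMPUTERNAME replaces the
# WScript.Network lookup used by the VBScript.
# Move-BuiltComputer -ComputerName $env:COMPUTERNAME -TargetOU $dest
```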

Hi,

Nice script. We run a utility before any rebuild that removes any existing AD account and/or SMS record (if you use SMS).

We then run RIS and use a highly customised menu system to navigate through our complex schema to the end OU we want the system built in.

This is the most resilient way we have found to deal with the "existing account" issue.

Cheers,

Andy


I just have all of my computers prestaged in their appropriate OUs and there's no problem rerunning RIS. The computer account in AD stays the same, the computer even stays in the same "group" for Symantec AntiVirus. I've never had to delete a computer object before. Granted, I'm only talking about a little over 100 workstations at my main site, not the thousands Fencer has to manage, but it seems like it should scale upwards fine.


Hi,

I like prestaging too, but we've found it too time consuming for the number of machines we're administrating, not to mention the problems associated with building, distributing and tracking so many prestaged machines when a new order arrives (100 machines or thereabouts). As such, my boss has decided pre-staging is not the way to go for us and so we resort to the method above.

In an ideal world though, I think prestaging is the best way.

Cheers,

Andy


The only reason we don't prestage is that we move systems around a lot, and this way, with the simple HTA app, we can RIS a machine and get it ready to go out in a very short time... and our base-level student staff, or even staff in their respective offices, can RIS machines without needing our assistance. Our standard policy is to replace a desktop right away rather than mess with it trying to get spyware/other crap off there when it gets hosed.

Edited by mojoxp