mojoxp Posted April 3, 2006

Is there any setting in the SIF files, Group Policy on the RIS server, etc... that can force a computer that already has a Computer Account to either delete its old account and create a new one, or to move itself to a new OU during RIS?

After we RIS our machines we want to put them in the DOMAIN\RISED OU, and from there we have an HTA application that comes up and asks the user a set of questions as to where to put the computer. A VBS script then runs and moves the computer to the proper OU. The problem is that if the computer that was just RISed doesn't end up in the RISED OU then it doesn't get the HTA application. I guess the alternative would be to have a run-once script that moves the computer after RIS to the RISED OU and then to GPUPDATE /FORCE /BOOT... but I was hoping for another way around it.

cluberti Posted April 5, 2006

You can choose which OU a machine is created in via the OSChooser screens if the domain is a 2003 domain. Otherwise, you have to do it post-RIS.

mojoxp Posted April 7, 2006

It is a 2003 Domain, but the problem is that RIS uses the computer's "old" computer account, so it doesn't create a new one and thusly uses the old account's OU.

Judge_MC1 Posted April 13, 2006

AFAIK there is no way to delete a computer account (without some nonstandard smarts) during or before RIS. RIS does allow you to choose the OU you wish RISed computer accounts to be created in. You can do it one of two ways.

1. In AD Users and Computers, right-click the RIS server and choose Properties, then the Remote Install tab. Click the Advanced Settings button and change the default location for computer accounts to be created in.
2. When you boot a computer with RIS, choose the Custom Setup and you will be able to change where the computer account is created.

If the computer account already exists then it will be reused. Move the computer account to the correct OU before beginning the RIS build. Computer accounts should be reused. You can always prestage computer accounts in their correct OUs using GUIDs or MAC address.

Personally I wouldn't bother moving to a temporary RIS OU (if the computer was already in the correct OU why move it just for a RIS build), just means you then need to move the computer to another OU later. A cleaner way of performing this would be to run the domain setup VBS script from RunOnce or a login script as you mentioned previously.

Edited April 13, 2006 by Judge_MC1

mojoxp Posted April 19, 2006

Okay, in case it ever comes up again here's what I did... I've got a script set to run in the ristndrd.sif file with the lines:

```ini
[GuiUnattended]
OemSkipWelcome = 1
AdminPassword="<REMOVED PASSWORD>"
EncryptedAdminPassword=NO
AutoLogon=Yes
AutoLogonCount=1

[GuiRunOnce]
Command0="C:\windows\system32\pris3\pris3.hta"
```

The HTA file prompts the user for some input and then puts it in the correct OU. Here's the code for the OU moving. The login used to authenticate has the ability to create and delete computer accounts across the domain.

```vbscript
' Declare all of our variables
Dim objConnection
Dim objCommand
Dim objRecordSet
Dim objOU
Dim strADsPath
Dim WshNetwork
Dim strCurrent
Dim objDSO
Dim objDOU
Dim objMove
Const ADS_SECURE_AUTHENTICATION = &h1
Const ADS_SERVER_BIND = &h200

' Make sure we keep on keeping on
On Error Resume Next

' Set the scope so that it will go into all the OUs
Const ADS_SCOPE_SUBTREE = 2

' Connect up to Active Directory
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Get the computer's current name off the Network interface
' (plain CreateObject, because the WScript object does not exist inside an HTA)
Set WshNetwork = CreateObject("WScript.Network")
strCurrent = WshNetwork.ComputerName

' Limit the size of the page from ADS so that a bad query doesn't kill the domain
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' Find the current computer in Active Directory
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://<DOMAIN>' WHERE objectCategory='computer' " & _
    "AND name='" & strCurrent & "'"

' Run the query above
Set objRecordSet = objCommand.Execute

' There should only be one entry here; if there are more, only the first match is moved
If Not objRecordSet.EOF Then
    objRecordSet.MoveFirst

    ' Get the full path (ADsPath) of the computer
    strADsPath = objRecordSet.Fields("ADsPath").Value

    ' Set the destination we want it moved to
    ' (the account name and password below sit in clear text in this file)
    Set objDSO = GetObject("LDAP:")
    Set objDOU = objDSO.OpenDSObject("LDAP://OU=<DESTINATION OU>, DC=<DOMAIN>", "<DOMAIN USER>", "<DOMAIN USER PASSWORD>", ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND)

    ' Execute the move
    Set objMove = objDOU.MoveHere(strADsPath, vbNullString)
End If
```

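An added example, not part of mojoxp's post: a small Python check that parses answer-file text like the ristndrd.sif fragment above and reports where the local Administrator password is stored unencrypted and which RunOnce commands run at the automatic logon. The sample file, its password and the rule names are constructed for illustration.

```python
import re

# Constructed sample modelled on the ristndrd.sif fragment above; the password is made up.
SAMPLE_SIF = r'''
[GuiUnattended]
OemSkipWelcome = 1
AdminPassword = "ExamplePassw0rd"
EncryptedAdminPassword = NO
AutoLogon = Yes
AutoLogonCount = 1

[GuiRunOnce]
Command0 = "C:\windows\system32\pris3\pris3.hta"
'''

def parse_sif(text):
    """Parse answer-file text into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def audit_sif(text):
    """Return (rule, detail) findings; the rule names are hypothetical."""
    sif = parse_sif(text)
    gui = sif.get("guiunattended", {})
    findings = []
    password = gui.get("adminpassword", "")
    encrypted = gui.get("encryptedadminpassword", "no").lower() == "yes"
    if password and password != "*" and not encrypted:
        findings.append(("plaintext-admin-password", "AdminPassword is stored unencrypted"))
    if gui.get("autologon", "no").lower() == "yes":
        count = gui.get("autologoncount", "unspecified")
        findings.append(("admin-autologon", f"automatic Administrator logon, count {count}"))
        for key, cmd in sorted(sif.get("guirunonce", {}).items()):
            findings.append(("runonce-in-autologon", f"{key} runs at that logon: {cmd}"))
    return findings

if __name__ == "__main__":
    for rule, detail in audit_sif(SAMPLE_SIF):
        print(f"{rule}: {detail}")
```
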
Fencer128 Posted April 19, 2006

Hi,

Nice script. We run a utility before any rebuild that removes any existing AD account and/or SMS record (if you use SMS).

We then run RIS and use a highly customised menu system to navigate through our complex schema to the end OU we want the system built in.

This is the most resilient way we have found to deal with the "existing account" issue.

Cheers,
Andy

RogueSpear Posted April 19, 2006

I just have all of my computers prestaged in their appropriate OUs and there's no problem rerunning RIS. The computer account in AD stays the same, the computer even stays in the same "group" for Symantec AntiVirus. I've never had to delete a computer object before. Granted, I'm only talking about a little over 100 workstations at my main site, not the thousands Fencer has to manage, but it seems like it should scale upwards fine.

Fencer128 Posted April 19, 2006

Hi,

I like prestaging too - but we've found it too time consuming for the number of machines we're administrating, not to mention the problems associated with building, distributing and tracking so many prestaged machines when a new order arrives (100 machines or thereabouts). As such, my boss has decided pre-staging is not the way to go for us and so we resort to the method above.

In an ideal world though, I think prestaging is the best way.

Cheers,
Andy

mojoxp Posted April 19, 2006

The only reason we don't prestage is that we move systems around a lot and this way with the simple HTA app we can RIS a machine and get it ready to go out in a very short time... and our base level student staff or even staff in their respective offices can RIS machines without needing our assistance. Our standard policy is to replace a desktop right away rather than mess with it trying to get spyware/other crap off there when they get hosed.

Edited April 19, 2006 by mojoxp