Active Directory Cookbook for Windows Server 2003 - P16

Recipe 5.6 Moving the Objects in an OU to a Different OU

5.6.1 Problem

You want to move some or all of the objects in an OU to a different OU. You may need to do this as part of a domain restructuring effort.

5.6.2 Solution

5.6.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the OU that contains the objects you want to move and click on it.

4. Highlight the objects in the right pane you want to move, right-click on them, and select Move.

5. Browse to the parent container you want to move the objects to and click on it.

6. Click OK.

7. Press F5 to refresh the contents of the OU. If objects still exist, repeat the previous three steps.

5.6.2.2 Using a command-line interface

> for /F "usebackq delims=""" %i in (`dsquery * "<OldOrgUnitDN>" -scope onelevel`) do dsmove -newparent "<NewOrgUnitDN>" %i

5.6.2.3 Using VBScript

' This code moves objects from the "old" OU to the "new" OU
' - SCRIPT CONFIGURATION -
strOldOrgUnit = "<OldOrgUnitDN>"  ' e.g. ou=Eng Tools,dc=rallencorp,dc=com
strNewOrgUnit = "<NewOrgUnitDN>"  ' e.g. ou=Tools,dc=rallencorp,dc=com
' - END CONFIGURATION -
set objOldOU = GetObject("LDAP://" & strOldOrgUnit)
set objNewOU = GetObject("LDAP://" & strNewOrgUnit)
for each objChildObject in objOldOU
   Wscript.Echo "Moving " & objChildObject.Name
   objNewOU.MoveHere objChildObject.ADsPath, objChildObject.Name
next

5.6.3 Discussion

5.6.3.1 Using a graphical user interface

If you want to move more than 2,000 objects at one time, you will need to modify the default number of objects displayed, as described in the Discussion section of Recipe 5.3.

5.6.3.2 Using a command-line interface

Since dsmove can move only one object at a time, I had to use the for command to iterate over each child object returned from dsquery. Also note that if you want to move more than 100 objects, you'll need to specify the -limit xx option with dsquery, where xx is the maximum number of objects to move (use 0 for all).

5.6.3.3 Using VBScript

For more information on the MoveHere method, see Recipe 4.17.

5.6.4 See Also

Recipe 4.17 for moving objects, Recipe 5.3 for enumerating objects in an OU, and MSDN: IADsContainer::MoveHere.

Recipe 5.7 Moving an OU

5.7.1 Problem

You want to move an OU and all its child objects to a different location in the directory tree.

5.7.2 Solution

5.7.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the OU you want to move.

4. Right-click on the OU and select Move.

5. Select the new parent container for the OU and click OK.

5.7.2.2 Using a command-line interface

> dsmove "<OrgUnitDN>" -newparent "<NewParentDN>"

5.7.2.3 Using VBScript

set objOU = GetObject("LDAP://<NewParentDN>")

objOU.MoveHere "LDAP://<OrgUnitDN>", "<OrgUnitRDN>"

5.7.3 Discussion

One of the benefits of Active Directory is the ability to structure and restructure data easily. Moving an OU, even one that contains a complex hierarchy of other OUs and objects, can be done without impacting the child objects.

If any applications have a dependency on the location of specific objects, you need to ensure they are either updated with the new location or, preferably, reference the objects by GUID, not by distinguished name.

You should also be mindful of the impact of inherited ACLs and applied group policy on the new parent OU.

5.7.4 See Also

MS KB 313066 (HOW TO: Move Users, Groups, and Organizational Units Within a Domain in Windows 2000) and MSDN: IADsContainer::MoveHere.

Recipe 5.8 Determining How Many Child Objects an OU Has

This recipe requires the Windows Server 2003 domain functional level.

5.8.1 Problem

You want to determine if an OU has any child objects, or determine how many child objects it contains.

5.8.2 Solution

5.8.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Browse and then Search.

3. For Base Dn, enter <OrgUnitDN>.

4. For Filter, enter (objectclass=*).

5. For Scope, select Base.

6. Click the Options button and enter msDS-Approx-Immed-Subordinates for Attributes.

7. Click OK and Run.

8. The results will be displayed in the right pane.

5.8.2.2 Using a command-line interface

> dsquery * "<OrgUnitDN>" -scope base -attr msDS-Approx-Immed-Subordinates

5.8.2.3 Using VBScript

' This code displays the approximate number of child objects for an OU
set objOU = GetObject("LDAP://<OrgUnitDN>")
objOU.GetInfoEx Array("msDS-Approx-Immed-Subordinates"), 0
WScript.Echo "Number of child objects: " & _
             objOU.Get("msDS-Approx-Immed-Subordinates")

5.8.3 Discussion

The msDS-Approx-Immed-Subordinates attribute is new to Windows Server 2003. It contains the approximate number of direct child objects in a container or organizational unit. Note that this is an approximation and can be off by 10% of the actual total for large containers. The main reason for adding this attribute was to give applications an idea of how many objects a container has so that they can display them accordingly.

msDS-Approx-Immed-Subordinates is a constructed attribute; that is, the value is not actually stored in Active Directory like other attributes. Active Directory computes the value when an application asks for it. In the VBScript solution, the GetInfoEx method had to be called because some constructed attributes, such as this one, are not retrieved when GetInfo or Get is called. You can accomplish similar functionality with Windows 2000 Active Directory, but you need to perform a onelevel search against the OU and count the number of objects returned. This method is by no means as efficient as using msDS-Approx-Immed-Subordinates in Windows Server 2003.

5.8.4 See Also

MSDN: GetInfoEx

Recipe 5.9 Delegating Control of an OU

5.9.1 Problem

You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.

5.9.2 Solution

5.9.2.1 Using a graphical user interface

1. Open the Active Directory Users and Computers snap-in.

2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

3. In the left pane, browse to the target OU, right-click on it, and select Delegate Control.

4. Select the users and/or groups to delegate control to by using the Add button and click Next.

5. Select the type of privilege to grant the users/groups and click Next.

6. Click Finish.

5.9.2.2 Using a command-line interface

ACLs can be set via a command line with the dsacls utility from the Support Tools. See Recipe 14.10 for more information.

5.9.3 Discussion

Although you can delegate control of an OU to a particular user, it is generally a better practice to use a group instead. Even if there is only one user to delegate control to, you should create a group, add that user as a member, and use that group in the ACL. That way, in the future when you have to replace that user with someone else, you can make sure the new person is in the correct group instead of modifying ACLs again.

5.9.4 See Also

Recipe 14.10 for changing the ACL on an object.

Recipe 5.10 Allowing OUs to Be Created Within Containers

5.10.1 Problem

You want to create an OU within a container. By default, you cannot create OUs within container objects due to restrictions in the Active Directory schema.

5.10.2 Solution

5.10.2.1 Using a graphical user interface

1. Open the Active Directory Schema snap-in as a user that is a member of the Schema Admins group. See Recipe 10.1 for more on using the Schema snap-in.

2. Expand the Classes folder, right-click on the organizationalUnit class, and select Properties.

3. Select the Relationship tab and, next to Possible Superior, click Add Superior (Windows Server 2003) or Add (Windows 2000).

4. Select container and click OK.

5. Click OK.

5.10.2.2 Using a command-line interface

Create an LDIF file called ou_in_container.ldf with the following contents:

dn: cn=organizational-unit,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
add: possSuperiors
possSuperiors: container
-

then run the ldifde command to import the change:

> ldifde -i -f ou_in_container.ldf

5.10.2.3 Using VBScript

' This code modifies the schema so that OUs can be created within containers
Const ADS_PROPERTY_APPEND = 3
set objRootDSE = GetObject("LDAP://RootDSE")
set objOUClass = GetObject("LDAP://cn=organizational-unit," & _
                           objRootDSE.Get("schemaNamingContext") )
objOUClass.PutEx ADS_PROPERTY_APPEND, "possSuperiors", Array("container")
objOUClass.SetInfo

5.10.3 Discussion

Allowing OUs to be created within containers requires a simple modification to the schema. You have to make the container class one of the possible superiors (possSuperiors attribute) for the organizationalUnit class.

5.10.4 See Also

Recipe 10.1 for using the Schema snap-in and MS KB 224377 (Configuring Different Containers to Hold Organizational Units).

Recipe 5.11 Linking a GPO to an OU

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

5.11.2.1 Using a graphical user interface

1. Open the Group Policy Management (GPMC) snap-in.

2. Expand Forest in the left pane.

3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.

4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

5.11.2.2 Using VBScript

' This code links a GPO to an OU in the specified domain
' - SCRIPT CONFIGURATION -
strDomainDN = "<DomainDN>"  ' e.g. dc=rallencorp,dc=com
strGPO = "<GPOName>"        ' e.g. WorkstationsGPO
strOUDN = "<OrgUnitDN>"     ' e.g. ou=Workstations,dc=rallencorp,dc=com
' - END CONFIGURATION -
' strDomainDN already contains the dc= components, so it is appended as-is
strBaseDN = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
strFilter = "(&(objectcategory=grouppolicycontainer)" & _
            "(objectclass=grouppolicycontainer)" & _
            "(displayname=" & strGPO & "));"
strAttrs = "ADsPath;"
strScope = "OneLevel"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   ' Read the recordset to the end so RecordCount reflects every match
   objRS.MoveLast
end if
if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not find matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if
set objOU = GetObject("LDAP://" & strOUDN)
on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   ' -2147463155 (E_ADS_PROPERTY_NOT_FOUND) only means no GPO is linked yet
   if Err.Number <> -2147463155 then
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                   Err.Description
      Wscript.Quit
   end if
end if
on error goto 0
objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"

5.11.3 Discussion

The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of the gpLink attribute is kind of strange, so you have to be careful when programmatically or manually setting that attribute. Since multiple GPOs can be linked to an OU, the gpLink attribute has to store multiple values; unfortunately, it does not store them as you might expect in a multivalued attribute. Instead, the links are stored as part of the single-valued gpLink attribute. The ADsPath of each linked GPO is concatenated into a string, with each enclosed in square brackets. The ADsPath for each GPO is followed by ;0 to signify the link is enabled or ;1 to signify the link is disabled. Here is an example gpLink with two GPOs linked:

[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]

A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the GPMC APIs.
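A helper for the gpLink format described above, added here as an example and not taken from the book: it parses a value into its [ADsPath;flags] entries, serializes it back, and appends a link the way the Recipe 5.11 script does while refusing to link the same GPO twice. It goes beyond the recipe text in treating the flag as a bitmask (bit 1, value 2, marks an enforced link); the sample value is the two-GPO example from the Discussion, and any other path used with it is a constructed placeholder.

```python
import re
from dataclasses import dataclass

# gpLink flag bits. The recipe shows ;0 (enabled) and ;1 (disabled); the value
# is a bitmask, and bit 1 (value 2) marks the link as enforced (No Override).
GPLINK_DISABLED = 0x1
GPLINK_ENFORCED = 0x2

_ENTRY_RE = re.compile(r"\[([^;\]]+);(\d+)\]")  # "[" ADsPath ";" flags "]"

# The two-link example from the recipe's Discussion, used as constructed sample input.
SAMPLE_GPLINK = (
    "[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]"
)

@dataclass(frozen=True)
class GpLink:
    ads_path: str  # LDAP://cn={GUID},cn=policies,cn=system,<DomainDN>
    flags: int

    @property
    def enabled(self) -> bool:
        return not self.flags & GPLINK_DISABLED

    @property
    def enforced(self) -> bool:
        return bool(self.flags & GPLINK_ENFORCED)

def parse_gplink(value: str) -> list[GpLink]:
    # An absent attribute (E_ADS_PROPERTY_NOT_FOUND in the script) or "" means no links.
    value = (value or "").strip()
    if not value:
        return []
    entries = _ENTRY_RE.findall(value)
    # Fail loudly on anything the pattern did not consume rather than silently drop links.
    if "".join(f"[{p};{f}]" for p, f in entries) != value:
        raise ValueError(f"malformed gpLink value: {value!r}")
    return [GpLink(p, int(f)) for p, f in entries]

def format_gplink(links: list[GpLink]) -> str:
    return "".join(f"[{link.ads_path};{link.flags}]" for link in links)

def add_gplink(value: str, ads_path: str, flags: int = 0) -> str:
    # Append like the recipe's objOU.Put, but refuse to link the same GPO twice
    # (DNs are compared case-insensitively, as LDAP does).
    links = parse_gplink(value)
    if any(link.ads_path.lower() == ads_path.lower() for link in links):
        raise ValueError(f"GPO already linked: {ads_path}")
    return format_gplink(links + [GpLink(ads_path, flags)])
```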

5.11.4 See Also

Introduction in Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the Addition of Group Policy Links).

Posted: 05/07/2014, 08:20