You want to move a computer object to a different container or OU within the same domain.
Solution
Using a graphical user interface
Open the ADUC snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, right-click on the domain and select Find.
Beside Find, select Computers.
Type the name of the computer and click Find Now.
In the Search Results window, right-click on the computer and select Move.
Browse to and select the new parent container or OU.
Click OK.
With the Windows Server 2003 version of Active Directory Users and Computers, you can also use the new drag-and-drop functionality to move computers and other objects.
Using a command-line interface
You can move a computer object to a new container using the built-in DSMove utility or AdMod. To use DSMove, enter the following syntax:
To move a computer object using AdMod, use the following:
> admod -b "<ComputerDN>" -move "<NewParentDN>"
Using VBScript
' This code moves a computer to the specified container/OU.
' ------ SCRIPT CONFIGURATION ------
strCompDN = "<ComputerDN>"    ' e.g. cn=joe-xp,cn=Users,dc=rallencorp,dc=com
strOUDN = "<NewParentDN>"     ' e.g. ou=workstations,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Bind to the computer object and to the destination container
set objComp = GetObject("LDAP://" & strCompDN)
set objOU = GetObject("LDAP://" & strOUDN)
' MoveHere on the destination container performs the move
objOU.MoveHere objComp.ADsPath, objComp.Name
Discussion
You can move computer objects around a domain without much impact on the computer itself. You just need to be cautious of the security settings on the new parent OU, which may impact a user’s ability to manage the computer object in Active Directory. Also, if GPOs are used differently on the new parent, it could impact booting and logon times, and how the computer’s operating system behaves after a user has logged on.
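The checks this discussion recommends, as an added PowerShell example that is not part of the original recipe: it assumes the ActiveDirectory and GroupPolicy RSAT modules, uses the recipe's placeholder DNs, and reports the GPO and permission changes a computer object will see before calling Move-ADObject.

```powershell
# Added example (not from the original recipe): report which GPOs and which
# explicit OU permissions a computer object will pick up after the move,
# then move it. Assumes the ActiveDirectory and GroupPolicy RSAT modules;
# the two DNs below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computerDN  = 'CN=joe-xp,CN=Users,DC=rallencorp,DC=com'   # placeholder
$newParentDN = 'OU=workstations,DC=rallencorp,DC=com'      # placeholder

# GPOs link only to the domain or to OUs, so walk up from a plain container
# (such as CN=Users) to the nearest OU or the domain itself.
function Get-GpoScopeDN {
    param([string]$DN)
    while ($DN -notmatch '^(OU|DC)=') { $DN = ($DN -split ',', 2)[1] }
    return $DN
}

# Enabled GPOs in effect at a container: its own links plus inherited ones.
function Get-EffectiveGpoNames {
    param([string]$ContainerDN)
    $inh = Get-GPInheritance -Target (Get-GpoScopeDN -DN $ContainerDN)
    return @($inh.InheritedGpoLinks | Where-Object { $_.Enabled } |
             ForEach-Object { $_.DisplayName })
}

$computer    = Get-ADComputer -Identity $computerDN
$oldParentDN = ($computer.DistinguishedName -split ',', 2)[1]

$before = Get-EffectiveGpoNames -ContainerDN $oldParentDN
$after  = Get-EffectiveGpoNames -ContainerDN $newParentDN
$gained = $after  | Where-Object { $_ -notin $before }
$lost   = $before | Where-Object { $_ -notin $after  }
Write-Host "GPOs newly applied after the move: $($gained -join ', ')"
Write-Host "GPOs no longer applied:            $($lost -join ', ')"

# Explicit ACEs on the new parent that child objects inherit: these decide who
# can manage the computer object once it sits under the new OU.
$acl = Get-Acl -Path "AD:\$newParentDN"
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.InheritanceType -ne 'None' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# -WhatIf previews the move; remove it to perform the move for real.
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $newParentDN -WhatIf
```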
See Also
Recipe 4.20 for moving an object to a different OU, and Recipe 8.5 for moving a computer to a different domain
You want to move a computer object to a different domain.
Solution
Using a graphical user interface
To migrate a computer object between domains in the same forest, use the following steps:
Open the ADMT MMC snap-in.
Right-click on the Active Directory Migration Tool folder and select the Computer Account Migration Wizard.
On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.
On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:
Files and folders
Local groups
Printers
Registry
Shares
User profiles
User rights
On the Security Migration Options screen, choose how local user accounts will be migrated into the new domain. Select one of the following and click Next to continue:
Replace: This option replaces any references to objects from the source domain with references to objects in the target domain.
Add: This option adds references to objects in the target domain while leaving the source domain objects intact.
Remove: This option removes all references to source domain objects.
On the Naming Conflicts page, configure how the wizard should handle naming conflicts during the migration process. Select one of the following and click Next to continue:
Ignore conflicting accounts and don’t migrate.
Replace conflicting accounts.
Rename conflicting accounts by adding a designated prefix or suffix.
On the Options screen, select the amount of time the wizard should wait before rebooting the target computer into the new domain.
Click Next to review your choices and begin the migration process.
Using a command-line interface
The following command will migrate a computer object from the rallencorp.com domain to the emea.rallencorp.com domain. It will place the migrated object in the Finance OU and will wait two minutes before rebooting the target computer:
You can move objects between domains assuming you follow a few guidelines:
The user requesting the move must have permission to modify objects in the parent container of both domains.
You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the Cross Domain Move LDAP control is being used behind the scenes. (For more information on controls, see Recipe 4.4.)
The move operation must be performed against the RID master for both domains. This is done to ensure that two objects that are being moved simultaneously don’t somehow get assigned the same RID.
Both domains must be in native mode.
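A scripted version of these guidelines, added here and not part of the original recipe: it assumes the ActiveDirectory RSAT module, that Move-ADObject's -Server and -TargetServer parameters are the way to name the source and target RID masters, and that the domain names and DNs are placeholders.

```powershell
# Added example (not from the original recipe): check the guidelines above
# before a cross-domain move and issue the move against each domain's RID
# master. Assumes the ActiveDirectory RSAT module and that Move-ADObject's
# -Server/-TargetServer map to the source and target RID masters; domain
# names and DNs are placeholders.
Import-Module ActiveDirectory

$computerDN   = 'CN=fin101,CN=Computers,DC=rallencorp,DC=com'  # placeholder
$sourceDomain = 'rallencorp.com'                                # placeholder
$targetDomain = 'emea.rallencorp.com'                           # placeholder
$targetParent = 'OU=Finance,DC=emea,DC=rallencorp,DC=com'       # placeholder

# RID master and functional mode of a domain, the two facts the move depends on.
function Get-DomainMoveInfo {
    param([string]$DomainName)
    $d = Get-ADDomain -Identity $DomainName
    [pscustomobject]@{
        Domain    = $d.DNSRoot
        RidMaster = $d.RIDMaster
        Mode      = $d.DomainMode
    }
}

$src = Get-DomainMoveInfo -DomainName $sourceDomain
$dst = Get-DomainMoveInfo -DomainName $targetDomain
$src, $dst | Format-Table -AutoSize

# Mixed and interim modes cannot take part in a cross-domain move; stop early
# rather than let the operation fail part-way through.
foreach ($d in @($src, $dst)) {
    if ("$($d.Mode)" -match 'Mixed|Interim') {
        throw "Domain $($d.Domain) is in $($d.Mode) mode; raise it to native first."
    }
}

# Name the RID masters explicitly: a serverless bind would pick an arbitrary DC,
# which is usually not the RID master the Cross Domain Move control needs.
foreach ($dc in @($src.RidMaster, $dst.RidMaster)) {
    if (-not (Test-Connection -ComputerName $dc -Count 1 -Quiet)) {
        throw "RID master $dc is unreachable; cannot move against it."
    }
}

# -WhatIf previews the move; remove it to perform the move for real.
Move-ADObject -Identity $computerDN -TargetPath $targetParent `
    -Server $src.RidMaster -TargetServer $dst.RidMaster -WhatIf
```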
See Also
Recipe 4.4 for more on LDAP controls, MSDN: IADsContainer::MoveHere, and MS KB 326480 (How to Use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003)
' This code renames a computer in AD and on the host itself.
' ------ SCRIPT CONFIGURATION ------
strComputer = "<ComputerName>"          ' e.g. joe-xp
strNewComputer = "<NewComputerName>"    ' e.g. joe-pc
strDomainUser = "<DomainUserUPN>"       ' e.g. administrator@rallencorp.com
strDomainPasswd = "<DomainUserPasswd>"
strLocalUser = "<ComputerAdminUser>"    ' e.g. joe-xp\administrator
strLocalPasswd = "<ComputerAdminPasswd>"
' ------ END CONFIGURATION ---------

'###########################
' Connect to Computer
'###########################
set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
' 6 = wbemAuthenticationLevelPktPrivacy: encrypt the WMI traffic that carries the credentials
objWMILocator.Security_.AuthenticationLevel = 6
set objWMIComputer = objWMILocator.ConnectServer(strComputer, _
                                                "root\cimv2", _
                                                strLocalUser, _
                                                strLocalPasswd)
set objWMIComputerSystem = objWMIComputer.Get( _
                               "Win32_ComputerSystem.Name='" & _
                               strComputer & "'")

'###########################
' Rename Computer
'###########################
' Rename takes the new name, then the domain credentials used to update the AD object
rc = objWMIComputerSystem.Rename(strNewComputer, _
                                 strDomainPasswd, _
                                 strDomainUser)
if rc <> 0 then
   WScript.Echo "Rename failed with error: " & rc
else
   WScript.Echo "Successfully renamed " & strComputer & " to " & _
                strNewComputer
end if
Renaming a computer consists of two operations: renaming the computer object in Active Directory and renaming the hostname on the machine itself. To do it in one step, which each of the three solutions offers, you must have permission in Active Directory to rename the account and administrator permissions on the target machine. For the rename operation to be complete, you must reboot the computer.
In some cases, renaming a computer can adversely affect services running on the computer. For example, you cannot rename a machine that is a domain controller, Exchange Server, or a Windows Certificate Authority without taking additional steps and precautions.
Using a graphical user interface
After you rename the computer, you will be prompted to reboot the machine. You can cancel if necessary, but you’ll need to reboot at some point to complete the rename operation.
Using a command-line interface
The renamecomputer option in netdom is new to Windows Server 2003. It can run remotely and includes a /Reboot switch that allows you to automatically reboot the computer after the rename is complete.
Using VBScript
The Win32_ComputerSystem::Rename method must be run on the local machine unless the computer is a member of a domain. Unlike the GUI and CLI solutions, you cannot specify alternate credentials for the connection to the computer other than domain credentials. For this reason, the user and password you use with the Rename method must have administrative privileges on the target machine (i.e., part of the Administrators group) and on the computer object in Active Directory.
The Rename method is new in Windows XP and Windows Server 2003, and is not available on Windows 2000 and earlier machines.
See Also
Recipe 4.23 for renaming objects, MS KB 228544 (Changing Computer Name in Windows 2000 Requires Restart), MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 260575 (How to Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller), MS KB 325354 (How to Use the Netdom.exe Utility to Rename a Computer in Windows Server 2003), and MSDN: Win32_ComputerSystem::Rename
You want to add or remove a computer account from an Active Directory security group.
Solution
Using a graphical user interface
Open the ADUC snap-in.
If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
In the left pane, browse to the parent container of the objects you want to modify.
In the right pane, highlight each object you want to modify, right-click, and select Properties.
On the Member of tab, click Add.
Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.
To remove a group, select the group object and click Remove.
Click OK to finish.
Using a command-line interface
To add a computer object to a group, use the following syntax:
> admod -b "<GroupDN>" member:+:"<ComputerDN>"
To remove an object, replace :+: with :-: in the previous syntax.
Using VBScript
' This code adds and removes a computer object from a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"          ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
strComputerDN = "<ComputerDN>"    ' e.g. cn=Fin101,cn=Computers,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)

' Add a member
objGroup.Add("LDAP://" & strComputerDN)

' Remove a member
objGroup.Remove("LDAP://" & strComputerDN)
Discussion
In Active Directory, both user and computer objects are security principals that can be assigned rights and permissions within a domain. As such, computer objects can be added to or removed from group objects to make for simpler resource administration. You can make this change through ADUC or ADSI Edit, or by manually editing the member attribute of the appropriate group object.
See Also
MSDN: NT-Group-Members attribute [AD Schema] and MSDN: Member Attribute [AD Schema]