Moving and Renaming Computers with Active Directory

In this second part of a four-part series that focuses on how Active Directory treats computer objects, you will learn how to move a computer within the same domain, rename a computer, and more. This article is excerpted from chapter eight of the Active Directory Cookbook, Second Edition, written by Robbie Allen and Laura E. Hunter (O'Reilly; ISBN: 059610202X). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

January 17, 2008
Moving a Computer Within the Same Domain

Problem

You want to move a computer object to a different container or OU within the same domain.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, right-click on the domain and select Find.
  4. Beside Find, select Computers.
  5. Type the name of the computer and click Find Now.
  6. In the Search Results window, right-click on the computer and select Move.
  7. Browse to and select the new parent container or OU.
  8. Click OK.

With the Windows Server 2003 version of Active Directory Users and Computers, you can also use the new drag-and-drop functionality to move computers and other objects.

Using a command-line interface

You can move a computer object to a new container using the built-in DSMove utility or AdMod. To use DSMove, enter the following syntax:

  > dsmove "<ComputerDN>" -newparent "<NewParentDN>"

To move a computer object using AdMod, use the following:

  > admod -b "<ComputerDN>" -move "<NewParentDN>"

Using VBScript

  ' This code moves a computer to the specified container/OU.
  ' ------ SCRIPT CONFIGURATION ------
  strCompDN = "<ComputerDN>" ' e.g. cn=joe-xp,cn=Users,dc=rallencorp,dc=com
  strOUDN = "<NewParentDN>"  ' e.g. ou=workstations,dc=rallencorp,dc=com
  ' ------ END CONFIGURATION ---------

  set objComp = GetObject("LDAP://" & strCompDN)
  set objOU = GetObject("LDAP://" & strOUDN)
  objOU.MoveHere objComp.ADsPath, objComp.Name

Discussion

You can move computer objects around a domain without much impact on the computer itself. You just need to be cautious of the security settings on the new parent OU, which may impact a user’s ability to manage the computer object in Active Directory. Also, if GPOs are used differently on the new parent, it could impact booting and logon times, and how the computer’s operating system behaves after a user has logged on.
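
The following read-only script is an added example, not code from the book. It lists what the discussion above says to check before a move: the ACEs on each parent that propagate to child objects, and the GPO links from each parent up to the domain root. It reuses the recipe's `<ComputerDN>` and `<NewParentDN>` placeholders; the `ReadAttr` and `Report` helpers are names made up for this example, and site-level GPO links are not covered.

```vbscript
' Added example (read-only): show what a move would change for the computer.
Option Explicit
Dim strCompDN, strOUDN
' ------ SCRIPT CONFIGURATION (same placeholders as the recipe) ------
strCompDN = "<ComputerDN>"   ' e.g. cn=joe-xp,cn=Users,dc=rallencorp,dc=com
strOUDN   = "<NewParentDN>"  ' e.g. ou=workstations,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

WScript.Echo "=== Current parent ==="
Report GetObject(GetObject("LDAP://" & strCompDN).Parent)
WScript.Echo "=== New parent ==="
Report GetObject("LDAP://" & strOUDN)

' Helper for this example: returns an attribute value, or "" when it is not set.
Function ReadAttr(objADs, strAttr)
    ReadAttr = ""
    On Error Resume Next
    ReadAttr = objADs.Get(strAttr)
    On Error GoTo 0
End Function

' Helper for this example: prints inheritable ACEs and GPO links for a container.
Sub Report(objStart)
    Dim objCur, objAce, strLinks, strEntry, intOpt
    ' ACEs on the parent that propagate to child objects such as the computer.
    For Each objAce In objStart.Get("ntSecurityDescriptor").DiscretionaryAcl
        If (objAce.AceFlags And &H2) <> 0 Then   ' &H2 = ADS_ACEFLAG_INHERIT_ACE
            WScript.Echo "ACE  " & objAce.Trustee & " type=" & objAce.AceType & _
                         " mask=0x" & Hex(objAce.AccessMask)
        End If
    Next
    ' GPO links from this container up to the domain root.
    Set objCur = objStart
    Do
        strLinks = Trim(ReadAttr(objCur, "gPLink"))
        If Len(strLinks) > 2 Then
            ' gPLink looks like [LDAP://<GPO DN>;<options>][...]; bit 1 = disabled, bit 2 = enforced.
            For Each strEntry In Split(Mid(strLinks, 2, Len(strLinks) - 2), "][")
                intOpt = CInt(Mid(strEntry, InStrRev(strEntry, ";") + 1))
                WScript.Echo "GPO  " & Left(strEntry, InStrRev(strEntry, ";") - 1) & _
                             " @ " & objCur.Get("distinguishedName") & _
                             " disabled=" & CBool(intOpt And 1) & _
                             " enforced=" & CBool(intOpt And 2)
            Next
        End If
        If objCur.Class = "domainDNS" Then Exit Do
        If CStr(ReadAttr(objCur, "gPOptions")) = "1" Then
            WScript.Echo "     (inheritance blocked here: only enforced links above apply)"
        End If
        Set objCur = GetObject(objCur.Parent)
    Loop
End Sub
```

Run it with cscript and compare the two sections: a trustee or GPO that appears under only one parent is a change the computer will see after the move.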

See Also

Recipe 4.20 for moving an object to a different OU, and Recipe 8.5 for moving a computer to a different domain

Moving a Computer to a New Domain

Problem

You want to move a computer object to a different domain. 

Solution

Using a graphical user interface

To migrate a computer object between domains in the same forest, use the following steps:

  1. Open the ADMT MMC snap-in.
  2. Right-click on the Active Directory Migration Tool folder and select the Computer Account Migration Wizard.
  3. On the Domain Selection page, enter the DNS or NetBIOS name of the source and target domains. Click Next.
  4. On the Translate Objects screen, specify which objects should have new ACLs applied in the new domain. Select any, none, or all of the following, and then click Next to continue:
    • Files and folders
    • Local groups
    • Printers
    • Registry
    • Shares
    • User profiles
    • User rights
  5. On the Security Migration Options screen, select the following options to determine how local user accounts will be migrated into the new domain. Select one of the following and click Next to continue:

    Replace
       This option will replace any references to
       objects from the source domain with
       references to objects in the target domain.

    Add
       This option adds references to objects in the
       target domain while leaving the source domain
       objects intact.

    Remove
       This option removes all references to source
       domain objects.
  6. On the Naming Conflicts page, configure how the wizard should handle naming conflicts during the migration process. Select one of the following and click Next to continue:

    • Ignore conflicting accounts and don’t migrate.
    • Replace conflicting accounts.
    • Rename conflicting accounts by adding a designated prefix or suffix.
  7. On the Options screen, select the amount of time the wizard should wait before rebooting the target computer into the new domain.
  8. Click Next to review your choices and begin the migration process.

Using a command-line interface

The following command will migrate a computer object from the rallencorp.com domain to the emea.rallencorp.com domain. It will place the migrated object in the Finance OU and will wait two minutes before rebooting the target computer:

  ADMT COMPUTER /N "FIN101-A" "FIN101-A" /SD:"rallencorp.com"
  /TD:"emea.rallencorp.com" /TO:"Finance" /RDL:2

Using VBScript

  ' Bind to the target parent container on an explicitly named target DC.
  set objObject = GetObject("LDAP://TargetDC/TargetParentDN")
  objObject.MoveHere "LDAP://SourceDC/SourceDN", vbNullString

Discussion

You can move objects between domains assuming you follow a few guidelines:

  1. The user requesting the move must have permission to modify objects in the parent container of both domains.
  2. You need to explicitly specify the target DC (serverless binds usually do not work). This is necessary because the Cross Domain Move LDAP control is being used behind the scenes. (For more information on controls, see Recipe 4.4.)
  3. The move operation must be performed against the RID master for both domains. This is done to ensure that two objects that are being moved simultaneously don’t somehow get assigned the same RID.
  4. Both domains must be in native mode.
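
Guidelines 2 and 3 can be met in script by looking up each domain's RID master and naming it in both ADsPaths. The script below is an added example, not code from the book; the `RidMaster` function and the `<SourceDomainDNSName>` and `<TargetDomainDNSName>` placeholders are introduced here for illustration.

```vbscript
' Added example: resolve each domain's RID master and bind to it for the move.
Option Explicit
Dim strSourceDomain, strTargetDomain, strSourceDN, strTargetParentDN
Dim strSourceDC, strTargetDC, objTargetParent
' ------ SCRIPT CONFIGURATION ------
strSourceDomain   = "<SourceDomainDNSName>"  ' e.g. rallencorp.com
strTargetDomain   = "<TargetDomainDNSName>"  ' e.g. emea.rallencorp.com
strSourceDN       = "<SourceDN>"             ' DN of the computer to move
strTargetParentDN = "<TargetParentDN>"       ' DN of the new parent container/OU
' ------ END CONFIGURATION ---------

strSourceDC = RidMaster(strSourceDomain)
strTargetDC = RidMaster(strTargetDomain)
WScript.Echo "Source RID master: " & strSourceDC
WScript.Echo "Target RID master: " & strTargetDC

' Name the DC in both paths; a serverless bind is not used.
Set objTargetParent = GetObject("LDAP://" & strTargetDC & "/" & strTargetParentDN)
On Error Resume Next
objTargetParent.MoveHere "LDAP://" & strSourceDC & "/" & strSourceDN, vbNullString
If Err.Number <> 0 Then
    WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
WScript.Echo "Moved " & strSourceDN & " under " & strTargetParentDN

' Helper for this example: returns the DNS host name of a domain's RID master.
Function RidMaster(strDomain)
    Dim objRootDSE, objRidMgr, objNtds, objServer
    Set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
    Set objRidMgr = GetObject("LDAP://" & strDomain & _
                              "/CN=RID Manager$,CN=System," & _
                              objRootDSE.Get("defaultNamingContext"))
    ' fSMORoleOwner holds the DN of the role holder's NTDS Settings object;
    ' its parent is the server object, which carries dNSHostName.
    Set objNtds = GetObject("LDAP://" & strDomain & "/" & _
                            objRidMgr.Get("fSMORoleOwner"))
    Set objServer = GetObject(objNtds.Parent)
    RidMaster = objServer.Get("dNSHostName")
End Function
```

A failure reported here is most often one of the listed guidelines not being met, so check permissions on both parent containers and the domain mode before retrying.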

See Also

Recipe 4.4 for more on LDAP controls, MSDN: IADsContainer::MoveHere, and MS KB 326480 (How to Use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003)

Renaming a Computer

Problem

You want to rename a computer.

Solution

Using a graphical user interface

  1. Log on to the computer either directly or with a remote console application such as Terminal Services.

  2. Open the Control Panel and double-click on the System applet.
  3. Select the Computer Name tab and click the Change button.
  4. Under Computer Name, type the new name of the computer and click OK until you are out of the System applet.
  5. Reboot the machine.

Using a command-line interface

You can rename a computer object by using the built-in netdom utility with the following syntax:

  > netdom renamecomputer <ComputerName> /NewName:<NewComputerName> /UserD:<DomainUserUPN>
  /PasswordD:* /UserO:<ComputerAdminUser> /PasswordO:* /Reboot

Using VBScript

  ' This code renames a computer in AD and on the host itself.
  ' ------ SCRIPT CONFIGURATION ------
  strComputer     = "<ComputerName>"       ' e.g. joe-xp
  strNewComputer  = "<NewComputerName>"    ' e.g. joe-pc
  strDomainUser   = "<DomainUserUPN>"      ' e.g. administrator@rallencorp.com
  strDomainPasswd = "<DomainUserPasswd>"
  strLocalUser    = "<ComputerAdminUser>"  ' e.g. joe-xp\administrator
  strLocalPasswd  = "<ComputerAdminPasswd>"
  ' ------ END CONFIGURATION ---------

  '###########################
  ' Connect to Computer
  '###########################
  set objWMILocator = CreateObject("WbemScripting.SWbemLocator")
  ' 6 = wbemAuthenticationLevelPktPrivacy: the WMI connection is encrypted
  objWMILocator.Security_.AuthenticationLevel = 6
  set objWMIComputer = objWMILocator.ConnectServer(strComputer, _
                           "root\cimv2", _
                           strLocalUser, _
                            strLocalPasswd)
  set objWMIComputerSystem = objWMIComputer.Get( _
          "Win32_ComputerSystem.Name='" & _
          strComputer & "'")
  '###########################
  ' Rename Computer
  '###########################
  rc = objWMIComputerSystem.Rename(strNewComputer, _
                strDomainPasswd, _
                strDomainUser)
  if rc <> 0 then
      WScript.Echo "Rename failed with error: " & rc
  else
      WScript.Echo "Successfully renamed " & strComputer & " to " & _
                   strNewComputer
  end if

  WScript.Echo "Rebooting . . . "
  set objWSHShell = WScript.CreateObject("WScript.Shell")
  objWSHShell.Run "rundll32 shell32.dll,SHExitWindowsEx 2"

Discussion

Renaming a computer consists of two operations: renaming the computer object in Active Directory and renaming the hostname on the machine itself. To do it in one step, which each of the three solutions offers, you must have permission in Active Directory to rename the account and administrator permissions on the target machine. For the rename operation to be complete, you must reboot the computer.

In some cases, renaming a computer can adversely affect services running on the computer. For example, you cannot rename a machine that is a domain controller, Exchange Server, or a Windows Certificate Authority without taking additional steps and precautions.

Using a graphical user interface

After you rename the computer, you will be prompted to reboot the machine. You can cancel if necessary, but you’ll need to reboot at some point to complete the rename operation.

Using a command-line interface

The renamecomputer option in netdom is new to Windows Server 2003. It can run remotely and includes a /Reboot switch that allows you to automatically reboot the computer after the rename is complete.

Using VBScript

The Win32_ComputerSystem::Rename method must be run on the local machine unless the computer is a member of a domain. Unlike the GUI and CLI solutions, you cannot specify alternate credentials for the connection to the computer other than domain credentials. For this reason, the user and password you use with the Rename method must have administrative privileges on the target machine (i.e., part of the Administrators group) and on the computer object in Active Directory.

The Rename method is new in Windows XP and Windows Server 2003, and is not available on Windows 2000 and earlier machines.

See Also

Recipe 4.23 for renaming objects, MS KB 228544 (Changing Computer Name in Windows 2000 Requires Restart), MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 260575 (How to Use Netdom.exe to Reset Machine Account Passwords of a Windows 2000 Domain Controller), MS KB 325354 (How to Use the Netdom.exe Utility to Rename a Computer in Windows Server 2003), and MSDN: Win32_ComputerSystem::Rename

Add or Remove a Computer Account from a Group

Problem

You want to add or remove a computer account from an Active Directory security group.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select “Connect to Domain,” enter the domain name, and click OK.
  3. In the left pane, browse to the parent container of the objects you want to modify.
  4. In the right pane, highlight each object you want to modify, right-click, and select Properties.
  5. On the Member of tab, click Add.
  6. Click the group to which you want to add the computer, and then click Add. To add the computer to more than one group, press Ctrl while selecting the groups you want to add the computer to, and then click Add.
  7. To remove a group, select the group object and click Remove.
  8. Click OK to finish.

Using a command-line interface

To add a computer object to a group, use the following syntax:

  > admod -b "<GroupDN>" member:+:"<ComputerDN>"

To remove an object, replace :+: with :-: in the previous syntax.

Using VBScript

  ' This code adds and removes a computer object from a group.
  ' ------ SCRIPT CONFIGURATION ------
  strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Groups,dc=rallencorp,dc=com
  strComputerDN = "<ComputerDN>" ' e.g. cn=Fin101,cn=Computers,dc=rallencorp,dc=com
  ' ------ END CONFIGURATION ---------

  set objGroup = GetObject("LDAP://" & strGroupDN)
  ' Add a member
  objGroup.Add("LDAP://" & strComputerDN)

  ' Remove a member
  objGroup.Remove("LDAP://" & strComputerDN)

Discussion

In Active Directory, both user and computer objects are security principals that can be assigned rights and permissions within a domain. As such, computer objects can be added to or removed from group objects to make for simpler resource administration. You can make this change through ADUC or ADSI Edit, or by manually editing the member attribute of the appropriate group object.

See Also

MSDN: NT-Group-Members attribute [AD Schema] and MSDN: Member Attribute [AD Schema]

Please check back next week for the continuation of this article.
