DESCRIPTION
Normally, in order to join a computer to the domain, you have to logon to the target computer and specify the target domain on the Computer Name tab of the System Control Panel ([1]). If a computer account was pre-created in an appropriate OU, this account will be used. If a computer account could not be found in the target domain, it will be created in the Computers container.
For computer accounts in appropriate OUs, using Active Roles Server it is possible to skip the pre-creation phase and use a script policy like the one provided below to automatically move newly joined computers to appropriate OUs.
Using the DirSync control, the Active Roles Administration Service receives all changes made in Active Roles. As part of this process, the Administration Service receives a notification concerning the creation of new computer accounts in the Computers container. Once such a change is detected, the script policy provided below moves the computer account to target OU.
The Policy Object containing this script policy should be linked to the relevant container. The Handle changes from DirSync control option should be set on the Script Module tab of the script policy entry property sheet
NOTES: The Active Roles Administration Service receives changes from one specific Domain Controller, typically the Domain Controller from the site where the Service is running. When joining a computer account to a domain, the computer account is created on the Domain Controller closest to the computer, typically a Domain Controller from the computer's site. Consequently, for the Active Roles Administration Service to detect computer account creation, this change should be replicated from one DC to another. This might take minutes or hours, depending on your replication topology and schedule.
Note This code may use functions from the Active Roles Script Policy Best Practices. Please, follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
'
' Script name: Move Computer Account After Joining to Domain
' Script version: 1.0.0
'
' Requirements:
' - Policy Object is applied to the Computers container in target domain
' - The "Handle changes from DirSync control" option is set on the Script
' Module tab of the script policy entry property sheet
'
' This policy script detects new computer was joined to domain and moves the
' computer account from Computers container to an OU.
' -----------------------------------------------------------------------------
Option Explicit
' This constant defines the target OU name where to move new accounts
Const c_strNewContainerPath = "OU=MyOU,DC=domain,DC=com"
Sub onPostCreate(Request)
'--- Optimization: process only computer account modifications ---
If (LCase(Request.Class) <> "computer") Then Exit Sub
'--- Optimization: process only modifications, received from DC by DirSync ---
If (Request.Parameter("RequestSource") <> EDST_MOD_SOURCE_AD) Then Exit Sub
Dim objNewContainer, objAd
'--- Bind to target container ---
Set objNewContainer = GetObject("EDMS://" & c_strNewContainerPath)
'--- Move computer account to target container ---
Set objAd = objNewContainer.MoveHere(Request.ADsPath, vbNullString)
'--- Apply changes ---
objAd.SetInfo
End Sub
'***** END OF CODE ***************************************************************