Domain computers are organized in an Organizational Unit (OU) structure based on the company's Active Directory delegation model. Generally speaking, new domain computers first join a common OU (referred to as the Staging Organizational Unit) and are then moved to an OU representing the geographical location of the computer, or the location of the primary user's domain user object in Active Directory. The destination OU varies depending on the OU structure implemented by the company. Administrators may build additional OUs to organize computer objects by chassis type, e.g. Desktops, Laptops and Virtual Machines.
For the purpose of this article, consider this OU structure in the domain F10.LOCAL.
++ US San Francisco
++++ Virtual Machines
++ WW Staging Area
The task of associating a new domain computer with the domain user object is performed manually by the computer technician. In a large organization, this can become an administrative overhead.
The Computer Object Location feature of Synergix AD Client Extensions software complements the domain join step of the OS provisioning process and moves the computer object whenever the associated user object is moved. If the user account is in OU=Accounts,OU=Users,OU=US San Francisco,DC=F10,DC=LOCAL, the domain computer object is moved from the staging area OU=Computers,OU=WW Staging Area,DC=F10,DC=LOCAL to OU=Desktops,OU=Computers,OU=US San Francisco,DC=F10,DC=LOCAL.
This article provides instructions on testing the SYNERGIX AD Client Extensions software. The Computer Object Location feature is configured using the Administrative Template. After installing the Administrative Template file, the policy setting can be found under COMPUTER CONFIGURATION \ Administrative Templates \ SYNERGIX AD Client Extensions \ Account Attributes \ Computer Account Attributes \ Computer Object Location. The Explain tab of the Group Policy setting provides instructions on configuring the feature.
- Microsoft Windows 7.0 or
- Microsoft Windows 8.1 or
- Microsoft Windows 10 or
- Microsoft Windows Server 2008 & R2 or
- Microsoft Windows Server 2012 & R2 or
- Microsoft Windows Server 2016
- .NET Framework 4.0
Active Directory Domain Environment
- Single Active Directory Domain environment, i.e. a single forest containing only the forest root domain, for example SYNERGIX.WIN
- You can set up a more complex Active Directory Domain environment if needed. For example, one forest SYNERGIX.WIN with child domains US.SYNERGIX.WIN and GB.SYNERGIX.WIN, and a trusted forest SYNERGIXLABS.WIN with child domains US.SYNERGIXLABS.WIN and GB.SYNERGIXLABS.WIN
- Security Group(s)
- Create a security group called “SYNERGIX ADCE Managed Computers”. The group type may be Domain Global Group or Domain Local Group.
- Add the test domain computer(s) to the security group “SYNERGIX ADCE Managed Computers”
- Delegate Control
You must grant the security principal DOMAIN COMPUTERS or the security group SYNERGIX ADCE Managed Computers the following permissions:
- In the source OU, Delete Computer Objects in This Object and all descendant objects
- In the source OU, Write All Properties on Descendant Computer Objects
- In the destination OU, Create Computer Objects.
For further details on this requirement, please refer to http://support.microsoft.com/kb/818091
If you want computer objects to move from any custom OU to any other custom OU in the same domain, it is recommended that you grant Delete Computer Objects, Create Computer Objects and Write All Properties on all custom OUs in your domain. You must exclude default OUs and containers such as Domain Controllers, Builtin, Users, etc.
Note: Depending on the delegation model in your Active Directory domain, you will most likely also need to grant the security principal DOMAIN COMPUTERS the DELETE permission on Descendant Computer Objects.
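The rights listed above are easy to get subtly wrong (an ACE that does not propagate to descendants, or one scoped to the wrong object class), and a mistake only shows up after the next run interval. The following PowerShell script is an added example and not part of the Synergix software. It assumes the RSAT ActiveDirectory module is installed (it provides the AD: drive that Get-Acl reads), uses the article's F10.LOCAL OU names, and expects the principal written as the ACL editor shows it (for example F10\SYNERGIX ADCE Managed Computers or F10\Domain Computers). The function names Get-AllowAces, Test-Right and Test-AdceDelegation are the example's own.

```powershell
# Added example, not Synergix code: audit the delegated rights on the staging (source) OU
# and the destination OU for a given principal, as the article requires them.
# Assumption: RSAT ActiveDirectory module present (provides the AD: PSDrive).
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" object class; the same value in every AD forest.
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Allow ACEs (explicit or inherited from parent OUs) on an OU that name the principal.
function Get-AllowAces {
    param([string]$OU, [string]$Principal)
    (Get-Acl -Path "AD:\$OU").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Principal }
}

# Does any ACE grant $Right for computer objects (or for all object classes)?
# $Descendants = $false : Create/Delete Child rights, where ObjectType names the child class.
# $Descendants = $true  : rights that must flow down to computer objects below the OU; the ACE
#   must propagate (InheritanceType not None), be scoped by InheritedObjectType to computers or
#   to all classes, and have an empty ObjectType (i.e. all properties / the whole object).
function Test-Right {
    param($Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [bool]$Descendants)
    $computerOrAny = @([guid]::Empty, $ComputerClass)
    foreach ($ace in $Aces) {
        if ([int]($ace.ActiveDirectoryRights -band $Right) -eq 0) { continue }
        if ($Descendants) {
            if ($ace.InheritanceType -eq 'None') { continue }
            if ($computerOrAny -notcontains $ace.InheritedObjectType) { continue }
            if ($ace.ObjectType -ne [guid]::Empty) { continue }
        } elseif ($computerOrAny -notcontains $ace.ObjectType) { continue }
        return $true
    }
    return $false
}

function Test-AdceDelegation {
    param([string]$SourceOU, [string]$DestinationOU, [string]$Principal)
    $src = @(Get-AllowAces -OU $SourceOU -Principal $Principal)
    $dst = @(Get-AllowAces -OU $DestinationOU -Principal $Principal)
    $checks = @(
        @('Source OU: Delete Computer Objects',                      (Test-Right $src 'DeleteChild'   $false)),
        @('Source OU: Write All Properties on descendant computers', (Test-Right $src 'WriteProperty' $true)),
        @('Source OU: Delete on descendant computers (see Note)',    (Test-Right $src 'Delete'        $true)),
        @('Destination OU: Create Computer Objects',                 (Test-Right $dst 'CreateChild'   $false))
    )
    foreach ($c in $checks) {
        '{0,-5} {1}' -f $(if ($c[1]) { 'OK' } else { 'MISS' }), $c[0]
    }
}

# Pass the OU that directly contains the computer object as the source, so that rights
# delegated higher up (e.g. on WW Staging Area) are seen through inheritance.
Test-AdceDelegation -SourceOU 'OU=Computers,OU=WW Staging Area,DC=F10,DC=LOCAL' `
                    -DestinationOU 'OU=Desktops,OU=Computers,OU=US San Francisco,DC=F10,DC=LOCAL' `
                    -Principal 'F10\SYNERGIX ADCE Managed Computers'
```

Run it once for the security group and once with F10\Domain Computers to cover the Note above; a MISS line names the specific right to add in the Delegation of Control wizard before starting the test. A Full Control ACE satisfies every check because GenericAll contains all of the specific right bits.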
- Configure domain Group Policy Object
- On your admin workstation (must be Windows 7.0 or later), copy the SYNERGIX AD Client Extensions Administrative Template file SYNERGIX-ADCE.ADMX to %SystemRoot%\PolicyDefinitions
- On the same admin workstation, copy the SYNERGIX AD Client Extensions Administrative Template Language file SYNERGIX-ADCE.ADML to %SystemRoot%\PolicyDefinitions\en-US
- Using GPMC.MSC, edit an existing or new Group Policy Object
- In Group Policy Editor, expand COMPUTER CONFIGURATION
- Expand Administrative Templates
- Expand SYNERGIX AD Client Extensions
- Expand Account Attributes
- Expand Computer Account Attributes
- Select Computer Object Location
- Click on the Enable radio button to enable the policy setting
- Set the run interval (in minutes). The default is 1440 min.
- For each of the chassis type fields provided, specify the path to which the computer object should be moved.
- You can use the macro ../<%usrPath%> to reference the distinguishedName of the OU in which the user account is located; each ../ prefix steps up one level from that OU.
Consider the user John Smith, who has a domain account jsmith in OU=Accounts,OU=Users,OU=US San Francisco,DC=F10,DC=LOCAL.
Consider that the domain computer John Smith is using is located in a completely different OU; assume it is in OU=Computers,OU=WW Staging,DC=F10,DC=LOCAL.
Assume that the computer chassis type is a physical DESKTOP (as reported by the WMI call).
To have the DESKTOP computer object automatically move from OU=Computers,OU=WW Staging,DC=F10,DC=LOCAL to OU=Desktops,OU=Computers,OU=US San Francisco,DC=F10,DC=LOCAL, specify the following entry in the GPO setting:
OU=Desktops,OU=Computers,../../<%usrPATH%> (note the use of ../../: from OU=Accounts, two levels up is OU=US San Francisco in the OU structure shown above)
- Click OK to save the Group Policy settings.
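To show how an entry like the one above resolves before committing it to a GPO, here is an added PowerShell example (not Synergix code) that applies the ../ and <%usrPath%> rules to the DN of the OU that contains the user account. It assumes the macro is matched case-insensitively (the article writes both usrPath and usrPATH), that each ../ removes one leading RDN from that DN, and that a template without the macro is a literal destination DN; Split-DistinguishedName and Resolve-AdceTargetOU are names chosen for the example. It also refuses to climb into the domain's DC= components or to resolve to anything other than an OU, in line with the advice to exclude the default containers.

```powershell
# Added example, not Synergix code: resolve a Computer Object Location template such as
# 'OU=Desktops,OU=Computers,../../<%usrPATH%>' against the DN of the user's OU.
# Assumptions: macro matched case-insensitively; one '../' removes one leading RDN;
# RDNs may contain escaped commas ('\,') which are not separators.

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split only on commas that are not preceded by a backslash.
    [regex]::Split($DN, '(?<!\\),') | ForEach-Object { $_.Trim() }
}

function Resolve-AdceTargetOU {
    param(
        [Parameter(Mandatory)][string]$Template,   # value entered in the GPO chassis field
        [Parameter(Mandatory)][string]$UserOUDN    # DN of the OU that contains the user account
    )
    $m = [regex]::Match($Template, '^(?<prefix>.*?)(?<up>(\.\./)*)<%usrPath%>$', 'IgnoreCase')
    if (-not $m.Success) {
        # No macro present: the template is a literal destination DN.
        return $Template
    }
    $up = ([regex]::Matches($m.Groups['up'].Value, '\.\./')).Count
    $prefix = $m.Groups['prefix'].Value.TrimEnd(',')
    $staticRdns = @()
    if ($prefix) { $staticRdns = @(Split-DistinguishedName $prefix) }

    $userRdns = @(Split-DistinguishedName $UserOUDN)
    # Only OU= components may be climbed; never step into or past the DC= part of the DN.
    $climbable = @($userRdns | Where-Object { $_ -match '^OU=' }).Count
    if ($up -gt $climbable) {
        throw "Template climbs $up level(s) but '$UserOUDN' has only $climbable OU level(s)"
    }
    $remaining = $userRdns[$up..($userRdns.Count - 1)]
    $target = ($staticRdns + $remaining) -join ','
    if ($target -notmatch '^OU=') {
        throw "Resolved target '$target' is not an organizational unit; refusing a default container"
    }
    return $target
}

# The article's worked case: jsmith's OU and the DESKTOP template with two '../' steps.
$userOU = 'OU=Accounts,OU=Users,OU=US San Francisco,DC=F10,DC=LOCAL'
Resolve-AdceTargetOU -Template 'OU=Desktops,OU=Computers,../../<%usrPATH%>' -UserOUDN $userOU
```

For the user OU and template above the function returns the destination DN given in the example; a template with too many ../ steps throws instead of silently landing in DC=F10,DC=LOCAL. For a real account, obtain the OU DN by removing the leading CN= component from (Get-ADUser jsmith).DistinguishedName.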
- Log on to a domain computer with a domain account (your admin account) that has local administrative privileges on the workstation
- Ensure the SYNERGIX AD Client Extensions specific Group Policy settings were applied
- Launch RSOP.MSC or run GPRESULT.EXE /v to confirm
- Install SYNERGIX AD Client Extensions software
- Open the registry editor
- Navigate to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Synergix\ADCE\Account Attributes\Computer Account Attributes\Computer Object Location. You will find that a lastUpdate entry has been generated, which confirms that the configured feature was run by the AD Client Extensions software.
- If you need the feature to run before the default interval of 1,440 minutes has elapsed, delete the lastUpdate entry and wait about 1 minute for it to re-run. The lastUpdate registry entry will be created again.
- Launch Active Directory Users and Computers management console (dsa.msc)
- Navigate to the OU you have targeted in the GPO setting
- Confirm the domain computer object was moved to the proper OU.
- If the domain computer object is not found immediately, wait for the replication cycle to complete
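The registry and dsa.msc checks above can be scripted so the test is repeatable. The following PowerShell is an added example, not Synergix code. It assumes it runs elevated on the test workstation, that the RSAT ActiveDirectory module is available there, that the registry path is the one given above, and that -ExpectedOU is the destination DN configured in the GPO; Test-AdceComputerLocation is the example's own name. The -ForceRerun switch deletes lastUpdate exactly as described above and waits for the feature to re-run before checking where the computer object is.

```powershell
# Added example, not Synergix code: confirm the feature ran (lastUpdate present) and that the
# computer object now sits in the expected OU. Assumptions: elevated session, RSAT
# ActiveDirectory module, registry path as documented in the article.
Import-Module ActiveDirectory

$AdceKey = 'HKLM:\SOFTWARE\Synergix\ADCE\Account Attributes\Computer Account Attributes\Computer Object Location'

function Test-AdceComputerLocation {
    param([Parameter(Mandatory)][string]$ExpectedOU, [switch]$ForceRerun)

    if (-not (Test-Path $AdceKey)) {
        Write-Warning 'Registry key not found: is ADCE installed and the policy applied? (check RSOP.MSC or GPRESULT /V)'
        return $false
    }
    $key = Get-ItemProperty -Path $AdceKey
    if ($null -eq $key.lastUpdate) {
        Write-Warning 'lastUpdate not yet written: the feature has not run on this computer'
        return $false
    }
    Write-Host "Feature last ran: $($key.lastUpdate)"

    if ($ForceRerun) {
        # Same step as deleting the value in the registry editor; ADCE recreates it after the re-run.
        Remove-ItemProperty -Path $AdceKey -Name lastUpdate
        Write-Host 'Deleted lastUpdate; waiting 90 s for ADCE to re-run the feature'
        Start-Sleep -Seconds 90
    }

    # Ask AD where this computer object lives now and compare its parent with the expected OU.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    $parent = $computer.DistinguishedName -replace '^CN=[^,]+,', ''   # drop the leading CN= RDN
    if ($parent -eq $ExpectedOU) {
        Write-Host "OK: $($computer.Name) is in $parent"
        return $true
    }
    Write-Warning "Computer object is in '$parent', expected '$ExpectedOU' (allow for AD replication, then retry)"
    return $false
}

# Destination from the article's DESKTOP example.
Test-AdceComputerLocation -ExpectedOU 'OU=Desktops,OU=Computers,OU=US San Francisco,DC=F10,DC=LOCAL'
```

The DN comparison is case-insensitive, as PowerShell's -eq is by default, which matches how AD treats DNs. If the result is a replication warning, the computer may have been moved on a different domain controller than the one Get-ADComputer queried; re-run after the replication cycle described above.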
Test Results Submission
- Output of the GPRESULT.EXE /V command
Note: You must use the ADCE \ Help \ Submit Log Files button to zip up the above 3 files and submit them