January 21st, 2005

How Can I Find and Move an Active Directory Computer Account?

Hey, Scripting Guy! Question

Hey, Scripting Guy! I need to move a computer account from one OU to another; however, I don’t know which OU the computer account is currently in. Any advice?

— AA

Hey, Scripting Guy! Answer

Hey, AA. You know, one thing that marks all the great advice columns – Dear Abby; Ann Landers; Hey, Scripting Guy! – is the fact that, over time, these columns tend to give the same advice over and over. No matter how many times someone writes to Dear Abby complaining about problems with a neighbor, you know she’s never going to suggest that you burn down the guy’s house. The same is true with Ann Landers, and the same is true with Hey, Scripting Guy!

Well, OK: the same is true with Ann Landers.

The point is, we often give the same advice in response to a reader’s question, and today is no exception. So here goes: this is really a two-part problem, so let’s analyze the two parts separately. Oh, and this: one of the parts involves searching Active Directory. Yes, we know: how many times have you heard that? But it seems to be what works.

As you probably figured out, if one of the parts involves searching Active Directory, the other part must involve moving a computer account from one OU to another. Because this is so easy, let’s go ahead and address it first. Here’s a sample script that moves the computer atl-ws-01 from the Finance OU to the Research OU:

Set objOU = GetObject("LDAP://OU=Research,DC=fabrikam,DC=com")
intReturn = objOU.MoveHere _
    ("LDAP://CN=atl-ws-01,OU=Finance,DC=fabrikam,DC=com", vbNullString)

That’s right: just two lines of code. We bind to the new OU (the one we want to move the computer to). After binding to the OU, we call the MoveHere method, passing it two parameters: the ADsPath of the computer we want to move; and vbNullString, a VBScript constant equal to Null. Passing a Null as the second parameter tells the MoveHere method that we want the object to keep its current CN (atl-ws-01). Had we passed a different CN, not only would the computer have been moved, but it would have been renamed as well.

By the way, you don’t actually have to include the Null parameter; if there’s no second parameter MoveHere will assume the second parameter is Null. We show it here just so you know that MoveHere accepts two parameters.

Special bonus script: Suppose you do want to rename an Active Directory account. Well, then bind to the OU where the account currently lives, call the MoveHere method, and give the account a different CN. For example, this script renames the computer atl-ws-01, giving it the new name finance-ws-01:

Set objOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
intReturn = objOU.MoveHere _
    ("LDAP://CN=atl-ws-01,OU=Finance,DC=fabrikam,DC=com", "cn=finance-ws-01")

You’re right: we should charge extra for these bonus scripts, shouldn’t we?

Now that we know how to move a computer account all we have to do is figure out how to find that computer account. Here’s where we’ll use our Active Directory search script. This script searches Active Directory for the computer named atl-ws-01:

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results and search the entire subtree below the starting point
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='computer' " & _
    "AND name='atl-ws-01'"
Set objRecordSet = objCommand.Execute

' Echo the ADsPath of every matching computer account
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("ADsPath").Value
    objRecordSet.MoveNext
Loop

The preceding script merely echoes the ADsPath of the computer. That’s nice, but as long as we have the ADsPath we can go ahead and move the computer account to a different OU. (Remember, unless we’re renaming the computer, ADsPath is the only parameter we need to pass to the MoveHere method.) So here’s a revised script that tracks down the computer atl-ws-01 and then moves it from the Finance OU to the Research OU:

On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results and search the entire subtree below the starting point
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='computer' " & _
    "AND name='atl-ws-01'"
Set objRecordSet = objCommand.Execute

' Move every matching computer account into the Research OU, keeping its CN
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    Set objOU = GetObject("LDAP://OU=Research,DC=fabrikam,DC=com")
    intReturn = objOU.MoveHere(strADsPath, vbNullString)
    objRecordSet.MoveNext
Loop

Just that easy, just that quick.
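Because the script above runs under On Error Resume Next, a search that finds nothing or a move that is refused produces no output, and a computer's OU determines which Group Policy objects apply to it. The following variant is an added example, not part of the original column: it moves the account only when the search returns exactly one match and reports any error from MoveHere. The constants COMPUTER_NAME and TARGET_OU are names introduced here for illustration; their values are the ones used in the article.

```vbscript
Option Explicit

Const ADS_SCOPE_SUBTREE = 2
Const COMPUTER_NAME = "atl-ws-01"                          ' computer name from the article
Const TARGET_OU = "LDAP://OU=Research,DC=fabrikam,DC=com"  ' destination OU from the article

Dim objConnection, objCommand, objRecordSet, objOU
Dim strADsPath, intMatches

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='computer' " & _
    "AND name='" & COMPUTER_NAME & "'"
Set objRecordSet = objCommand.Execute

' Count the matches first; an empty recordset starts at EOF, so no MoveFirst is needed.
intMatches = 0
Do Until objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    intMatches = intMatches + 1
    objRecordSet.MoveNext
Loop

' Refuse to act on a missing or ambiguous result.
If intMatches <> 1 Then
    WScript.Echo "Expected exactly 1 match for " & COMPUTER_NAME & _
        ", found " & intMatches & "; nothing moved."
    WScript.Quit 1
End If

' Trap errors only around the move so a failure (access denied, bad OU path) is reported.
Set objOU = GetObject(TARGET_OU)
On Error Resume Next
objOU.MoveHere strADsPath, vbNullString
If Err.Number <> 0 Then
    WScript.Echo "Move failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Moved " & strADsPath & " into " & TARGET_OU
```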

Incidentally, we know we didn’t explain how the Active Directory searching part works; for more information about using scripts to search Active Directory, check out this Scripting Guys webcast.

Tomorrow: Burning down the neighbor’s house.

No, wait, don’t burn down anyone’s house: we’re just kidding about that. Maybe we’ll just stick to scripting advice from now on ….
