Tuesday, October 19, 2010

6-1/2 Ways to Automate Computer/OU Assignments

One thing a consultant quickly comes to realize is that there is no “one-size-fits-all” solution to most things.  Having stepped in and out of many full-time and contract environments, I’ve seen a variety of situations which add new challenges to automating things. I try to boil down recipe lists for various scenarios to help adjust my sights more quickly.  In this episode we cover a few ways to approach the task of automating the relocation of Active Directory computer accounts into designated Organizational Units (OU’s) based on various aspects of the computer or user or subnet, etc.

Method 1: Parse Computer Name

  • Run a script (scheduled task) against AD to read computer names, parse names for standard string codes that denote function or location and use that to move the account object to the appropriate OU
  • (easiest method)
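As an added example (not from the original post), here is what Method 1 looks like as a scheduled-task script in PowerShell with the ActiveDirectory module. The naming standard (`SITE-ROLE-NNNN`), the site codes, the OU distinguished names and the log path are all assumptions; substitute your own. Names that do not parse, or whose site code is not in the table, are logged and left where they are rather than guessed, and `-WhatIf` gives you a dry run before the first real pass.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): Method 1, placing computer accounts
# by parsing the computer name. Assumes a naming standard of <SITE>-<ROLE>-<NNNN>,
# e.g. NYC-WKS-0042. Site codes, OU DNs and the log path are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'CN=Computers,DC=corp,DC=example',  # where new accounts land
    [string]$LogPath    = "$env:ProgramData\OUSort\method1.log"
)

# Site code -> destination OU. Codes not in this table are never moved.
$SiteToOU = @{
    'NYC' = 'OU=Workstations,OU=NewYork,DC=corp,DC=example'
    'LAX' = 'OU=Workstations,OU=LosAngeles,DC=corp,DC=example'
    'CHI' = 'OU=Workstations,OU=Chicago,DC=corp,DC=example'
}

# Hypothetical naming standard: 3-letter site, 3-letter role, 3-5 digit sequence.
$NamePattern = '^(?<site>[A-Z]{3})-(?<role>[A-Z]{3})-(?<seq>\d{3,5})$'

function Get-TargetOU {
    # Returns the OU DN for a name that follows the standard, otherwise $null.
    param([Parameter(Mandatory)][string]$ComputerName)
    if ($ComputerName.ToUpper() -notmatch $NamePattern) { return $null }
    $site = $Matches['site']
    if ($SiteToOU.ContainsKey($site)) { return $SiteToOU[$site] }
    return $null
}

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogPath
}

New-Item -ItemType Directory -Path (Split-Path -Parent $LogPath) -Force | Out-Null

Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope OneLevel |
    ForEach-Object {
        $target = Get-TargetOU -ComputerName $_.Name
        if (-not $target) {
            Write-Log "SKIP $($_.Name): name does not match the standard or site code is unknown"
            return   # next computer
        }
        # Already in the right OU: the DN is "CN=<name>,<target>".
        if ($_.DistinguishedName -like "CN=*,$target") { return }
        if ($PSCmdlet.ShouldProcess($_.Name, "Move to $target")) {
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $target
            Write-Log "MOVE $($_.Name) -> $target"
        }
    }
```

Run it once with `-WhatIf` and read the log before scheduling it; the scheduled task account needs only "Create/Delete Computer objects" on the source container and the destination OUs, not domain admin.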

Method 2a:  Remote WMI Query

  • Run a script (scheduled task) against AD to read computer names, connect to the remote WMI (CIM) instance on each computer, read a desired property, use that to move the account object to the appropriate OU
  • (works best with desktops and servers. Not so well with transient laptops, mobile devices)

Method 2b:  WMI Query (Local)

  • Use login script to run local WMI query, save data to file, upload file to network share
  • Run a script (scheduled task) against network share to read files and move accounts to appropriate OUs
  • (works best with transient laptops, when AD names can’t be parsed)

Method 3:  User-Based with Description Tag

  • Assign AD description tags by username or user employee number, etc.
  • Run script against AD to read descriptions and move account object to appropriate OU
  • (works best when AD names can’t be parsed, users are assigned to computers, but are not collocated in one area)

Method 4a: User-Based without Description Tag

  • Use login script to capture computer name and user ID at logon, save to file, upload file to network share
  • Run a script (scheduled task) against network share to read files and move account to appropriate OU
  • (works best for intermittently connected machines such as laptops, and when computers aren’t collocated with the same users and neither AD names nor subnets can be used)

Method 4b: Subnet Based

  • Use login or startup script to capture IP address, parse IP for subnet and send data via file to network share (computername, IP and subnet)
  • Run a script (scheduled task) against network share to read files and move account to appropriate OU
  • (works when AD names can’t be parsed and users change but machines don’t move around.  Much easier if using a flat subnet model (e.g. “class C”))
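Methods 2b, 4a and 4b all share one mechanism: a logon script pushes a small record to a network share, and a scheduled task later reads the share and moves accounts. The added example below (not from the original post; PowerShell 3.0+ assumed for `Get-CimInstance`) shows both halves in one file. Part 1 is the logon-script side and records the computer name and user (4a), the IPv4 address and its /24 subnet (4b), and a local WMI property, the hardware model (2b). Part 2 is the collector. Because every user who can log on can write to that share, the collector treats each file as untrusted input: it validates the computer name, checks that it matches the file name, rejects stale records, and only ever moves accounts into OUs from its own tables. The share path, OU names, subnet table and model patterns are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): the "push" pattern shared by
# Methods 2b, 4a and 4b. Part 1 runs in the user logon script on each client
# (PowerShell 3.0+ for Get-CimInstance) and drops one record on a share; Part 2
# runs as a scheduled task on a management host and moves the accounts.
# Share path, OU DNs, subnet table and model patterns are placeholders.

$DropShare = '\\fileserver\ousort$'   # hypothetical; users: write only, collector: read/delete

# ---- Part 1: logon script (runs as the user, on the client) ------------------
function Write-InventoryRecord {
    param([string]$Share = $DropShare)

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem                     # Method 2b
    # Take the IPv4 address of the adapter that has a default gateway, i.e. the one in use.
    $nic = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
           Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
    $ip  = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })[0]

    $record = [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME                        # Method 4a
        UserName     = $env:USERNAME                            # Method 4a
        IPAddress    = $ip                                      # Method 4b
        Subnet       = ($ip -replace '\.\d{1,3}$', '.0')        # flat /24 ("class C") model, as the post assumes
        Model        = $cs.Model                                # Method 2b
        Collected    = (Get-Date -Format s)
    }
    # One file per computer. The file name is only a hint; the collector re-validates it.
    $record | Export-Csv -Path (Join-Path $Share "$env:COMPUTERNAME.csv") -NoTypeInformation -Force
}

# ---- Part 2: collector (scheduled task, account may move computer objects) ----
$SubnetToOU = @{
    '10.10.1.0' = 'OU=Computers,OU=NewYork,DC=corp,DC=example'
    '10.20.1.0' = 'OU=Computers,OU=LosAngeles,DC=corp,DC=example'
}
$LaptopOU = 'OU=Laptops,DC=corp,DC=example'

function Resolve-TargetOU {
    param([Parameter(Mandatory)]$Record)
    # Laptops (by model, Method 2b) go to the laptop OU wherever they logged on;
    # everything else is placed by subnet (Method 4b). Unknown -> $null, no move.
    if ($Record.Model -match 'Latitude|ThinkPad|EliteBook') { return $LaptopOU }
    if ($SubnetToOU.ContainsKey($Record.Subnet)) { return $SubnetToOU[$Record.Subnet] }
    return $null
}

function Invoke-OUCollector {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Share = $DropShare, [int]$MaxAgeDays = 30)

    Get-ChildItem -Path $Share -Filter '*.csv' | ForEach-Object {
        $file = $_
        $rec  = Import-Csv -Path $file.FullName | Select-Object -First 1

        # Anyone who can log on can write here, so every field is untrusted input.
        # The name check also keeps the value safe to splice into the AD filter below.
        $collected = [datetime]::MinValue
        $valid = $rec -and
                 $rec.ComputerName -match '^[A-Za-z0-9-]{1,15}$' -and
                 $rec.ComputerName -eq $file.BaseName -and
                 $rec.Subnet -match '^\d{1,3}(\.\d{1,3}){3}$' -and
                 [datetime]::TryParse($rec.Collected, [ref]$collected) -and
                 $collected -gt (Get-Date).AddDays(-$MaxAgeDays)
        if (-not $valid) { Write-Warning "Rejecting $($file.Name): malformed or stale"; return }

        $computer = Get-ADComputer -Filter "Name -eq '$($rec.ComputerName)'"
        if (-not $computer) { Write-Warning "No AD account for $($rec.ComputerName)"; return }

        $target = Resolve-TargetOU -Record $rec
        if (-not $target) { return }
        if ($computer.DistinguishedName -like "CN=*,$target") { return }   # already there

        if ($PSCmdlet.ShouldProcess($computer.Name, "Move to $target")) {
            Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target
            Remove-Item -Path $file.FullName   # processed; the next logon writes a fresh one
        }
    }
}
```

Since an OU move changes which Group Policy a machine receives, the validation in Part 2 is the point of the design: the record only ever selects from an administrator-maintained table, so a crafted file can at worst place a machine in one of the OUs you already intended to use.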

Method 5:  Sentinel Based

  • Seed computers with arbitrary registry keys or files
  • Run a script (scheduled task) against computers to read registry or files, move account to appropriate OU
  • (works best when all other options can’t be used)
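Methods 2a and 5 are the "pull" variants: a management host reaches out to each machine, reads something (a WMI property, or a seeded registry value) and moves the account accordingly. They fit one script, shown below as an added example that is not part of the original post. It prefers an explicit registry sentinel when one is present, falls back to classifying the machine by chassis type from `Win32_SystemEnclosure`, and leaves unreachable machines (the transient laptops the post warns about) for the next run. Because the sentinel is written on the client, the script only honours a sentinel that names one of its own allowed OUs. The sentinel key, OU names and chassis table are assumptions; the default CIM transport is WSMan, so WinRM must be enabled on the clients (or switch the session to DCOM with `New-CimSessionOption`).

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): the "pull" variants, Method 2a
# (remote WMI/CIM query) and Method 5 (registry sentinel). Runs from a
# management host as an account that can query CIM on the clients and move
# computer objects. OU DNs, the sentinel key and the chassis table are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase   = 'CN=Computers,DC=corp,DC=example',
    [string]$SentinelKey  = 'SOFTWARE\Contoso\OUSort',   # hypothetical; seeded by GPO or imaging
    [string]$SentinelName = 'TargetOU',
    [int]$TimeoutSec      = 15
)

$HKLM = [uint32]2147483650   # 0x80000002: StdRegProv handle for HKEY_LOCAL_MACHINE

# Chassis class -> OU (Method 2a).
$ChassisToOU = @{
    Desktop = 'OU=Desktops,DC=corp,DC=example'
    Laptop  = 'OU=Laptops,DC=corp,DC=example'
    Server  = 'OU=Servers,DC=corp,DC=example'
}
# A sentinel is written on the client, so it may only name one of these OUs;
# a machine must not be able to nominate itself into an arbitrary OU.
$AllowedSentinelOUs = @($ChassisToOU.Values)

function Get-ChassisClass {
    # Maps SMBIOS chassis type codes (Win32_SystemEnclosure.ChassisTypes) to a class.
    # Portable codes are checked first because a docked laptop can report both.
    param([uint16[]]$Types)
    foreach ($t in $Types) { if ($t -in 8,9,10,11,12,14,30,31,32)   { return 'Laptop' } }
    foreach ($t in $Types) { if ($t -in 17,23,25,28)                 { return 'Server' } }
    foreach ($t in $Types) { if ($t -in 3,4,5,6,7,13,15,16,24,35,36) { return 'Desktop' } }
    return $null
}

function Get-RemoteTargetOU {
    # Returns @{ Status; OU }. OU is $null when the machine is unreachable or unclassified.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        $session = New-CimSession -ComputerName $ComputerName -OperationTimeoutSec $TimeoutSec -ErrorAction Stop
    } catch {
        return @{ Status = 'Unreachable'; OU = $null }     # laptop off the network: retry next run
    }
    try {
        # Method 5: an explicit sentinel wins, if it names an allowed OU.
        $reg = Invoke-CimMethod -CimSession $session -Namespace root/default -ClassName StdRegProv `
                 -MethodName GetStringValue -ErrorAction Stop `
                 -Arguments @{ hDefKey = $HKLM; sSubKeyName = $SentinelKey; sValueName = $SentinelName }
        if ($reg.ReturnValue -eq 0 -and $reg.sValue -in $AllowedSentinelOUs) {
            return @{ Status = 'Sentinel'; OU = $reg.sValue }
        }
        # Method 2a: otherwise classify by hardware.
        $enc   = Get-CimInstance -CimSession $session -ClassName Win32_SystemEnclosure -ErrorAction Stop
        $class = Get-ChassisClass -Types $enc.ChassisTypes
        if ($class) { return @{ Status = 'Chassis'; OU = $ChassisToOU[$class] } }
        return @{ Status = 'Unclassified'; OU = $null }
    } catch {
        return @{ Status = "Error: $($_.Exception.Message)"; OU = $null }
    } finally {
        Remove-CimSession -CimSession $session
    }
}

Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope OneLevel -Properties DNSHostName |
    ForEach-Object {
        $hostName = if ($_.DNSHostName) { $_.DNSHostName } else { $_.Name }
        $result   = Get-RemoteTargetOU -ComputerName $hostName
        if (-not $result.OU) {
            Write-Verbose "$($_.Name): $($result.Status), left in place"
            return
        }
        if ($_.DistinguishedName -like "CN=*,$($result.OU)") { return }   # already there
        if ($PSCmdlet.ShouldProcess($_.Name, "Move to $($result.OU) [$($result.Status)]")) {
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $result.OU
        }
    }
```

Run with `-Verbose -WhatIf` to see which machines were unreachable or unclassified on a given pass; a high "Unreachable" count is the signal that one of the push methods (2b, 4a, 4b) is the better fit for that population.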

I’m sure if you consume enough caffeine and listen to crazy music, you can come up with additional methods and combinations as well.
