Creating user objects in different OU


Petar

I'm using pGina software to authenticate students in the lab using Radius. Upon
successful authentication pGina creates a user account in Win2003 AD; the user
object has description 'Radius User' and is created in the 'Users' OU. I would
like to automatically create such users in the 'Students/Lab' OU so I can apply
some specific GPOs to those users.

My question is: can I somehow automatically create user objects with
'Radius Users' description in the different OU, or move them there upon
creation?

I can automatically make those users member of a group, but I can't apply
GPOs to the group members, or can I?
 

Richard Mueller

Petar wrote:
I'm using pGina software to authenticate students in the lab using Radius. Upon
successful authentication pGina creates a user account in Win2003 AD; the user
object has description 'Radius User' and is created in the 'Users' OU. I would
like to automatically create such users in the 'Students/Lab' OU so I can apply
some specific GPOs to those users.

My question is: can I somehow automatically create user objects with
'Radius Users' description in the different OU, or move them there upon
creation?

I can automatically make those users member of a group, but I can't apply
GPOs to the group members, or can I?

Hi,

One solution might be to periodically run a script that moves all user
objects from the Users container to the Student/Lab OU. The script would
bind to the Users container, filter on User objects, bind to the OU object,
enumerate the users in the container, and invoke the MoveHere method of the
OU object to move the user objects into the OU. Of course, a number of
default user objects are created in the Users containers (like Guest), so
you might need to make sure you do not move those. Group membership could
help with that, if all of the users to be moved are members of a group.
Otherwise, if the new users have "Radius Users" in the description, that
could be used. A quick VBScript example:
====================
Option Explicit

Dim objOU, objContainer, objUser

' Bind to OU object. If the common name has a forward slash character,
' this must be escaped with a backslash.
Set objOU = GetObject("LDAP://ou=Students\/Lab,dc=MyDomain,dc=com")

' Bind to Users container.
Set objContainer = GetObject("LDAP://cn=Users,dc=MyDomain,dc=com")

' Filter on objects of class user in the Users container.
' This will include computer objects, so further tests may be
' required to eliminate computers.
objContainer.Filter = Array("user")

' Enumerate user objects in container.
For Each objUser In objContainer
    ' Make sure we don't move computer accounts.
    If (objUser.Class = "user") Then
        ' Only deal with accounts with "Radius Users" in description.
        If (InStr(objUser.description, "Radius Users") > 0) Then
            ' Move the object into the OU.
            objOU.MoveHere objUser.AdsPath, vbNullString
        End If
    End If
Next
====================
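The same move done from PowerShell against System.DirectoryServices, as an added example that is not from the thread, from pGina or from Richard's script. The DNs, the 'Radius User' description prefix and the nested OU layout are assumptions; the description test is done server-side in the LDAP filter, so Guest and the other default accounts in CN=Users are never candidates and a run with nothing to move is a single cheap search.

```powershell
# Added example (not from the thread): the VBScript above rewritten against
# System.DirectoryServices. DNs, the description prefix and the OU layout are
# assumptions; adjust them for your domain. Run with -WhatIf first.
param(
    [string]$SourceDn = "CN=Users,DC=MyDomain,DC=com",
    # A nested OU is assumed here. If the OU is literally named "Students/Lab",
    # escape the slash in the ADsPath as Richard does: "OU=Students\/Lab,...".
    [string]$TargetDn = "OU=Lab,OU=Students,DC=MyDomain,DC=com",
    [string]$Marker   = "Radius User",
    [switch]$WhatIf
)
Add-Type -AssemblyName System.DirectoryServices

$source = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SourceDn")
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetDn")

# objectCategory=person excludes computer accounts, which are also objectClass=user
# (the reason the VBScript has to test objUser.Class). Matching the description
# server-side means Guest and the other default accounts are never candidates,
# and a run with nothing to move costs one LDAP search and nothing else.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($source)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(description=$Marker*))"
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
$searcher.PageSize    = 500
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

$moved = 0
foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["samaccountname"][0]
    if ($WhatIf) {
        Write-Host "Would move $name to $TargetDn"
        continue
    }
    try {
        # DirectoryEntry.MoveTo is the .NET counterpart of IADsContainer.MoveHere.
        $result.GetDirectoryEntry().MoveTo($target)
        $moved++
        Write-Host "Moved $name to $TargetDn"
    } catch {
        Write-Warning "Could not move $name : $_"
    }
}
Write-Host "$moved account(s) moved from $SourceDn"
```

Schedule it under an account that is delegated only the right to move users out of CN=Users into the target OU, not a domain admin. The moved user picks up the new OU's GPOs only at the next logon or policy refresh, so the timing concern about logon-time settings such as mapped drives still applies.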
 

Joe Richards [MVP]

The software needs to be smart enough to do that.

The only redirection you can do outside of the software is to redirect ALL users
created with the NET API to another OU, that would impact ALL users created that
way, not just the IDs with certain names. Now if all of your users besides these
are normally created ok and in the right places, then you could get away with
the redirection.

This requires Windows Server 2003 AD...

http://support.microsoft.com/default.aspx?scid=kb;en-us;324949


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 

Petar

One solution might be to periodically run a script that moves all user
objects from the Users container to the Student/Lab OU. The script would
bind to the Users container, filter on User objects, bind to the OU object,
enumerate the users in the container, and invoke the MoveHere method of the
OU object to move the user objects into the OU. Of course, a number of
default user objects are created in the Users containers (like Guest), so
you might need to make sure you do not move those. Group membership could
help with that, if all of the users to be moved are members of a group.
Otherwise, if the new users have "Radius Users" in the description, that
could be used. A quick VBScript example:

Thanks for the script, but now... how often should I call it? Every minute,
every few seconds? I think it would make an unnecessary load on the
server...

Besides that, I use GPOs to map disks, tune IE etc, so I need GPOs to be
applied right after login.

In any case, thanks for the answer :)
 

Petar

The software needs to be smart enough to do that.

Well, it's not :(
The only redirection you can do outside of the software is to redirect ALL users
created with the NET API to another OU, that would impact ALL users created that
way, not just the IDs with certain names. Now if all of your users besides these
are normally created ok and in the right places, then you could get away with
the redirection.

Hm, this sounds very interesting, I'll definitely give it a try!
 

Brandon McCombs

Petar said:
Thanks for the script, but now... how often should I call it? Every minute,
every few seconds?

Only you can answer that based on how often the accounts are created and
how soon afterward the account will be used. If the account is created
upon authentication and only for the first authentication then it will
depend on how often you get new users.

Petar said:
I think it would make an unnecessary load on the server...

If there is nothing to move then there is nothing to do so what load
would there be?
 

mseward

Joe said:
The software needs to be smart enough to do that.

The only redirection you can do outside of the software is to redirect ALL users
created with the NET API to another OU, that would impact ALL users created that
way, not just the IDs with certain names. Now if all of your users besides these
are normally created ok and in the right places, then you could get away with
the redirection.

This requires Windows Server 2003 AD...

http://tinyurl.com/uq0e



Is there an actual API for Active Directory or a development tool kit?
I've done some searching but nothing really jumps out on MSFT.com. I need
to do some integration work that would pull out OU info.

Thanks in advance...
 

Joe Richards [MVP]

There is an AD API and an LDAP API. There are also a couple of other APIs such
as DirectoryServices, ADSI, and DSML Services.

The AD API is about replication and metadata, etc. The LDAP API is about
accessing the directory itself. The rest are just leveraging things available
through those two.

Start here

http://msdn.microsoft.com/library/d...portal/dsportal/directory_services_portal.asp




--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
