Tuesday, April 17, 2007

SBS: Are you redirecting the location of newly created computer objects?

Note: This isn’t specific to SBS, but larger organizations tend to already have processes in place to handle this.

Short answer – use “redircmp.exe” for all of your SBS installs.
Need reasons? Read on…

So, by default when new computers get added to the domain, they get created in the Computers container. And it might be okay that they get dumped there because it forces someone to do something with it. Assuming you’re the only one managing it, you won’t forget, right? Oh, you might? What about your other netadmins, will they forget? Maybe so.

Simplify and automate…

That’s why we have Active Directory anyway, right? Well, that and to scale nicely – but doing stuff is a big part of it. So if you have computers piling up in that Computers container (by now you should have opened up ADUC), then you know for a fact that they don’t get any GPOs applied. And if dozens of boxes – for that matter, if even a few boxes – have been added without following the correct process, then at best you have some confusion. Worst-case, you have boxes that aren’t getting updates distributed via WSUS (or some similar fate).

Fortunately, there’s a tool for this called “redircmp.exe”. What is it? How do you use it? Is it safe for SBS? Don’t want to read the KB article? Well, it’s just what it sounds like – a tool for redirecting the default location of newly created computer objects (there’s a “redirusr.exe” too, which does the same for users). The first step is probably to consider building onto the OU design of SBS. No, I’m not talking about changes to the SBS-ized stuff… we tend to build out beneath the default OU structure for customization. Why? Well, it reduces risk – it helps us to enable our clients to do a bit of self-management sometimes – and it keeps team members from making big mistakes. But the main reason is that you probably want something that makes sense for your circumstances and your client. The hierarchy should fit the business need.

As far as how to use it, there’s not much to it… from the SBS server just run it and it gives you the usage. Otherwise, here’s something that might make sense for you… obviously this is a sample based loosely on the SBS hierarchy.

redircmp ou=WSUSMasterOU,ou=SBSComputers,ou=Computers,ou=MyBusiness,dc=domain,dc=local

It should respond with “Redirection was successful.” If it said something else, check this KB article. Now go ahead and test it. Fire up Virtual PC with a base-image, add it to the domain, and refresh the OU in ADUC. It should show up down in the WSUSMasterOU (or whatever is appropriate for you). Depending on how much automation you want, this might be enough. At the very least, you're a step in the right direction – and if someone is forgetting to move it down further into the right OU, or add it to the right group, then at least you’ve got a base level of GPOs being applied.
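
A read-only way to check the result described above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is available on the machine you run it from; it reports where new computer accounts will be created and lists any accounts still sitting in the default Computers container, since redirection only affects accounts created afterwards.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (RSAT) is installed. Read-only: nothing is moved or modified.
Import-Module ActiveDirectory

$domain           = Get-ADDomain
$defaultContainer = "CN=Computers,$($domain.DistinguishedName)"

# ComputersContainer is the location where newly joined computers are created;
# this is the setting that redircmp changes.
if ($domain.ComputersContainer -eq $defaultContainer) {
    Write-Warning "New computers still land in $defaultContainer (no redirection set)."
} else {
    Write-Output "New computers are redirected to: $($domain.ComputersContainer)"
}

# Accounts created before the redirect (or moved back by hand) stay where they
# are, so list whatever is still directly inside the default container.
$stragglers = @(
    Get-ADComputer -Filter * -SearchBase $defaultContainer -SearchScope OneLevel `
                   -Properties whenCreated |
        Sort-Object whenCreated
)

if ($stragglers.Count -eq 0) {
    Write-Output "No computer accounts remain in $defaultContainer."
} else {
    Write-Warning "$($stragglers.Count) computer account(s) remain in ${defaultContainer}:"
    $stragglers | Format-Table Name, whenCreated, DistinguishedName -AutoSize
}
```

Run it once right after redircmp and again on a schedule; a non-empty list means someone still needs to move those machines into an OU where your policies are linked.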
