MDT 2013: Moving Computers Into Correct OU on AD Join
When joining a computer to Active Directory (AD) using MDT, you really don’t get too many options.
On a fresh install, where the computer AD object doesn’t exist, it will place the computer AD object into the default “Computers” OU or the OU you designate.
What happens when you try to join a computer using MDT when the AD object already exists? It will re-use the AD object and leave it right where it is, no matter where you told it to be placed.
While this is not ideal, it works, and forces you to deal with “Not Cleaning Up AD Like You Should Have!”.
That’s okay, I’m a little lazy too. Here’s an easy way to ensure your task sequence does the work for you.
Step 1:
Create a PowerShell script file in the %ScriptRoot% (DeploymentShare\Scripts\) folder (e.g. D:\DeploymentShare\Scripts\).
Script Name: MoveToOU.ps1
Script Contents:
# Move this computer's AD object to the OU supplied as the first argument.
# Place this script in the %ScriptRoot% (DeploymentShare\Scripts\) folder.
# Example command line:
#   Powershell.exe -NoProfile -ExecutionPolicy bypass -file MoveToOU.ps1 "%MachineObjectOU%"
$OU = $args[0]
try {
    # Find the computer object by sAMAccountName (computer accounts end with "$")
    $CompDN = ([ADSISEARCHER]"sAMAccountName=$($env:COMPUTERNAME)$").FindOne().Path
    $CompObj = [ADSI]"$CompDN"
    # Move the object into the target OU
    $CompObj.psbase.MoveTo([ADSI]"LDAP://$($OU)")
} catch {
    # Print the error and return a non-zero exit code so the task sequence step fails
    $_.Exception.Message
    Exit 1
}
As this script will be in the %ScriptRoot% folder, you will need to perform an Update Deployment Share to include it in the WinPE WIM image so it becomes available during imaging.
- Right click on your deployment share and choose Update Deployment Share, and then select Completely regenerate the boot images.
- Click Next twice and it will begin (re)creating the deployment WIM files.
- When completed, click Finish.
- Import the updated LiteTouch WIM files into the WDS Boot Images.
Step 2:
In your Task Sequence, add a New Group under State Restore. I called mine “Custom Tasks OS”.
Step 3:
- Under the new group you just added, add a Run Command Line.
Name: Move to Correct OU
Command line: Powershell.exe -NoProfile -ExecutionPolicy bypass -file %ScriptRoot%\MoveToOU.ps1 "%MachineObjectOU%"
- Put a check in: Run this step as the following account
- Click Set… and enter the domain username and password of an account that has AD read/write permissions to the OUs you want to move the computers into.
♦ In a pinch, a Domain Admin account will work; however, that’s overkill and a BIG security risk, because the password for this account is stored in plain text in the “ts.xml” file.
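As an added example (not from the original post), here is a more defensive variant of the Step 1 script that takes the same command line: it fails with a non-zero exit code if no OU was passed, if the target OU does not exist, or if no computer object is found, and it does nothing if the object is already in the target OU. The OU distinguished name shown in the comment is a placeholder.

```powershell
# MoveToOU.ps1 (defensive variant, added example). Usage from the task sequence:
#   Powershell.exe -NoProfile -ExecutionPolicy bypass -file MoveToOU.ps1 "%MachineObjectOU%"
# $OU is a distinguished name, e.g. "OU=Workstations,DC=example,DC=com" (placeholder).
param([string]$OU)

function Get-ParentDN([string]$DistinguishedName) {
    # Drop the leading RDN ("CN=HOST01,") to get the container the object lives in.
    return ($DistinguishedName -replace '^[^,]+,', '')
}

if ([string]::IsNullOrWhiteSpace($OU)) {
    Write-Output "No OU supplied; check that %MachineObjectOU% is set."
    Exit 1
}

try {
    # Verify the target OU exists before touching the computer object.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$OU")) {
        throw "Target OU '$OU' was not found in the directory."
    }
    $Target = [ADSI]"LDAP://$OU"

    # Locate this computer's object; computer sAMAccountNames end with "$".
    $Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)$))"
    $Result = ([ADSISEARCHER]$Filter).FindOne()
    if (-not $Result) {
        throw "No computer object found for $($env:COMPUTERNAME)."
    }

    $CompObj   = [ADSI]$Result.Path
    $CurrentDN = [string]$CompObj.distinguishedName
    $CurrentOU = Get-ParentDN $CurrentDN

    # Idempotent: re-running the step on a machine already in place is not an error.
    if ($CurrentOU -ieq $OU) {
        Write-Output "$CurrentDN is already in $OU; nothing to do."
        Exit 0
    }

    Write-Output "Moving $CurrentDN to $OU"
    $CompObj.psbase.MoveTo($Target)
    Exit 0
}
catch {
    # Surface the reason and fail the step so the problem is visible in the deployment summary.
    Write-Output "MoveToOU failed: $($_.Exception.Message)"
    Exit 1
}
```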
That’s it, enjoy!