Having trouble with script/running dsmove.exe

Discussion in 'Active Directory' started by Vince, Jul 21, 2008.

  1. Vince

    Vince Guest

    I am trying to create a script to move computer accounts to different OUs
    based on the AD site. I found a script that I am adapting for this purpose,
    and the script functions by running dsmove.exe from
    \\domain\sysvol\domain\scripts. Our domain name is tvusd.k12.ca.us (school
    district). For some reason I cannot run dsmove.exe from there on any machine
    I've tried; however, I *can* launch another test executable. Here's an
    example (I get the same results from any system I test on, server or
    workstation):

    From a cmd prompt:
    \\tvusd.k12.ca.us\sysvol\tvusd.k12.ca.us\scripts\tcpview.exe
    Result: SysInternals TCPView launches.

    From a cmd prompt: \\tvusd.k12.ca.us\sysvol\tvusd.k12.ca.us\scripts\dsmove.exe
    Result: no output, just goes to a new prompt.
    Expected: With no options, dsmove.exe should provide a help screen. If I
    copy it local and run it I get the expected behavior.

    Why can't I run this program from the scripts directory when accessing via
    the domain name? Is there a better way to do this via a script than running
    dsmove?
     
    Vince, Jul 21, 2008
    #1

  2. Hello Vince,

    Do you run it as a startup script or logon script? What OS are the DC's and
    clients? Can you post the script here?

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jul 21, 2008
    #2

  3. Vince

    Vince Guest

    The idea was to run it as a logon script (haven't gotten that far though). DC
    is Windows 2008 and clients are Windows Vista, XP, and 2000. Here's the
    script (it's still a work in progress though - for instance, it doesn't yet
    include all our sites):
    --------------------------------------
    ' This script reads the current AD site and moves the computer account to the appropriate OU for that site.
    ' This script accepts Credentials from command-line.
    ' Usage with GPO:
    ' Scripts / LogonScript / scriptName -> scriptname.vbs
    ' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
    ' (this user does not have to be a member of Domain Admins, you can just delegate control over the OU's to it.)

    'Gather information about computer account and AD site
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN = objSysInfo.ComputerName
    strComputerRDN = split(strComputerDN,",")(0)
    strCurrentOU = Replace(strComputerDN, strComputerRDN & ",","")
    strCurrentSite = UCase(objSysInfo.SiteName)

    'tool
    pathDSMOVE = "\\tvusd.k12.ca.us\sysvol\tvusd.k12.ca.us\scripts\dsmove.exe"

    'Alternate Credentials
    Set Named = WScript.Arguments.Named 'Read script parameters
    strUser = Empty
    strSecret = Empty
    If Named.Exists("u") Then
        strUser = Named.Item("u")
        If Named.Exists("p") Then _
            strSecret = Named.Item("p")
    End If
    altCredentials = " -u """ & strUser & """ -p """ & strSecret & """"

    'variables
    strSiteName0 = UCase("TemeculaValleyUSD")
    strSiteName1 = UCase("HS-TemeculaValley")

    'conditional run
    If (strCurrentSite = strSiteName0) Then
        strNewOU = "OU=Computers,OU=District Office,DC=tvusd,DC=k12,DC=ca,DC=us"
        If Not UCase(strCurrentOU) = UCase(strNewOU) Then
            Call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
        End If
    ElseIf (strCurrentSite = strSiteName1) Then
        strNewOU = "OU=Computers,OU=Temecula Valley HS,OU=Secondary Schools,DC=tvusd,DC=k12,DC=ca,DC=us"
        If Not UCase(strCurrentOU) = UCase(strNewOU) Then
            Call MoveObject(pathDSMOVE, strComputerDN, strNewOU, altCredentials)
        End If
    End If

    'Build the dsmove command line and run it hidden, waiting for it to finish
    Sub MoveObject(pathDsmove, strComputerDN, targetOU, credentials)
        With WScript.CreateObject("WScript.Shell")
            strCommand = pathDsmove & " """ & strComputerDN & """ " _
                & "-newparent """ & targetOU & """ " _
                & credentials
            .Run "%comspec% /c @call " & strCommand,0,True
        End With
    End Sub
    --------------------------------------
     
    Vince, Jul 21, 2008
    #3
  4. Hello Vince,

    I am not that kind of scripting expert. I think to move the computer object
    in AD you have to use a dedicated account that has the right to do the needed
    steps. What happens if you copy dsmove and the script to the local machine
    and run it from there with a domain admin account? So you can check if the
    script is ok and does what it should do.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, Jul 21, 2008
    #4
  5. Vince

    Vince Guest

    Well, I gave up on getting dsmove to work - I think there's a problem due to
    the length of our FQDN. Instead I wrote a script that handles the move
    internally, and allows credentials to be passed via command line arguments. I
    have this script assigned as a startup script in my Default Domain Policy,
    using the username/pass of a user with rights to move computer accounts in
    the tree (and nothing else).

    Here's the script in case it will help anyone else:
    -------------------------------------------------------------
    ' This script reads the current AD site and moves the computer account to the appropriate OU for that site.
    ' This script accepts Credentials from command-line.
    ' Usage with GPO:
    ' Scripts / LogonScript / scriptName -> scriptname.vbs
    ' Scripts / LogonScript / ScriptParameters -> /u:"domain\user" /p:"password"
    ' (this user does not have to be a member of Domain Admins, you can just delegate control over the OU's to it.)

    'Check OS, if server then quit
    '(ServerCheck returns a Boolean; call it once and test the result directly)
    If ServerCheck() Then
        WScript.Quit
    End If


    'Alternate Credentials
    Set Named = WScript.Arguments.Named 'Read script parameters
    strUser = Empty
    strSecret = Empty
    If Named.Exists("u") Then
        strUser = Named.Item("u")
    End If
    If Named.Exists("p") Then
        strSecret = Named.Item("p")
    End If


    'Gather information about computer account and AD site
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN = objSysInfo.ComputerName
    strComputerRDN = split(strComputerDN,",")(0)
    strCurrentOU = Replace(strComputerDN, strComputerRDN & ",","")
    strCurrentSite = UCase(objSysInfo.SiteName)


    'variables
    strFQDN = "DC=company,DC=com"
    strSiteName0 = UCase("ADSite0") 'These should match your AD site names
    strSiteName1 = UCase("ADSite1")
    strSiteName2 = UCase("ADSite2")


    'conditional run
    If (strCurrentSite = strSiteName0) Then
        strNewOU = "OU=Computers,OU=Site0," & strFQDN
        If Not UCase(strCurrentOU) = UCase(strNewOU) Then
            Call MoveComputer
        End If
    ElseIf (strCurrentSite = strSiteName1) Then
        strNewOU = "OU=Computers,OU=Site1," & strFQDN
        If Not UCase(strCurrentOU) = UCase(strNewOU) Then
            Call MoveComputer
        End If
    ElseIf (strCurrentSite = strSiteName2) Then
        strNewOU = "OU=Computers,OU=Site2," & strFQDN
        If Not UCase(strCurrentOU) = UCase(strNewOU) Then
            Call MoveComputer
        End If
    End If


    'Returns True when the local OS caption contains "Server"
    Function ServerCheck()
        Dim objWMIService
        Dim colItems
        Dim objItem
        Dim strComputer: strComputer = "."

        ServerCheck = False
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem",,48)
        For Each objItem In colItems
            If InStr(1,objItem.Caption,"Server") Then
                ServerCheck = True
            End If
        Next
        Set objWMIService = Nothing
        Set colItems = Nothing
        Set objItem = Nothing
    End Function


    'Bind to the target OU with the supplied credentials and move the computer object into it
    Sub MoveComputer
        objNewOU = "LDAP://" & strNewOU
        Set objDSO = GetObject("LDAP:")
        '1 = ADS_SECURE_AUTHENTICATION
        Set objMoveComputer = objDSO.OpenDSObject(objNewOU, strUser, strSecret, 1)
        objMoveComputer.MoveHere "LDAP://" & strComputerDN, vbNullString
    End Sub
     
    Vince, Jul 23, 2008
    #5
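
The script above receives its account password through the GPO's script parameters (`/u:"domain\user" /p:"password"`). Group Policy stores those parameters in the policy's `scripts.ini` under SYSVOL, which domain members can read. As an added example (not part of the thread or any poster's code), this Python sketch flags such entries in a `scripts.ini` and redacts the value; the sample file content and the list of switch names are constructed assumptions.

```python
import re

# Constructed sample of a GPO Machine\Scripts\scripts.ini (not from the thread).
SAMPLE_SCRIPTS_INI = """\
[Startup]
0CmdLine=MoveComputer.vbs
0Parameters=/u:"EXAMPLE\\svc-move" /p:"Placeholder-Passw0rd"
1CmdLine=inventory.cmd
1Parameters=/quiet
[Shutdown]
0CmdLine=cleanup.cmd
0Parameters=
"""

# Switch names that suggest a secret on the command line (heuristic, an assumption).
SECRET_SWITCH = re.compile(
    r'(?i)(?<!\S)[/-](p|pw|pwd|pass|password|secret)[:=]\s*("[^"]*"|\S+)')

def decode_ini(raw: bytes) -> str:
    """scripts.ini is normally UTF-16LE with a BOM; fall back to UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def find_embedded_secrets(ini_text: str):
    """Return (section, index, cmdline, redacted_parameters) per flagged entry."""
    section, cmdlines, findings = None, {}, []
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = re.match(r"(\d+)(CmdLine|Parameters)=(.*)$", line, re.I)
        if not m:
            continue
        idx, kind, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        if kind == "cmdline":
            cmdlines[(section, idx)] = value
        elif SECRET_SWITCH.search(value):
            # Keep the switch name, drop the secret itself from the report.
            redacted = SECRET_SWITCH.sub(
                lambda s: s.group(0)[:len(s.group(1)) + 2] + "<redacted>", value)
            findings.append(
                (section, idx, cmdlines.get((section, idx), "?"), redacted))
    return findings

if __name__ == "__main__":
    for finding in find_embedded_secrets(SAMPLE_SCRIPTS_INI):
        print(finding)
```

To audit a real policy, read the file as bytes, pass it through `decode_ini`, and feed the result to `find_embedded_secrets`.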