Changing Organizational Unit in Active Directory

by jds (Acolyte)
on Mar 02, 2003 at 17:54 UTC

jds has asked for the wisdom of the Perl Monks concerning the following question:

Is there a way to use Perl to change the Organizational Unit for a user in Windows 2000 Active Directory? I have scripted a complex user creation routine, but it puts the user in the 'Users' OU automatically. It would vastly increase functionality and convenience if the step of depositing the user in the proper OU could be automated as well.

Thanks,
John

Replies are listed 'Best First'.
Re: Changing Organizational Unit in Active Directory
by submersible_toaster (Chaplain) on Mar 03, 2003 at 00:30 UTC

    Well, I'll be the first to ask respectfully if you can post some of your code ~ I'm sure you're not the only one fighting with AD. My assumption, without having seen your code is that your DN is incorrect, or at least not what you really want it to be. For instance.

        #LDIF
        dn: CN=Submersible Toaster, CN=Users, DC=underwater, DC=appliances, DC=com
        givenname: Submersible
        sn: Toaster
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: user
        <insert relevant AD nonsense GUID sUID etc>

    So your DN is what places the object into the LDAP tree... again I make the assumption that you are interfacing with LDAP. To put the user someplace else, you need to make that clear in the DN.

        #LDIF
        dn: CN=Submersible Toaster, OU=Naughty Boys, DC=underwater, DC=appliances, DC=com
        givenname: Submersible
        sn: Toaster
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: user

    Would place Mr Toaster in the "Naughty Boys" OU rather than the "Users" container. I believe you can even reference another LDAP object, sort of symlinking one DN to another. Hence all users could exist in a master branch, but be linked to their relevant OUs, or the other way round. Don't take my word as gospel though - I've never made LDAP or AD actually do this, there is a chunk of documentation tapping me on the shoulder saying that it is possible.


    I can't believe it's not psellchecked
Re: Changing Organizational Unit in Active Directory
by tachyon (Chancellor) on Mar 03, 2003 at 01:11 UTC

    Not very open source I'm afraid but I wrote a number of proprietary Perl scripts that automate all sorts of AD stuff. Bulk user import into any OU with homedir and any other property setting etc, account enable/disable and password resets are amongst them. The company has been looking at releasing them commercially for a while but it has been on the backburner. They took quite a while to develop as most of the documentation is obscure or incorrect in essential details. Drop me a line so I can show it to the PHB and maybe something might happen. james.freeman@id3.org.uk

    By way of hints, the ldifde utility is good but whitespace sensitive and all online docs (all copies of M$ site stuff anyway) have minor errors in the sample code you need to fix to get them to work - think whitespace and don't do that. ldifde -f dump.txt for hints. Secondly some stuff is just a lot easier to do with short <10 line VBS routines that you can write and exec from perl (I posted one example for you at your other node).

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

      I work with one of the largest AD structures in the world, and I've yet to run into very much that I can't do directly in perl. For example, to move John Doe from Marketing into Sales, you could try something like this:

          use Win32::OLE;

          # Bind to the destination OU, then move the user object into it.
          my $oContainer = Win32::OLE->GetObject("LDAP://OU=Sales, DC=Company, DC=COM");
          my $oUser = $oContainer->MoveHere("LDAP://CN=John Doe, OU=Marketing, DC=Company, DC=COM");
          $oUser->SetInfo();

Re: Changing Organizational Unit in Active Directory
by Marza (Vicar) on Mar 02, 2003 at 19:47 UTC

    Isn't that more of a policy issue or a Default account that you can use to copy?

    Other than that, AD stuff usually requires venturing into OLE, LDAP, and some ADSI.

    We have not converted to AD yet so I don't have examples to offer.

Re: Changing Organizational Unit in Active Directory
by jds (Acolyte) on Mar 04, 2003 at 13:11 UTC
    Thank you to those that replied - I was able to make a working program. Here is the working snippet (thank you meetraz):
        use Win32::OLE;

        # Bind to the destination OU, then move the user out of the default CN=Users container.
        my $oContainer = Win32::OLE->GetObject("LDAP://OU=$ou, DC=nmh, DC=nmhschool, DC=ORG");
        my $oUser = $oContainer->MoveHere("LDAP://CN=$logon, cn=Users, DC=nmh, DC=nmhschool, DC=ORG", "CN=$logon");
        $oUser->SetInfo();
    (where $ou is the destination OU and $logon is the user's logon name)

    The point I have traditionally missed is that the default OU of 'Users' must be specified as 'CN=Users' not 'OU=Users'.

    Others have asked for my examples and general account creation in AD, so I will post my entire script in the Code Catacombs.

    Thanks again,
    John
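
The snippets in this thread interpolate $ou and $logon straight into the ADsPath, and the working version depends on the default container being CN=Users rather than OU=Users. The Perl below is an added example, not code from any poster here: it builds the three MoveHere strings from typed components and escapes each RDN value, so a name such as "Doe, John" cannot change the structure of the DN. The helper names (escape_rdn_value, rdn, move_args), the sample values and the DC=example,DC=org domain are assumptions.

```perl
use strict;
use warnings;

# Escape one RDN value for a distinguished name (RFC 4514 rules), plus "/",
# which is a separator inside ADsPath strings.
sub escape_rdn_value {
    my ($v) = @_;
    die "bad RDN value\n" if !defined $v || $v eq '' || $v =~ /[\x00-\x1f]/;
    my ($i, $last) = (0, length($v) - 1);
    return join '', map {
        my $pos = $i++;
        my $special = /[\\,+"<>;=\/]/              # special anywhere
            || ($pos == 0     && /[# ]/)            # leading '#' or space
            || ($pos == $last && $_ eq ' ');        # trailing space
        $special ? "\\$_" : $_;
    } split //, $v;
}

# One "TYPE=value" component; only CN and OU are accepted here.
sub rdn {
    my ($type, $value) = @_;
    die "unsupported RDN type '$type'\n" unless $type =~ /\A(?:CN|OU)\z/i;
    return uc($type) . '=' . escape_rdn_value($value);
}

# Returns (destination ADsPath, source ADsPath, new RDN) for MoveHere.
sub move_args {
    my (%a) = @_;
    my $user = rdn(CN => $a{logon});
    my $src  = join ',', $user, rdn(@{ $a{from} }), $a{base};
    my $dst  = join ',', rdn(@{ $a{to} }), $a{base};
    return ("LDAP://$dst", "LDAP://$src", $user);
}

# Constructed sample values; DC=example,DC=org is a placeholder domain.
my ($dest, $source, $new_rdn) = move_args(
    logon => 'Doe, John',        # comma must not split the DN
    from  => [ CN => 'Users' ],  # built-in container: CN=, not OU=
    to    => [ OU => 'R+D' ],
    base  => 'DC=example,DC=org',
);
print "$_\n" for $dest, $source, $new_rdn;

# The move itself, using the same calls as the snippets in this thread.
if ($^O eq 'MSWin32' && "@ARGV" eq '--apply') {
    require Win32::OLE;
    my $container = Win32::OLE->GetObject($dest) or die Win32::OLE->LastError();
    $container->MoveHere($source, $new_rdn) or die Win32::OLE->LastError();
}
```

Run without arguments it only prints the three strings; the directory is touched only on Windows when --apply is given.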
