Active Directory Cookbook for Windows Server 2003 - P16
Recipe 5.6 Moving the Objects in an OU to a Different OU
5.6.1 Problem
You want to move some or all of the objects in an OU to a different OU. You may need to do
this as part of a domain restructuring effort.
5.6.2 Solution
5.6.2.1 Using a graphical user interface
1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in
the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the OU that contains the objects you want to move and click
on it.
4. Highlight the objects in the right pane you want to move, right-click on them, and select
"Move."
5. Browse to the parent container you want to move the objects to, click on it.
6. Click OK.
7. Press F5 to refresh the contents of the OU. If objects still exist, repeat the previous three
steps.
5.6.2.2 Using a command-line interface
> for /F "usebackq delims=" %i in (`dsquery * "<OldOrgUnitDN>" -scope onelevel`) do dsmove -newparent "<NewOrgUnitDN>" %i
5.6.2.3 Using VBScript
' This code moves objects from the "old" OU to the "new" OU
' SCRIPT CONFIGURATION
strOldOrgUnit = "<OldOrgUnitDN>" ' e.g. ou=Eng Tools,dc=rallencorp,dc=com
strNewOrgUnit = "<NewOrgUnitDN>" ' e.g. ou=Tools,dc=rallencorp,dc=com
' END CONFIGURATION

set objOldOU = GetObject("LDAP://" & strOldOrgUnit)
set objNewOU = GetObject("LDAP://" & strNewOrgUnit)
' Enumerate the direct children of the old OU and move each one into the new OU
for each objChildObject in objOldOU
   Wscript.Echo "Moving " & objChildObject.Name
   objNewOU.MoveHere objChildObject.ADsPath, objChildObject.Name
next
5.6.3 Discussion
5.6.3.1 Using a graphical user interface
If you want to move more than 2,000 objects at one time, you will need to modify the default
number of objects displayed, as described in the Discussion section of Recipe 5.3.
5.6.3.2 Using a command-line interface
Since dsmove can move only one object at a time, I had to use the for command to iterate over
each child object returned from dsquery. Also note that if you want to move more than 100
objects, you'll need to specify the -limit xx option with dsquery, where xx is the maximum
number of objects to move (use 0 for all).
5.6.3.3 Using VBScript
For more information on the MoveHere method, see Recipe 4.17.
5.6.4 See Also
Recipe 4.17 for moving objects, Recipe 5.3 for enumerating objects in an OU, and MSDN:
IADsContainer::MoveHere
Recipe 5.7 Moving an OU
5.7.1 Problem
You want to move an OU and all its child objects to a different location in the directory tree.

5.7.2 Solution
5.7.2.1 Using a graphical user interface
1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in
the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the OU you want to move.
4. Right-click on the OU and select Move.
5. Select the new parent container for the OU and click OK.
5.7.2.2 Using a command-line interface

> dsmove "<OrgUnitDN>" -newparent "<NewParentDN>"
5.7.2.3 Using VBScript
set objOU = GetObject("LDAP://<NewParentDN>")
objOU.MoveHere "LDAP://<OrgUnitDN>", "<OrgUnitRDN>"
5.7.3 Discussion
One of the benefits of Active Directory is the ability to structure and restructure data easily.
Moving an OU, even one that contains a complex hierarchy of other OUs and objects, can be
done without impacting the child objects.
If any applications have a dependency on the location of specific objects, you need to ensure
they are either updated with the new location or, preferably, reference the objects by GUID, not
by distinguished name.
You should also be mindful of the impact of inherited ACLs and applied group policy on the
new parent OU.
5.7.4 See Also
MS KB 313066 (HOW TO: Move Users, Groups, and Organizational Units Within a Domain in
Windows 2000) and MSDN: IADsContainer::MoveHere
Recipe 5.8 Determining How Many Child Objects an OU Has

This recipe requires the Windows Server 2003 domain functional level.
5.8.1 Problem
You want to determine if an OU has any child objects or determine how many child objects it
contains.
5.8.2 Solution
5.8.2.1 Using a graphical user interface
1. Open LDP.
2. From the menu, select Browse → Search.
3. For Base Dn, enter <OrgUnitDN>.
4. For Filter, enter (objectclass=*).
5. For Scope, select Base.
6. Click the Options button and enter msDS-Approx-Immed-Subordinates for Attributes.
7. Click OK and Run.
8. The results will be displayed in the right pane.
5.8.2.2 Using a command-line interface
> dsquery * "<OrgUnitDN>" -scope base -attr msDS-Approx-Immed-Subordinates
5.8.2.3 Using VBScript
' This code displays the approximate number of child objects for an OU
set objOU = GetObject("LDAP://<OrgUnitDN>")
objOU.GetInfoEx Array("msDS-Approx-Immed-Subordinates"), 0
WScript.Echo "Number of child objects: " & _
objOU.Get("msDS-Approx-Immed-Subordinates")
5.8.3 Discussion
The msDS-Approx-Immed-Subordinates attribute is new to Windows Server 2003. It contains
the approximate number of direct child objects in a container or organizational unit. Note that
this is an approximation and can be off by 10% of the actual total for large containers. The main
reason for adding this attribute was to give applications an idea of how many objects a container
has so that it can display them accordingly.
msDS-Approx-Immed-Subordinates is a constructed attribute, that is, the value is not actually
stored in Active Directory like other attributes. Active Directory computes the value when an
application asks for it. In the VBScript solution, the GetInfoEx method had to be called because
some constructed attributes, such as this one, are not retrieved when GetInfo or Get is called.
You can accomplish similar functionality with Windows 2000 Active Directory, but you need to
perform a onelevel search against the OU and count the number of objects returned. This method
is by no means as efficient as using msDS-Approx-Immed-Subordinates in Windows Server 2003.

5.8.4 See Also
MSDN: GetInfoEx
Recipe 5.9 Delegating Control of an OU
5.9.1 Problem
You want to delegate administrative access of an OU to allow a group of users to manage objects
in the OU.
5.9.2 Solution
5.9.2.1 Using a graphical user interface
1. Open the Active Directory Users and Computers snap-in.
2. If you need to change domains, right-click on "Active Directory Users and Computers" in
the left pane, select Connect to Domain, enter the domain name, and click OK.
3. In the left pane, browse to the target OU, right-click on it, and select Delegate Control.
4. Select the users and/or groups to delegate control to by using the Add button and click
Next.
5. Select the type of privilege to grant the users/groups and click Next.
6. Click Finish.
5.9.2.2 Using a command-line interface
ACLs can be set via a command-line with the dsacls utility from the Support Tools. See Recipe
14.10 for more information.
5.9.3 Discussion
Although you can delegate control of an OU to a particular user, it is generally a better practice
to use a group instead. Even if there is only one user to delegate control to, you should create a
group, add that user as a member, and use that group in the ACL. That way, in the future when
you have to replace that user with someone else, you can make sure the new person is in the
correct group instead of modifying ACLs again.
5.9.4 See Also
Recipe 14.10 for changing the ACL on an object
Recipe 5.10 Allowing OUs to Be Created Within Containers
5.10.1 Problem
You want to create an OU within a container. By default, you cannot create OUs within
container objects due to restrictions in the Active Directory schema.
5.10.2 Solution
5.10.2.1 Using a graphical user interface
1. Open the Active Directory Schema snap-in as a user that is a member of the Schema
Admins group. See Recipe 10.1 for more on using the Schema snap-in.
2. Expand the Classes folder, right-click on the organizationalUnit class, and select
Properties.
3. Select the Relationship tab and, next to Possible Superior, click Add Superior (Windows
Server 2003) or Add (Windows 2000).
4. Select container and click OK.
5. Click OK.
5.10.2.2 Using a command-line interface
Create an LDIF file called ou_in_container.ldf with the following contents:
dn: cn=organizational-unit,cn=schema,cn=configuration,<ForestRootDN>
changetype: modify
add: possSuperiors
possSuperiors: container
-
then run the ldifde command to import the change:
> ldifde -i -f ou_in_container.ldf
5.10.2.3 Using VBScript
' This code modifies the schema so that OUs can be created within containers
Const ADS_PROPERTY_APPEND = 3
set objRootDSE = GetObject("LDAP://RootDSE")
' Bind to the organizationalUnit class definition in the schema naming context
set objOUClass = GetObject("LDAP://cn=organizational-unit," & _
                           objRootDSE.Get("schemaNamingContext") )
' Add container to the list of classes an OU may be created under
objOUClass.PutEx ADS_PROPERTY_APPEND, "possSuperiors", Array("container")
objOUClass.SetInfo

5.10.3 Discussion
Allowing OUs to be created within containers requires a simple modification to the schema. You
have to make the container class one of the possible superiors (possSuperiors attribute) for the
organizationalUnit class.
5.10.4 See Also
Recipe 10.1 for using the Schema snap-in and MS KB 224377 (Configuring Different Containers
to Hold Organizational Units)
Recipe 5.11 Linking a GPO to an OU
5.11.1 Problem
You want to apply the settings in a GPO to the users and/or computers within an OU, also known
as linking the GPO to the OU.
5.11.2 Solution
5.11.2.1 Using a graphical user interface
1. Open the Group Policy Management (GPMC) snap-in.
2. Expand Forest in the left pane.
3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.
4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does
not already exist) or Link an Existing GPO (if you have already created the GPO).
5.11.2.2 Using VBScript
' This code links a GPO to an OU in the specified domain
' SCRIPT CONFIGURATION
strDomainDN = "<DomainDN>" ' e.g. dc=rallencorp,dc=com
strGPO = "<GPOName>" ' e.g. WorkstationsGPO
strOUDN = "<OrgUnitDN>" ' e.g. ou=Workstations,dc=rallencorp,dc=com
' END CONFIGURATION

' Look up the GPO's group policy container under cn=policies,cn=system by display name
strBaseDN = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
strFilter = "(&(objectcategory=grouppolicycontainer)" & _
            "(objectclass=grouppolicycontainer)" & _
            "(displayname=" & strGPO & "));"
strAttrs = "ADsPath;"
strScope = "OneLevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   objRS.MoveFirst
end if

' Exactly one GPO must match the display name
if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not find matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if

set objOU = GetObject("LDAP://" & strOUDN)

' Read the current gpLink. An OU with no links yet has no gpLink value, which
' raises E_ADS_PROPERTY_NOT_FOUND (-2147463155); that case is not an error here.
on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   if Err.Number <> -2147463155 then
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                   Err.Description
      Wscript.Quit
   end if
end if
on error goto 0

' Append the new link to the existing value; ;0 marks the link as enabled
objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"
5.11.3 Discussion
The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of
the gpLink attribute is kind of strange, so you have to be careful when programmatically or
manually setting that attribute. Since multiple GPOs can be linked to an OU, the gpLink attribute
has to store multiple values; unfortunately, it does not store them as you might expect in a
multivalued attribute. Instead, the links are stored as part of the single-valued gpLink attribute.
The ADsPath of each linked GPO is concatenated into a string, with each enclosed in square
brackets. The ADsPath for each GPO is followed by ;0 to signify the link is enabled or ;1 to
signify the link is disabled. Here is an example gpLink with two GPOs linked:
[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]
A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the
GPMC APIs.
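As an added example that is not from the book, here is a small Python parser for the gpLink format just described: it returns each linked GPO's ADsPath and link state, and an append helper builds the new value the same way the VBScript solution does while refusing to link a GPO twice. It goes beyond the 0/1 values shown above by treating the option number as a bitmask in which bit 1 (value 2) marks an enforced link; the sample value is constructed from the two-link example above.

```python
import re

# One "[<ADsPath>;<options>]" entry of a gpLink value. The option value is a
# bitmask: bit 0 (1) = link disabled, bit 1 (2) = link enforced, so 0 and 1
# are the values the recipe shows and 2 and 3 are the enforced variants.
GPLINK_ENTRY = re.compile(r"\[(LDAP://[^;\]]+);(\d+)\]", re.IGNORECASE)

# Constructed sample: the two-link value quoted in the Discussion above.
SAMPLE_GPLINK = (
    "[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
)


def parse_gplink(gplink):
    """Return [(adspath, options), ...] in link order; an empty or blank
    value (an OU with no links) yields []. Anything left over outside
    well-formed [...] entries means the value was edited badly: fail loudly."""
    text = gplink or ""
    if GPLINK_ENTRY.sub("", text).strip():
        raise ValueError("malformed gpLink value: %r" % text)
    return [(m.group(1), int(m.group(2))) for m in GPLINK_ENTRY.finditer(text)]


def describe_links(gplink):
    """Audit view of an OU's gpLink: each GPO path with its link state."""
    result = []
    for path, options in parse_gplink(gplink):
        state = "disabled" if options & 1 else "enabled"
        if options & 2:
            state += ", enforced"
        result.append((path, state))
    return result


def append_link(gplink, gpo_adspath, options=0):
    """Build the new gpLink the way the VBScript solution does (concatenate
    "[path;options]"), but refuse to link a GPO that is already present."""
    if gpo_adspath.lower() in {p.lower() for p, _ in parse_gplink(gplink)}:
        raise ValueError("GPO already linked: " + gpo_adspath)
    return (gplink or "") + "[%s;%d]" % (gpo_adspath, options)


if __name__ == "__main__":
    for path, state in describe_links(SAMPLE_GPLINK):
        print(state.ljust(20), path)
```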
5.11.4 See Also
Introduction in Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the
Addition of Group Policy Links)