Microsoft® Windows® 2000 Scripting Guide
When an employee changes roles within the organization, it might be necessary to move the employee's user account to another OU within the same domain, or even from one domain to another. A user account might need to be renamed if, for example, user account naming conventions are changed, an employee changes his or her name, or a new employee replaces an existing employee.
How you move or rename a user account depends on where you plan to move it. Using ADSI, you move or rename a user account with the MoveHere method of the IADsContainer interface. This section shows the MoveHere method used for each of the following operations: moving a user account to another OU in the same domain, renaming a user account in place, renaming and moving a user account in one operation, and moving a user account to an OU in another domain of the same forest.
You cannot use the MoveHere method to move a user account to another forest.
Moving user accounts to other domains within the same forest is possible when the following conditions are met:
(null): Inappropriate authentication
To move a user from one domain to another, you must have permission to remove a user from the source domain and to add a user to the target domain. For example, an administrator of the forest root domain can move a user account to a child domain because the root domain's Administrator account is, by default, a member of the Enterprise Admins group, which is a member of the Administrators group in every domain of the forest. An administrator of a child domain, however, cannot move a user account to the parent domain because, by default, that administrator has no permission to create user accounts in the parent domain.
By default, a user account is made a member of the Domain Users global group. This group is also configured as the Primary group for compatibility with Macintosh clients and POSIX-compliant applications.
You cannot remove a user from the group configured as the user's primary group, and a global group can contain only accounts from its own domain, so an account that is still a member of any global group in the source domain cannot be moved out of that domain. Therefore, make the user a member of a Universal group (Universal security groups exist only in native-mode domains), configure that group as the primary group, and then remove the user's membership in any global groups. This includes Domain Users: once it is no longer the primary group it becomes an ordinary membership that must be removed like any other. If you do not remove the user account from all global groups, the move operation fails and the following message appears:
(null): The server is unwilling to process the request.
After the move is completed, the moved user account is automatically made a member of the Domain Users global group in the target domain. Membership in any Universal groups is automatically revoked. The account keeps its objectGUID but receives a new objectSid from the target domain; the previous SID is recorded in the account's sIDHistory attribute so that ACL entries that reference the old SID continue to resolve.
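The following script is an added example, not code from the Scripting Guide, that carries out the three-step preparation just described for the BarrAdam account: it adds the account to a universal group, makes that group the primary group by writing the group's RID to primaryGroupID, and then removes the account from every global group still listed in memberOf. The universal group cn=Movers,ou=Groups,dc=NA,dc=fabrikam,dc=com is an assumed name; the ADSI group-type constants and the RID extraction from objectSid are standard ADSI behaviour and not specific to this page.

```vbscript
' Added example (not from the Scripting Guide): prepare a user account in the
' NA domain for a move to another domain in the forest by satisfying the
' group-membership condition described in the text.
' Assumption: the universal group cn=Movers,ou=Groups in the NA domain exists
' and the domain is in native mode.
Option Explicit

Const ADS_GROUP_TYPE_GLOBAL_GROUP    = 2
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = 8
Const E_ADS_PROPERTY_NOT_FOUND       = &H8000500D

Dim strUserPath, strUniversalGroupPath
strUserPath = "LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com"
strUniversalGroupPath = "LDAP://cn=Movers,ou=Groups,dc=NA,dc=fabrikam,dc=com" ' assumed group

' Returns the RID (last sub-authority) of the bound object's objectSid.
' objectSid comes back as a byte array; the RID is its last four bytes,
' stored least-significant byte first.
Function GetRid(objAdsObject)
    Dim bytSid, lngLen, i, dblRid
    bytSid = objAdsObject.Get("objectSid")
    lngLen = LenB(bytSid)
    dblRid = 0
    For i = 0 To 3
        dblRid = dblRid + AscB(MidB(bytSid, lngLen - i, 1)) * (256 ^ (3 - i))
    Next
    GetRid = CLng(dblRid)
End Function

' Returns the DNs in the user's memberOf attribute as an array (empty if the
' attribute is not set). The primary group is never listed in memberOf.
Function GetMemberOf(objUser)
    Dim arrDNs
    On Error Resume Next
    arrDNs = objUser.GetEx("memberOf")
    If Err.Number <> 0 Then
        ' E_ADS_PROPERTY_NOT_FOUND only means the attribute is empty
        If Err.Number <> E_ADS_PROPERTY_NOT_FOUND Then WScript.Echo "memberOf: " & Err.Description
        Err.Clear
        arrDNs = Array()
    End If
    On Error GoTo 0
    GetMemberOf = arrDNs
End Function

Dim objUser, objUniversal, objGroup, arrGroups, strDN, lngType
Set objUser = GetObject(strUserPath)
Set objUniversal = GetObject(strUniversalGroupPath)

' Refuse to continue if the chosen group is not actually universal.
lngType = objUniversal.Get("groupType")
If (lngType And ADS_GROUP_TYPE_UNIVERSAL_GROUP) = 0 Then
    WScript.Echo strUniversalGroupPath & " is not a universal group."
    WScript.Quit 1
End If

' Step 1: an account must already be a member of a group before that group
' can be made its primary group.
If Not objUniversal.IsMember(strUserPath) Then objUniversal.Add strUserPath

' Step 2: make the universal group the primary group. primaryGroupID holds
' the RID, not the DN. The old primary group (Domain Users, RID 513 by
' default) now becomes an ordinary membership that can be removed.
objUser.Put "primaryGroupID", GetRid(objUniversal)
objUser.SetInfo
objUser.GetInfo   ' refresh the property cache so memberOf now lists Domain Users

' Step 3: remove the account from every global group it still belongs to;
' global groups cannot contain accounts from another domain, so any that
' remain would make the cross-domain move fail.
arrGroups = GetMemberOf(objUser)
For Each strDN In arrGroups
    Set objGroup = GetObject("LDAP://" & strDN)
    lngType = objGroup.Get("groupType")
    If (lngType And ADS_GROUP_TYPE_GLOBAL_GROUP) <> 0 Then
        WScript.Echo "Removing from global group " & strDN
        objGroup.Remove strUserPath
    End If
Next

WScript.Echo "Primary group RID is now " & objUser.Get("primaryGroupID")
```

Run the script with credentials that can modify both the user account and the groups in the source domain. Between this preparation and the move itself the account has none of the rights normally granted through Domain Users, so do the move promptly afterwards; the text above notes that membership in Domain Users is restored in the target domain once the move completes.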
The MoveHere method allows you to create a script to move or rename a user account. Table 7.9 shows the arguments of the MoveHere method.
Table 7.9 Arguments of the MoveHere Method
Argument | Type | Required | Default | Description |
---|---|---|---|---|
Source | string | Yes | None | The ADsPath of the user account object to be moved or renamed: the provider name followed by the object's distinguishedName, for example "LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com". |
RelativeDistinguishedName | string | Yes | None | The new relative distinguished name of the object, in the form cn=name. Specify a new name to rename the account. If you are not renaming the account, specify vbNullString instead, which keeps the existing cn. |
To use the MoveHere method, the script must first bind to the target (destination) container where the user account should be moved or renamed. The target container is not an argument of the MoveHere method.
The scripting steps for each type of move operation are similar.
Listing 7.18 contains a script that moves a user account from one OU to another OU within the same domain. To carry out this task, the script performs the following steps:
1. Use GetObject to bind to the OU to which the user account is to be moved (the target container).
2. Call the MoveHere method of the target container, passing the ADsPath of the user account as the first argument and vbNullString as the second, because the account is not being renamed.
Listing 7.18 Moving a User Account to a Different OU Within the Same Domain
Line 4 of Listing 7.18 shows that the BarrAdam user account is moved but not renamed. The second argument of the MoveHere method, the relative distinguished name, is identical to the relative distinguished name portion of the distinguishedName specified in the first argument (cn=BarrAdam). Therefore, the second argument can be written as vbNullString rather than the actual RDN:
"LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com", vbNullString
Renaming a user account is similar to moving a user account. The difference is that the second argument of the MoveHere method is a name other than the relative distinguished name originally assigned to the user account. Also, you can rename a user account without moving it to another container.
Listing 7.19 contains a script that renames a user account from within the OU in which it currently resides. To carry out this task, the script performs the following steps:
1. Use GetObject to bind to the OU in which the user account currently resides; because the account is not being moved, this is also the target container.
2. Call the MoveHere method of that container, passing the ADsPath of the user account as the first argument and the new relative distinguished name (cn=NewName) as the second.
Listing 7.19 Renaming a User Account Within the Same OU
You can perform a rename operation while simultaneously moving the user account to another location. Simply change the target container specified on line 1 of Listing 7.19 to a different OU.
Listing 7.20 contains a script that renames a user account and moves it to a different OU. To carry out this task, the script performs the following steps:
1. Use GetObject to bind to the OU to which the user account is to be moved.
2. Call the MoveHere method of that container, passing the ADsPath of the user account in its current OU as the first argument and the new relative distinguished name (cn=NewName) as the second.
Listing 7.20 Renaming and Moving a User Account to a Different OU
There are times when a user account might have to be moved to another domain within the forest; for example, a user might move to another location within the company, and that location might be served by a different domain in the forest. It might also be necessary to move user accounts if the forest is being expanded into additional child domains or consolidated into a smaller number of domains.
Before moving a user account to another domain in the forest, you must make sure that all of the conditions outlined in the introduction to this section are met. Once these conditions are met, writing a script to move a user account to another domain is similar to moving a user account to another OU within the same domain.
Listing 7.21 contains a script that moves a user account to an OU in a child domain. To carry out this task, the script performs the following steps:
1. Use GetObject to bind to the OU in the target domain to which the user account is to be moved.
2. Call the MoveHere method of that container, passing the ADsPath of the user account in the source domain as the first argument and vbNullString as the second, because the account is not being renamed.
Listing 7.21 Moving a User Account to an OU in a Different Domain
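The following script is an added example and not Listings 7.18 through 7.21 themselves. It wraps the bind-then-MoveHere pattern shared by all four listings in one function that binds to the target container, calls MoveHere, returns the ADsPath of the object after the operation, and maps the two error messages quoted in this section to their causes; it then performs the four operations in sequence. The BarrAdam account in ou=HR of dc=NA,dc=fabrikam,dc=com is the page's; the destination OU ou=Management, the new name cn=AdamBarr and the child domain Sales.NA.fabrikam.com are assumptions.

```vbscript
' Added example (not one of the Scripting Guide listings): the four MoveHere
' operations of this section behind one error-checked function.
' Assumptions: ou=Management exists in the NA domain, and Sales.NA.fabrikam.com
' is a child domain with an ou=HR container.
Option Explicit

' Binds to the destination container and moves and/or renames the object at
' strSourcePath. strNewRdn is "cn=NewName" to rename, or vbNullString to keep
' the existing name. Returns the ADsPath of the object after the operation,
' or an empty string on failure.
Function MoveOrRename(strTargetContainerPath, strSourcePath, strNewRdn)
    Dim objContainer, objMoved
    MoveOrRename = ""
    On Error Resume Next
    Set objContainer = GetObject(strTargetContainerPath)
    If Err.Number <> 0 Then
        WScript.Echo "Cannot bind to " & strTargetContainerPath & ": " & Err.Description
        Exit Function
    End If
    ' MoveHere returns the moved object; its ADsPath is the new location.
    Set objMoved = objContainer.MoveHere(strSourcePath, strNewRdn)
    If Err.Number <> 0 Then
        WScript.Echo "MoveHere failed (0x" & Hex(Err.Number) & "): " & Err.Description
        ' Relate the two messages quoted in this section to their causes.
        If InStr(Err.Description, "unwilling to process") > 0 Then
            WScript.Echo "  -> the account is probably still a member of a global group in the source domain"
        ElseIf InStr(Err.Description, "Inappropriate authentication") > 0 Then
            WScript.Echo "  -> the conditions for a cross-domain move are not met"
        End If
        Exit Function
    End If
    On Error GoTo 0
    MoveOrRename = objMoved.ADsPath
End Function

Dim strOuHr, strOuMgmt, strOuHrChild, strPath
strOuHr      = "LDAP://ou=HR,dc=NA,dc=fabrikam,dc=com"
strOuMgmt    = "LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com"          ' assumed OU
strOuHrChild = "LDAP://ou=HR,dc=Sales,dc=NA,dc=fabrikam,dc=com"         ' assumed child domain

' 1. Move to a different OU in the same domain without renaming (Listing 7.18).
strPath = MoveOrRename(strOuMgmt, "LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com", vbNullString)
If strPath = "" Then WScript.Quit 1
WScript.Echo "Moved to " & strPath

' 2. Rename in place (Listing 7.19): the target container is the OU the
'    account now lives in, so only the RDN changes.
strPath = MoveOrRename(strOuMgmt, strPath, "cn=AdamBarr")
If strPath = "" Then WScript.Quit 1
WScript.Echo "Renamed to " & strPath

' 3. Rename and move in a single call (Listing 7.20), back to ou=HR under
'    the original name.
strPath = MoveOrRename(strOuHr, strPath, "cn=BarrAdam")
If strPath = "" Then WScript.Quit 1
WScript.Echo "Renamed and moved to " & strPath

' 4. Move to an OU in a child domain (Listing 7.21). The account must first
'    have been removed from all global groups in the source domain, or this
'    step fails with "The server is unwilling to process the request."
strPath = MoveOrRename(strOuHrChild, strPath, vbNullString)
If strPath = "" Then WScript.Quit 1
WScript.Echo "Moved to the child domain as " & strPath
```

Run the script under credentials that can remove the account from each source container and create it in each destination; for the last step that means rights in both domains, as described earlier in this section. The function returns the new ADsPath on purpose: every move or rename changes the object's distinguishedName, so a later call that reused the original path would fail to find the object.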
If you need to move an OU or another container (and all of the objects within the container) to a different domain in the forest, use the Movetree.exe command-line tool. For information about this tool, install the Windows Support Tools from the \Support\Tools folder on the Windows 2000 Server installation CD. Following installation, from a command prompt, type movetree /? for syntax and Movetree examples.