Moving and Renaming User Accounts

Microsoft® Windows® 2000 Scripting Guide


When an employee changes roles within the organization, it might be necessary to move the employee's user account to another OU within the same domain, or even from one domain to another. A user account might need to be renamed if, for example, user account naming conventions are changed, an employee changes his or her name, or a new employee replaces an existing employee.

How you move or rename a user account depends on where you plan to move it. Using ADSI, you can move or rename a user account using the MoveHere method of IADsContainer. The MoveHere method supports the following move and rename operations:

  • Moving a user account to a different container within the same domain
  • Renaming a user account within the same container
  • Renaming and moving a user account to a different container within the same domain
  • Moving a user account to another domain
  • Renaming an account while moving it to another domain

You cannot use the MoveHere method to move a user account to another forest.

Preparing a User Account for a Cross-Domain Move

Moving user accounts to other domains within the same forest is possible when the following conditions are met:

  • The destination domain is running in native mode.
  • Both the destination and the source domain use Kerberos authentication.
  • The move operation must be completed from the source domain to the destination, or target, domain. If you attempt to move a user while logged on to the destination domain, the following message will appear:
    (null): Inappropriate authentication 

    To move a user from one domain to another, you must have permission to remove a user from the source domain and add a user to the target domain. For example, a user with administrator credentials in a root domain can move a user to a child domain because the user is a member of the Enterprise Admins group. However, a user with administrator credentials in a child domain cannot move a user to a parent domain because the user does not have permission, by default, to add user accounts to the parent domain.

  • The user account to be moved must not be a member of a global group in the source domain, or the move operation will fail. Therefore, you must remove the user from any global groups before attempting the move.

    By default, a user account is made a member of the Domain Users global group. This group is also configured as the Primary group for compatibility with Macintosh clients and POSIX-compliant applications.

    You cannot remove a group configured as the Primary group. Therefore, make the user a member of a Universal group, configure that group as primary, and then remove the user's membership in any global groups. If you do not remove the user account from all global groups, the move operation will fail and the following message will appear:

    (null): The server is unwilling to process the request. 

    After the move is completed, the moved user account is automatically made a member of the Domain Users global group in the target domain. Membership in any Universal groups is automatically revoked.

The MoveHere method allows you to create a script to move or rename a user account. Table 7.9 shows the arguments of the MoveHere method.

Table 7.9   Arguments of the MoveHere Method

Argument                   Type    Required  Default  Description
Source container           string  Yes       None     The name of the provider and the distinguishedName attribute of the target container.
RelativeDistinguishedName  string  Yes       None     The cn=name attribute of the user account object to be moved, or the new name of the user account to be renamed. If you are not renaming the account, you can specify vbNullString instead.

To use the MoveHere method, the script must first bind to the target (destination) container where the user account should be moved or renamed. The target container is not an argument of the MoveHere method.

Scripting Steps

The scripting steps for each type of move operation are similar.

Moving a user account to a different container within the same domain

Listing 7.18 contains a script that moves a user account from one OU to another OU within the same domain. To carry out this task, the script performs the following steps:

  1. Bind to the target OU by using the GetObject function and the LDAP provider.
  2. Use the MoveHere method of IADsContainer to move the user account from the HR OU to the Sales OU.

Listing 7.18   Moving a User Account to a Different OU Within the Same Domain

1  Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
2  objOU.MoveHere _
3      "LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com", _
4      "cn=barradam"

Line 4 of Listing 7.18 shows that the BarrAdam user account is moved but not renamed. The second argument of the MoveHere method, the relative distinguished name, is identical to the relative distinguished name portion of the distinguishedName specified in the first argument (cn=BarrAdam). Therefore, the second argument can be written as vbNullString rather than the actual RDN:

    "LDAP://cn=BarrAdam,ou=HR,dc=NA,dc=fabrikam,dc=com", vbNullString

Renaming a user account within the same container

Renaming a user account is similar to moving a user account. The difference is that the second argument of the MoveHere method is a name other than the relative distinguished name originally assigned to the user account. Also, you can rename a user account without moving it to another container.

Listing 7.19 contains a script that renames a user account from within the OU in which it currently resides. To carry out this task, the script performs the following steps:

  1. Bind to the target OU by using the GetObject function and the LDAP provider.
  2. Use the MoveHere method of IADsContainer to rename the user account to LewJudy in its current container.

Listing 7.19   Renaming a User Account Within the Same OU

1  Set objOU = GetObject("LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com")
2  objOU.MoveHere _
3      "LDAP://cn=BarrAdam,ou=Sales,dc=NA,dc=fabrikam,dc=com", _
4      "cn=LewJudy"

Renaming and moving a user account to a different container within the same domain

You can perform a rename operation while simultaneously moving the user account to another location. Simply change the target container specified on line 1 of Listing 7.19 to a different OU.

Listing 7.20 contains a script that renames a user account and moves it to a different OU. To carry out this task, the script performs the following steps:

  1. Bind to the target OU by using the GetObject function and the LDAP provider.
  2. Use the MoveHere method of IADsContainer to rename the user account and move it to the Management OU.

Listing 7.20   Renaming and Moving a User Account to a Different OU

1  Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
2  objOU.MoveHere _
3      "LDAP://cn=LewJudy,ou=Sales,dc=NA,dc=fabrikam,dc=com", _
4          "cn=AckermanPilar"

Moving a user account to another domain

There are times when a user account might have to be moved to another domain within the forest; for example, if a user is moving to another location within the company and that location contains a different domain in the forest. It might also be necessary to move user accounts if the forest is being expanded into additional child domains or consolidated into a smaller number of domains.

Before moving a user account to another domain in the forest, you must make sure that all of the conditions outlined in the introduction to this section are met. Once these conditions are met, writing a script to move a user account to another domain is similar to moving a user account to another OU within the same domain.

Listing 7.21 contains a script that moves a user account to an OU in a child domain. To carry out this task, the script performs the following steps:

  1. Bind to the target OU by using the GetObject function and the LDAP provider.
  2. Use the MoveHere method of IADsContainer to move the user account, without renaming it, to the Management OU in the child domain.

Listing 7.21   Moving a User Account to an OU in a Different Domain

1  Set objOU = GetObject("LDAP://ou=Management,dc=NA,dc=fabrikam,dc=com")
2  objOU.MoveHere _
3      "LDAP://cn=AckermanPilar,ou=Management,dc=fabrikam,dc=com", _
4          vbNullString

If you need to move an OU or another container (and all of the objects within the container) to a different domain in the forest, use the Movetree.exe command-line tool. For information about this tool, install the Windows Support Tools from the \Support\Tools folder on the Windows 2000 Server installation CD. Following installation, from a command prompt, type movetree /? for syntax and Movetree examples.


Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003