Mike Ruebner
2022-Mar-31 18:11 UTC
[Samba] Samba 4.13 AD: How to Change Default Computer OU?
Hi Andrew,

Yep. That looks like what I want to do. Thanks!

Please bear with me on a related tangent. For the life of me, I cannot figure out a working ldif notation. This is what I have on Debian 11.3:

ldbmodify -H /var/lib/samba/private/sam.ldb << EOF
dn: DC=sub,DC=mydomain,DC=com
changetype: modify
delete: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=sub,DC=mydomain,DC=com
-
add: wellKnownObjects
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Machines,DC=sub,DC=mydomain,DC=com
EOF

However, I receive a constraint violation "000020B5: Referenced object not found [...]". Object is definitely there, if multiple. What am I doing wrong here?

I know this is beyond the scope of my original question, but maybe someone came across the same issue. Any pointers greatly appreciated!

Bests, Mike

> See this in the base DN (eg your main domain DN):
>
> wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
>
> Most clients will honour where this points and create new computers
> there by default, unless told otherwise.

Andrew,

On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba wrote:
>> Thanks for your response. Much appreciated. I am aware of the
>> samba-tool option, but that's, for lack of better words, after the fact.
>> 'Off the bat' meaning that a newly joined workstation should
>> automatically end up in the 'Machines' OU instead of the default
>> 'Computers' OU. In Windows speak, I would be able to achieve this with
>> the 'redircmp' PowerShell command.
>>
>> Bests, Mike
> > > > Not entirely sure I understand what "applied off the bat" means.
> > > > Joining the domain won't execute GPO computer settings AFAIK, you need
> > > > to reboot the machine first. If you have to reboot the machine anyway,
> > > > just use samba-tool right after the domain join:
> > > >
> > > > # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
> > > >
> > > > This command moves a computer account into the specified organizational
> > > > unit or container.
> > > > The computername specified on the command is the sAMAccountName, with or
> > > > without the trailing dollar sign.
> > > > The name of the organizational unit or container can be specified as a
> > > > full DN or without the domainDN component.
> > >
> > > On 3/23/22 00:22, Mike Ruebner via samba wrote:
> > > Hi,
> > >
> > > Is there any way to change the default OU for new domain joins? I
> > > have a couple of GPOs I would like to see applied off the bat
> > > from a 'Machines' OU.
> > > Samba 4.13.13-Debian on Debian 11.2.
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
> Samba Development and Support, Catalyst IT - Expert Open Source Solutions

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2022-Mar-31 18:25 UTC
[Samba] Samba 4.13 AD: How to Change Default Computer OU?
On Thu, 2022-03-31 at 13:11 -0500, Mike Ruebner via samba wrote:
> Hi Andrew,
>
> Yep. That looks like what I want to do. Thanks!
>
> Please bear with me on a related tangent. For the life of me, I
> cannot figure out a working ldif notation.

Sorry but there isn't one, only the system can change it and then only after you move the container. Try reading this:

https://docs.microsoft.com/en-us/windows/win32/adschema/a-wellknownobjects

Rowland
Jonathan Kreider
2022-Apr-01 02:25 UTC
[Samba] Samba 4.13 AD: How to Change Default Computer OU?
The link below provides some interesting details about the preparation for and results of running Microsoft's redircmp command.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/redirect-users-computers-containers

Especially this.

"Note When Redircmp.exe is run to redirect the CN=Computers container to an OU specified by an administrator, the CN=Computers container will no longer be a protected object. This means that the Computers container can now be moved, deleted, or renamed. If you use ADSIEDIT to view attributes on the CN=Computers container, you will see that the systemflags attribute was changed from -1946157056 to 0. This is by design."

So in this circumstance the computers container could actually be deleted. But the rest of what redircmp does under the hood remains undocumented, at least on this page.

Hth
Jonathan

On Thu, Mar 31, 2022, 2:26 PM Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 2022-03-31 at 13:11 -0500, Mike Ruebner via samba wrote:
> > Hi Andrew,
> >
> > Yep. That looks like what I want to do. Thanks!
> >
> > Please bear with me on a related tangent. For the life of me, I
> > cannot figure out a working ldif notation.
>
> Sorry but there isn't one, only the system can change it and then only
> after you move the container. Try reading this:
>
> https://docs.microsoft.com/en-us/windows/win32/adschema/a-wellknownobjects
>
> Rowland
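
Added example, not part of any post in this thread: a small audit helper that reads wellKnownObjects values in the B:32:<GUID>:<DN> form quoted above, reports where the Computers GUID currently points, and decodes the systemFlags values from the redircmp note. The function names are hypothetical, the flag names and bit values are those defined in MS-ADTS, and the sample values are constructed from the thread's placeholder domain.

```python
import re

# GUID from the thread: the well-known "Computers" container.
COMPUTERS_GUID = "AA312825768811D1ADED00C04FD8D5CD"

# systemFlags protection bits as defined in MS-ADTS.
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
}

_WKO = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")


def parse_wko(value):
    """Split a DN-with-binary value 'B:<hex chars>:<hex>:<DN>' into (GUID, DN)."""
    m = _WKO.match(value.strip())
    if not m:
        raise ValueError("not a DN-with-binary value: %r" % value)
    count, hexstr, dn = int(m.group(1)), m.group(2), m.group(3)
    if count != len(hexstr):
        raise ValueError("declared %d hex chars, found %d" % (count, len(hexstr)))
    return hexstr.upper(), dn


def default_computer_container(values):
    """Return the DN the Computers well-known GUID points at, or None."""
    for v in values:
        guid, dn = parse_wko(v)
        if guid == COMPUTERS_GUID:
            return dn
    return None


def decode_system_flags(signed_value):
    """Name the protection bits set in a signed 32-bit systemFlags value."""
    unsigned = signed_value & 0xFFFFFFFF
    return sorted(name for bit, name in SYSTEM_FLAGS.items() if unsigned & bit)


if __name__ == "__main__":
    sample = [  # constructed values; the second GUID is the well-known Users container
        "B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,DC=sub,DC=mydomain,DC=com",
        "B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=sub,DC=mydomain,DC=com",
    ]
    print("new computers land in:", default_computer_container(sample))
    print("protected container:", decode_system_flags(-1946157056))
    print("after redirect:", decode_system_flags(0))
```

An empty flag list for CN=Computers means the container can be moved, renamed or deleted, which is worth checking on any domain where the default computer location has been redirected.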