Back to basics: How can I move computers to a new OU in Active Directory during an in-place upgrade using SCCM (System Center Configuration Manager)

Introduction

Continuing the back to basics blog series, and this time addressing how you can move the computer object in AD (Active Directory) from one OU (Organization Unit) to another during an in-place upgrade of Windows. A good guess is, that this will be relevant for a lot people working with WaaS (Windows as a Service), where putting the computers into a new and fresh OU, with some new and fresh Group Policies might be needed.

This is all done using a web service and powershell. Curious? Continue reading 🙂

Web Service

As mentioned, this is based on using a web service. It might seem scary to someone, but its actually really easy to put to use. Below are the details:

  • First of all, you obviously need the web service installed and functional. My example is based on Nickolaj Andersen’s web service. The installation is well documented alongside the download: http://www.scconfigmgr.com/configmgr-webservice/
  • The installation is literally next, next, next and done

Once the web service has been installed, the prerequisite for this option is to grant the service account access (the identity account), to allow moving of computer objects in Active Directory in the desired OUs.

Taking a closer look at the Advanced Settings of the ConfigMgrWebService Application Pool will reveal the account used (in case you didn’t do the installation yourself, or somehow forgot which user that’s running the web service). See below.

Active Directory

  • To give the account used in the web service permissions to move computer objects in Active Directory, right click on the top level OU where the computers exists and select Delegate control. In below illustration, that is the Workstation OU

  • Add the account as shown below

  • Select to Create a custom task to delegate. Also as illustrated below

  • Select This folder, existing objects in this folder and creation of new objects in this folder

  • Select: Creation/deletion of specific child objects and select Create Computer objects and Delete Computer objects

  • Next up is to delegate some additional custom permissions. This is done by bringing up the Advanced Security Settings page for the targeted OU. In my scenario the Workstation OU. Most SCCM admins should be familiar with this settings page already.
    • Edit the permissions for the SCCM_WS account and select to apply your additions to Descendant Computer objects as highlighted below

  • Select the following permissions in the Properties section:
    • Read personal information
    • Write personal information
    • Read public information
    • Write public information

Powershell

Nickolaj is kind enough to provide us with some Powershell samples included in the web service. I have made some changes to the included sample. Copy/paste the script below or make your own edition if needed.

  • Insert your own SecretKet from the web service
  • Modify OU to suit your need
  • Insert your own URL to the web service
  • Save the script into a package in SCCM

Task Sequence

Put everything to use in your task sequence. That includes creating the package containing the script, as well as adding the Run Powershell Script step to your task sequence.

Below illustrates the use in one of my task sequences.

Enjoy 🙂

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.