[Samba] Samba 4.13 AD: How to Change Default Computer OU?

Denis CARDON dcardon at tranquil.it
Fri Apr 1 09:03:59 UTC 2022

Hi Mike,

Le 31/03/2022 à 20:11, Mike Ruebner via samba a écrit :
> Hi Andrew,
> Yep. That looks like what I want to do. Thanks!
> Please bear with me on a related tangent. For the life of me, I cannot figure out a working ldif notation. This is what I have on Debian 11.3:

a ldbedit/ADSIEdit shoud do it.

ldbedit -H /var/lib/samba/private/sam.ldb  -b 
DC=sub,DC=mydomain,DC=com-s base

Otherwise, the redircmp works properly.



> ldbmodify -H /var/lib/samba/private/sam.ldb <<
> dn: DC=sub,DC=mydomain,DC=com
> changetype: modify
> delete: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=sub,DC=mydomain,DC=com
> -
> add: wellKnownObjects
> wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Machines,DC=sub,DC=mydomain,DC=com
> However, I receive a constraint violation "000020B5: Referenced object not found [...]". Object is definitely there, if multiple. What am I doing wrong here? I know this beyond the scope of my original question, but maybe someone came across the same issue. Any pointers greatly appreciated!
> Bests, Mike
>> See this in the base DN (eg your main domain DN):
>> wellKnownObjects:
>> B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,${DOMAINDN}
>> Most clients will honour where this points and create new computers
>> there by default, unless told otherwise.
> Andrew,
> On Tue, 2022-03-29 at 23:13 -0500, Mike Ruebner via samba wrote:
>>> Thanks for your response. Much appreciated. I am aware of the samba-
>>> tool option, but that's, for lack of better words, after the fact.
>>> 'Off the bat' meaning that a newly joined workstation should
>>> automatically end up in the 'Machines' OU instead of the default
>>> 'Computers' OU. In Windows speak, I would be able to achive this with
>>> the 'redircmp' PowerShell command.
>>> Bests, Mike
>>> Not entirely sure I understand what "applied off the bat" means.
>>> Joining the domain won't execute GPO computer settings AFAIK, you
>>> need
>>> to reboot the machine first.  If you have to reboot the machine
>>> anyway,
>>> just use samba-tool right after the domain join:
>>> # samba-tool computer move COMPUTERNAME NEW_PARENT_DN [options]
>>> This command moves a computer account into the specified
>>> organizational
>>> unit or container.
>>> The computername specified on the command is the sAMAccountName,
>>> with or
>>> without the trailing dollar sign.
>>> The name of the organizational unit or container can be specified
>>> as a
>>> full DN or without the domainDN component.
>>>> On 3/23/22 00:22, Mike Ruebner via samba wrote:
>>>> Hi,
>>>> Is there any way to change the default OU for new domain joins? I
>>>> have a couple of GPOs I would like to see applied off the bat
>>>> from a 'Machines' OU.
>>>> Samba 4.13.13-Debian on Debian 11.2.
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list