OS X Workstations in Active Directory

Can anyone help me with how to query AD to find all OS X workstations? This is for a large enterprise that is mostly Windows Servers & workstations, but with a few Linux servers... and an even fewer number of OS X workstations. I need a (preferably quick and remote) way to find out how many Mac computer objects exist in AD.
I've searched and found a lot of information about integrating OS X into an AD environment, but nothing specific to what I'm trying to accomplish here.
Thanks

This page has a dude doing something similar. Perhaps it is a good starting point. If I understood the article correctly, you could likely obtain what you are looking for by using his code and filtering further as necessary.
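One way to answer the question above from a domain-joined Windows admin workstation, as an added example that is not part of the original thread or the linked article. It assumes the RSAT ActiveDirectory module is installed and that the Macs were bound with Apple's AD plug-in, which writes a value containing "Mac" into the `operatingSystem` attribute; the 90-day staleness threshold is a hypothetical value.

```powershell
# Added example: inventory Mac computer objects in Active Directory.
# Assumption: bound Macs carry "Mac" somewhere in operatingSystem
# (e.g. "Mac OS X"). Third-party binding tools may write other values.
Import-Module ActiveDirectory

$staleAfterDays = 90                       # hypothetical threshold
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$staleAfterDays)

# Server-side LDAP filter: only computer objects whose OS string contains "Mac".
$macFilter = '(&(objectCategory=computer)(operatingSystem=*Mac*))'

$macs = Get-ADComputer -LDAPFilter $macFilter `
            -Properties operatingSystem, operatingSystemVersion, lastLogonTimestamp |
    Select-Object Name, DistinguishedName, Enabled,
        @{ n = 'OS';        e = { $_.operatingSystem } },
        @{ n = 'OSVersion'; e = { $_.operatingSystemVersion } },
        @{ n = 'LastLogon'; e = {
            # lastLogonTimestamp is a Windows FILETIME; empty if never logged on.
            if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
            }
        } }

"Mac computer objects found: {0}" -f @($macs).Count

# Breakdown by OS string and version, largest group first.
$macs | Group-Object OS, OSVersion |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Objects worth reviewing: disabled, never logged on, or not seen recently.
$macs | Where-Object {
        -not $_.Enabled -or -not $_.LastLogon -or $_.LastLogon -lt $cutoff
    } |
    Sort-Object LastLogon |
    Format-Table Name, Enabled, LastLogon, DistinguishedName -AutoSize

# Computer objects with no operatingSystem at all cannot be classified by
# the filter above; list them separately for manual review.
$unknown = Get-ADComputer -LDAPFilter '(&(objectCategory=computer)(!(operatingSystem=*)))'
"Computer objects with empty operatingSystem: {0}" -f @($unknown).Count
```

`lastLogonTimestamp` is replicated between domain controllers only periodically, so treat the staleness column as approximate.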

Similar Messages

  • Disabling computer account in Active Directory will still allow the workstation to log in

    I have a special scenario. A Windows 7 workstation was in lock mode (waiting for CTRL+ALT+DEL). As an administrator, I disabled the computer account, user account and even reset the password for that user and the workstation. My requirement is that the user cannot log in to the workstation again.
    However, the user is able to log in to the workstation.
    What AD registry parameter could lock down the computer completely? Or is there any parameter in GPO that could lock down the computer?
    Thanks in advance.
    Pingala
    SP

    Hello Karen,
    I am testing with the DOMAIN Account, not local account. With your instructions,
    Control Panel\All Control Panel Items\User Accounts\Manage your credentials
    Select the corresponding credential and click Remove.
    I am able to see local accounts and not the DOMAIN account locally cached.
    BTW, I am not seeing "Manage your credentials", instead, I am seeing "Manage Your Accounts" in User Accounts.
    Secondly, I am looking for a setup with AD GPO so that, for most of the Enterprise Windows 7 workstations, I would like to apply the policy across the board - "Once a workstation is disabled by the administrator, the domain user for that workstation cannot log in again - especially when the workstation is in lock mode."
    The article you cited did not give any technical details that could help me to clean both local and domain credential caching.
    Please help me with the steps how I can disable the caching for local and domain credentials on the workstation to check this manually first.
    Eventually, I would like to disable a "computer" in Active Directory that should lock down the targeted workstation for further use. Or let me know what steps are needed to lock down a workstation immediately when a user is fired, before further damage occurs to the enterprise resources.
    Thanks,
    Pingala
    SP

  • Binding MAC 9.X workstations to Windows 2003 Active Directory

    Hello all,
    Has anyone achieved success with adding/binding Mac 9.X workstations to Microsoft 2003 Active Directory? We have 25 iMAC 9.2.2 workstations (we cannot upgrade to MAC OS 10.X because of hardware limitations) on a Windows 2003 SP2 network. I know that it can work with MAC OS 10.X but I am looking for an OS 9.X solution.
    I want to be able to apply security, printer scripts for the MAC computers using the 2003 Active Directory.
    Thanks
    17" Powerbook G4   Mac OS X (10.4.4)   2 gb ram

    You don't need to do anything in AD other than create the user you want to log onto your Mac.
    http://www.makemacwork.com/bind-to-active-directory.htm

  • 10.4.6 and Active Directory Problem - Volume cannot be found??

    I have bound six 10.4.6 Macs to Active Directory. All went sweet with no problems. I have "force local home folder" off in Directory Access for AD. I can log in to the Mac no problem using any user account from AD. If I log in with a user the first time all goes well. The desktop icons show and the home directory is that of the user's network home folder and I can browse it. All good until I log out and log in again. I get the desktop icons but the user's home directory gives the error "The Volume for %username% Cannot be found" when trying to access it. I can browse the network to the user home folder without having to authenticate. The server (2003) shows no login errors, all looks fine. I have upgraded one Mac to 10.4.7 but it made no difference.
    I have installed "services for Mac and Appletalk" on the server but from what I have been told this shouldn't need to be installed, but I did as I was getting nowhere anyway.
    Any ideas?
    PowerPC   Mac OS X (10.4.6)  

    Hi Chris!
    Before I comment, I want to define a couple of things. A "Mac home folder" stores a user's files (Documents, Library, etc.). This home folder can be stored locally on the workstation or it can be stored on a server. A "Windows home folder" is defined in a user's Active Directory account and can be used as the Mac home folder or simply as a network user folder for storage.
    While the idea of a network-based Mac home folder is nice, it can be clunky simply because the entire user experience is dependent on network speed and/or good file synchronization between your server and workstation. As someone who works in a group supporting about 300 Macs, I suggest enabling local home folders and not using a network-based Mac home folder.
    Next, File Services for Macintosh (AFP protocol) built into Windows Server will not support network-based Mac home folders. This is a dead end. You can install a third party product from Group Logic called ExtremeZ-IP, which does support network-based home folders over AFP.
    Therefore, what's happening in your network is that the network-based Mac home folders are being mounted via the SMB protocol, which uses Windows style file sharing. SMB in Mac OS X is good for limited use but I wouldn't recommend it for extensive use, which would include network-based Mac home folders.
    Here's what I suggest for your AD settings: 1.) Enable local home folders. 2.) Connect via SMB. This will keep your users' Mac home folders local to the machine but if their Windows network home folder is properly defined in their AD account settings then these should automatically mount on the Desktop via SMB at login.
    If you can get your Windows home folders to mount automatically on the users' Desktops then you can experiment with synchronization. After logging in, each user can visit Apple menu --> System Preferences... --> Accounts and the synchronization options will be available. A user can synchronize all or part of his local Mac home folder to his mounted Windows home folder.
    Hope this helps! bill
    1 GHz Powerbook G4   Mac OS X (10.4.7)  

  • Java/Active Directory problem

    I have a strange problem. We have an application that we log in to through a website. The application requires Java 1.42_9 to run properly. These workstations came from Dell with Java 1.50_6 preloaded, which I removed in favor of the required 1.42_9. Everything works normally when a user logs into the workstation (WinXP SP2) as the local administrator. The problem arises when a user logs into the machine with an Active Directory account. We try to run the website to log in to our application and all we get is the red X in the upper left-hand corner of the screen. There is nothing in the Java console; it seems like Java does not even attempt to start. I am not sure what Active Directory has to do with this, but as long as we log in as a local admin everything works great. If I load Java 1.50_6 back on the workstation it works, but it takes over two minutes for Java to load, which is unacceptable. I have also tried 1.50_7 but it too takes too long to load.
    Sorry for the long-winded post, but I'm hoping someone has suggestions on why logging into Active Directory causes 1.42_9 to fail.

    Your problem is your use of these two combinations
    constrains.setSearchScope(SearchControls.SUBTREE_SCOPE);
    ctx.search("", "(objectclass=*)", constrains);
    Many LDAP servers, including Active Directory, do not permit subtree searches from the root.

  • I am getting a Changing Password Failed error when I try to join an active directory

    I had a working AD configuration under Snow Leopard. When I upgraded to Mountain Lion, my account was no longer in sync with the domain. I got the red dot on the login screen and my domain password was out of sync. I unhooked from the domain at that point. This was several months ago.
    However, over the last few weeks, I keep finding myself locked out of the domain. I suspect it's something on my Mac that is trying to use my old credentials. I was hoping to rejoin the domain and see if I could get my account back in sync. When I get a domain admin to enter his password on the Directory Utility join screen, it first notes that the computer account already exists in the domain. I tell it to continue, but I can't get past this point:
    2013-06-24 14:21:20.729935 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - Computer account either already exists or DC is already Read/Write
    2013-06-24 14:21:20.732774 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - existing record found 'CN=MYMACHINE,OU=Default,OU=Workstations,OU=MyCity,OU=North America,DC=GLOBAL,DC=OURCORP,DC=NET'
    2013-06-24 14:21:20.732822 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - switching to cache 'MEMORY:0x7faef36ed770'
    2013-06-24 14:21:20.733141 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service kdc for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.734196 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.734221 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741380 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kerberos (1.2.3.4)
    2013-06-24 14:21:20.741416 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.741619 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password
    2013-06-24 14:21:20.741637 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - trying to set password using: MS set password in realm GLOBAL.OURCORP.NET
    2013-06-24 14:21:20.741648 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - using TCP since the ticket is large: 1560
    2013-06-24 14:21:20.741665 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Trying to find service change_password for realm GLOBAL.OURCORP.NET flags 2
    2013-06-24 14:21:20.742867 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to 12
    2013-06-24 14:21:20.742908 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - connecting to host: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745231 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - host completed: tcp 10.22.94.212:kpasswd (1.2.3.4)
    2013-06-24 14:21:20.745250 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - krb5_sendto_context done: 0
    2013-06-24 14:21:20.745398 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - set password using MS set password returned: 0 result_code 3
    2013-06-24 14:21:20.745417 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - krb5_credential - Changing password failed for '[email protected]' with error '' (3)
    2013-06-24 14:21:20.745426 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - setting Computer Password FAILED for existing record - 5103
    2013-06-24 14:21:20.745818 EDT - 4934.65016, Node: /Active Directory, Module: ActiveDirectory - ODNodeCustomCall failed with error 'Credential operation failed' (5103)

    Reggierror,
    Had the same issue and discovered that I made my AD object name too long (16 characters instead of 15, which is the limit). You might want to try making the computer object name shorter if you can.

  • Beginners guide to integration with Active Directory?

    Hi (complete beginner to this, but a quick learner)
    I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
    I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
    So far, this is how I think the process goes:
    1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
    2) Get an Xserve for IT.
    3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
    4) Push out the system builds to the Macs on the network
    5) Connect the Macs using Open Directory...
    6) ...
    As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?

    pisto_grih wrote:
    Hi (complete beginner to this, but a quick learner)
    I don't know where to start with regards to getting the Macs on our network connecting like the PCs. Currently we have about 100 Macs on 10.4.x that are bound to the AD using Directory Access - users can log in, but that's about as far as integration goes. Their home folders do not "map" to the corresponding folders on the Macs, and we (as administrators) have no control over the Mac network users like we would have the local Mac users.
    And that is about as far as the Apple plugin will take you. In order to do more you need to either extend schema (very scary), look at third party products like Centrify (very expensive), or look at getting an OS X Server and implementing the "magic triangle" in which OS X attributes are managed in OD while users, groups, and password are managed by AD.
    I've been asked to look into this issue, and along with creating new modular 10.5.x system builds for all our Macs (different hardware, different software needs, different physical locations), I need to know what the next steps are. I have no experience of using Mac OS X Server or Active Directory. Besides telling me to ask the IT department to hire a Mac professional, what should I be looking into next?
    If you go the route of OS X Server and MCX settings, make life easy on yourself and build one common build. Then limit app access based on your groups. That way you can simplify the number of images you maintain down to one (provided you have appropriate licensing).
    So far, this is how I think the process goes:
    1) Ensure I have solid modular system builds ready to go for the different macs/different classrooms.
    See above. But if you need to, look at InstaDMG
    2) Get an Xserve for IT.
    Yep. But if you are only doing MCX you might want to look for a cheaper alternative. The Xserve can offer some nice additions, including software update server and Netinstall server among others.
    3) Have Open Directory integrate with Active Directory, so that the same access controls/permissions are applied to the Mac users as they are the Windows users (including Finder access controls, Application controls, folder mapping etc) - *this is where I need guidance*.
    Yep. You are on the money.
    4) Push out the system builds to the Macs on the network
    Push huh. Look at Radmind. Then take a summer off to learn it. Then become god.
    5) Connect the Macs using Open Directory...
    Actually, connect the macs to both AD and OD. This will allow authentication and instantiating through AD and management through OD. Works very well.
    6) ...
    As you can see, my knowledge kind of peters out towards the end there; is this a realistic undertaking for me (a classroom technician who happens to use Macs - NOT trained in any of this) and the Mac-phobic IT department (who would prefer switching all of our workstations to PC)? Are we going to have to bite the bullet and get some expensive consultants in?
    It is learnable especially with the summer and available hardware. However, supporting the consulting industry is always nice http://consultants.apple.com
    Hope this helps

  • Not able to open active directory user and computer in windows server 2008r2

    Hi All techies,
    I would like to ask about one issue which I am facing mostly. I have created 5 virtual machines, all with Windows Server 2008 R2, and one Windows 7, on VMware. Whenever I start my virtual machines everything goes right, but when I try to open Active Directory Users and Computers or Domains and Trusts I get the following error: "data from active directory user and computers is not available from dc(null) because unspecified error". Even when I check the event log it gives me no help, and after 15-30 min everything works well.
    Please let me know the cause of it; I would really appreciate it.
    Thanks
    Atul

    You need to ensure that
    1. The group policy that says "wait for network before logon" is applied to all computers, including servers and workstations
    2. DNS record exists for all DCs in DNS
    3. If there are multiple Domain Controllers in Forests, then they point them as secondary DNS server. This way they will be able to resolve IPs if local DNS server service takes time to start.
    As Chris mentioned, you need to start all DCs first, give a time of 5 minutes and then start member servers and workstations for successful logon.
    - Sarvesh Goel - Enterprise Messaging Administrator

  • Active Directory Time Error

    The last 3 days or so random Macs from our 350 or so here have been falling off our Active Directory domain. When trying to unbind/rebind them Directory Utility tells me all about how AD "only permits slight variations between clocks on your computer and the AD server." This I know - Kerberos will only allow up to 5 mins difference between a workstation and the server. For this reason we sync the server (main domain controller) with a network time service, and sync all workstations and other servers to that server. This has never been a problem, and indeed works fine - the time on the workstation exactly matches the server time/time zone/date, etc.
    So why is the AD plugin (and Kerberos) telling me that the clocks are out of sync when they patently are not?
    This is happening with Macs of all kinds - 10.3 to 10.5, Intels, PPCs, everything.
    My current workaround is to stop the Mac getting its time from the server, changing the clock by a couple of seconds, and then re-binding. This generally works. The odd ones that this doesn't work on, or that fall off the domain again within 24 hours, I've removed from AD and have given local logins to for now. I'm getting to the point where I just want to scrap AD integration and get every machine locally authenticating!
    Our AD guys swear there have been no patches or changes on their end. I am equally certain there have been no changes to the Macs. So what could it be???

    Thank you, this has (again, indirectly) solved the problem. I had asked our network administrator to check the time on both domain controllers a couple of weeks ago when the issue started. He had only checked the primary, assuming that the second DC was syncing time with that. Your helpful post prompted me to go check it myself and I found a 6 minute difference between the two. Manually resetting the second DC to the same time as the first fixed the problem.
    Now Mr Network Admin is left with the task of working out why dc2 isn't getting the right time. Me, I'm thankful that it's not my problem any more and just have the task of rebinding 60 or 70 machines.
    Thanks!
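A check for the failure described in the thread above (a second domain controller drifting past the Kerberos tolerance while the primary stays correct), as an added example that is not part of the original posts. It assumes the RSAT ActiveDirectory module, English-language `w32tm` output, and uses the 5-minute tolerance quoted in the question.

```powershell
# Added example: measure every DC's clock against the local clock and
# report the spread between DCs. Offsets are relative to the machine
# running the script, so the DC-to-DC difference is (max - min).
Import-Module ActiveDirectory

$maxSkewSeconds = 300   # Kerberos tolerance cited in the thread (5 minutes)
$inv = [Globalization.CultureInfo]::InvariantCulture

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    $target = "/computer:$($dc.HostName)"
    # One NTP sample; a data line looks like "14:21:20, +00.0012345s".
    $out = & w32tm /stripchart $target /samples:1 /dataonly 2>&1
    $hit = $out | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' |
           Select-Object -Last 1

    $offset = $null
    if ($hit) {
        $offset = [double]::Parse($hit.Matches[0].Groups[1].Value, $inv)
    }

    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        OffsetSeconds = $offset          # $null means the DC did not answer
        Reachable     = [bool]$hit
    }
}

$results | Sort-Object OffsetSeconds | Format-Table -AutoSize

$measured = @($results | Where-Object Reachable)
if ($measured.Count -ge 2) {
    $stats  = $measured | Measure-Object OffsetSeconds -Minimum -Maximum
    $spread = $stats.Maximum - $stats.Minimum
    "Largest difference between any two DCs: {0:N1} s" -f $spread
    if ($spread -gt $maxSkewSeconds) {
        Write-Warning "DC clocks differ by more than $maxSkewSeconds s; clients may fail Kerberos depending on which DC they reach."
    }
}

# A DC that does not answer NTP is worth a look on its own.
$results | Where-Object { -not $_.Reachable } |
    ForEach-Object { Write-Warning "No time sample from $($_.DC)" }
```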

  • Active Directory & Open Directory integration

    Hello,
    Here is the scenario I would like to accomplish. let me know if its possible or not.
    Currently I have a cluster of domain controllers on a fairly large Active Directory domain. We have a lot of Mac clients that are running totally independent and want to get them on the domain.
    On the mac side, we want to run some mac services such as ichat server and get some of the other open directory features.
    So is it possible to do this:
    (Ad Domain) - one way replication -> (OD server) -> Mac Clients
    Basically I would like to have an OpenDirectory server for the mac workstations, is there anyway to replicate all the users from the AD server? Then be able to specify the mac related options such as ichat on the OD server? Maybe I am going at this the wrong way, let me know!
    Thanks
    Nick
    xServe   Mac OS X (10.4.6)  

    Hi dani190,
    are you using the fully qualified domain name of the network server? ie if your server is bob. and your domain is domain.company.com. then the FQDNS would typically be bob.domain.company.com or bob.company.com.
    If the FQDNS works, then have you checked in the AD to make sure the path to the network home folder uses the FQDNS?
    For the contact search path, did you put the AD at the top the list? (in directory utility)
    Did you set the WINS work group on your client computer to your domain?
    ie:Apple Menu, System Preferences, Network, Active Network Port (ethernet and or airport) , Advanced Button, WINS Tab, set workgroup to the name of your domain. ie domain.company.com and or company.com

  • User login report in Active Directory for specific date and time

    I want to get a user login report in Active Directory for a specific date and time, e.g. user logged in at 15-01-2015 from 8:00am to 4:00pm.
    Is there any query, script or tool available?
    Waiting for reply please

    You can identify the last logon date and time using my script here: https://gallery.technet.microsoft.com/scriptcenter/Get-Active-Directory-User-bbcdd771
    If you would like to go back in time and see when the user did a logon / logoff then you need to have auditing enabled. Once done, you can get records from the Security log in the event viewer: https://social.technet.microsoft.com/Forums/windowsserver/en-US/98cbecb0-d23d-479d-aa65-07e3e214e2c7/manage-active-directory-users-logon-logoff-events
    I have started a Wiki about how to track logon / logoff and it can help too: http://social.technet.microsoft.com/wiki/contents/articles/20422.record-logon-logoff-activities-on-domain-servers-and-workstations-using-group-policy.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • Active Directory and Windows Share

    I have several Mac labs that are working perfectly with the Active Directory client in OS X 10.4.9. I recently made a change to the client and am now creating local home folders for users. Using the network home folders slowed the boot process and affected certain applications when pref files were not deleted properly from the Windows share.
    What I would like to do now is have 2 or 3 windows shares mounted automatically for ALL users who log into a computer. Ideally the mounts should be done with the username and password of the user who just authenticated.
    Does anyone have any suggestions on how this could be accomplished?
    Thank you.

    This should be possible using Mac OS X Server in a Golden (or Magic) Triangle scenario with your Active Directory network. This means your Macs would use AD for authentication but your Mac OS X Server would control workstation settings such as auto-mounting drives. The settings could be applied to users and groups from Active Directory.
    Hope this helps! bill
    1 GHz Powerbook G4   Mac OS X (10.4.9)  

  • Can't connect to Small Business Server 2003 via Active Directory

    I have done lots of searching, both in these forums and the wider internet, and cannot find a solution to my specific problem.
    I am trying to connect my G5 (10.3.9) to a Windows network. We have a Microsoft Small Business Server 2003 with Active Directory. The PCs have no problem using this, and I can connect to shares setup on the server via AFP.
    But I am having problems when I try to configure the AD plug-in in Directory Access on the Mac. When I click 'Bind', I enter the Server's Administrator username & password and when I click 'OK', it gets to Step 3 of 5 "Verifying Credentials". It ticks away at this step for about 30 seconds, then comes up with error message saying "Invalid user name and password combination."
    I have tried other users with admin privileges, but they don't work either. I know the usernames and passwords aren't invalid, because I created them. I have tried fiddling around with other settings in the AD setup, but nothing gets any further.
    Without any other 3rd party software (that's my final option), is there something I need to check/change, either on the Mac or the server, to make this Mac to authenticate via AD? Please help!

    Hi Andbrowny, thanks for your response.
    Your advice didn't really help my Active Directory problem (AD doesn't require SMB does it?), but it gave me some progress on my SMB problem. I can connect via AFP, but previously when I tried to connect via SMB, it kept coming up with the error "Could not connect to the server because the name or password is not correct".
    Now, after changing the policies on the server, I get an error -43 message saying "The operation could not be completed because one or more required items cannot be found."
    So now I have two problems! SMB is not finding something it needs, and Active Directory is not "verifying credentials".
    Actually, I have three problems: When I am connected via AFP, filenames over 31 characters long are truncated on the server, and I can't copy long filenames onto the server without renaming them. I have read that SMB would fix this to a degree (256 characters for the complete file path), but is there anything (a protocol or software) that allows long filenames to be read/written with ease?
    Side note: The server is not 100% configured, the bloke installing it still has some work to do, but Active Directory works for all the XP machines, and I can connect to each XP workstation with SMB.

  • Creating active directory users with dscl

    Our mac workstations (OSX 10.8) are bound to a 2008 Active Directory server.  We are attempting to use some existing dscl scripts on the mac client computer to create Active directory users.  We can successfully read and change AD attributes of an existing user with dscl, but creating new users or new attributes for an existing user gives us an error.  Here are some examples.
    SUCCESSFUL READ OF AD USER ATTRIBUTE:
    root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -read /Users/jholmes SMBHomeDrive
    Password:
    SMBHomeDrive: H:
    root#
    SUCCESSFUL DELETE OF ABOVE USER ATTRIBUTE
    root# dscl -u administrator  "/Active Directory/CXAD/All Domains" -delete /Users/jholmes SMBHomeDrive
    Password:
    root#
    FAILED ATTEMPT AT RE-CREATING THE DELETED ATTRIBUTE
    root# dscl -u administrator "/Active Directory/CXAD/All Domains" -create /Users/jholmes SMBHomeDrive
    Password:
    <main> attribute status: eDSInvalidRecordType
    <dscl_cmd> DS Error: -14130 (eDSInvalidRecordType)
    root#
    The same error occurs when attempting to create a new user.  Any ideas?  Thanks in advance for any suggestions.

    In the end I could not find them; account info is ONLY stored locally in Open Directory when they have mobile accounts.
    However, I found I could migrate their user directories in Terminal via ditto ( I connected the old macs via Firewire Target mode) , and when they log in all their stuff and settings are there.
    the command is: ditto /Volumes/<old mac hard drive>/Users/<username> /Users/<username>

  • Best way to implement active directory in multiple locations

    Hi,
    Currently we don't have an active directory domain and looking in to configuring a test setup for it.
    We have 6 countries and in some countries we have 2 to 3 sites. There is a constant VPN connection between all the locations.
    Our users are travelling between the sites. IT is managed from a central location and have one IT responsible on each site which also have to create / modify users. 
    Should we go for one domain with a domain controller in each site? Or should we go for a parent DC at central location with child DC (sub domains) at the other sites?
    What are the pro's and cons of each scenario?
    Kr,
    Joeri

    Hi jfeyen,
    I think you have some misunderstanding about OU and site in AD.
    OU is the purpose container that can be used to group most other object classes together for administrative purposes. An organizational unit in Active Directory is analogous to a directory in the file system; it is a container that can hold other objects.
    And it represents the logical structure of your organization as domain.
    Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. A site is a set of well-connected subnets. Sites differ from domains.
    For your information, please refer to the following articles:
    Organizational Units
    http://technet.microsoft.com/en-us/library/cc978003.aspx
    Sites overview
    http://technet.microsoft.com/en-us/library/cc782048(v=ws.10).aspx
    So if a user or a computer connected to the domain, he will be located in the OU which is configured. And this will not change except the configuration changes.
    As for the question If we use site & services our workstations will automatically find the right DC?, please refer to the following article:
    Finding a Domain Controller in the Closest Site
    http://technet.microsoft.com/en-us/library/cc978016.aspx
    Regards,
    Lany Zhang
