You could, I'm sure, use 3 of the available custom fields within AD, and populate them with a status word, and use a script or third party tool to automate the process. The logic flow is as follows:
1.) Change Custom Field 1 to In Transit or something.
2.) Set the second field to the target domain name and leave blank if same name.
3.) Set the third field to the target OU.
4.) A scheduled job runs across all domains and finds all user objects where the 1st custom field is "In Transit". Once it's found all the objects it does a bulk move of them to the new OU and possibly initiates a MB move depending on Exchange Admin groups/security boundaries.
5.) Doing cross domain moves might be a bit more complicated and will probably need a 3rd party tool of some sort such as NetIQ Migration Suite or something similar. However the same logic applies.

Anyone else got any ideas?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 04 March 2005 11:14 PM
To: [email protected]
Subject: RE: [ActiveDir] User moves in a large environment

It also solves the security issue(s) for what it's worth. That way OU owner permissions don't need to be modified and you can still accomplish the tasks at hand.

Like I said, fun stuff to get into. I'm sure there's plenty more detail, but based on the problem presented I think that can help solve the issue and reduce the error rate while reducing the administrivia as much as possible in the given environment.

Was there something else that needs to occur that we're not aware of that would change this proposed solution? I would guess that there are other ways to solve this as well; this was just one idea.

-ajm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Friday, March 04, 2005 4:08 PM
To: [email protected]
Subject: RE: [ActiveDir] User moves in a large environment

In that case then I think Al is on the right track: go with an automated workflow approach so that there doesn't need to be any admin intervention. A typical approach I think would be a good idea is to queue those changes up and process them all once a night.
Follow whatever workflow makes sense for your group, but a web based utility with some approvals required (as Al mentioned) is probably the right way to deal with this. That takes the workload off the Admins and places it on the users.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Friday, March 04, 2005 4:03 PM
To: [email protected]
Subject: RE: [ActiveDir] User moves in a large environment

15000 users moving at any one time was a conservative estimate. Most users are Military and Government

> -------- Original Message --------
> Subject: RE: [ActiveDir] User moves in a large environment
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> Date: Fri, March 04, 2005 1:10 pm
> To: [email protected]
>
> 15000 users on the move at any given time?
>
> Anyway, for the move between OU's, have you considered a self-serv app or something that's (semi)automated inside of the move process? I haven't been in that large environment in a while, but seems that might make sense for between OU movement at the least. That would take the process rights from the OU owners up to another level for workflow etc. I would guess that something that had an approval process would work (i.e. Request to move user1 from OU1 to OU2 -> ask OU2 owners for approval first) and so on. Might be controlled by your move coordinators or however that fits in your process.
>
> Domain moves: I could see using an automated or semi-automated process vs. the current hand-off process if your structure is stable enough to do so. It might be that it removes the account object and moves it to the staging OU in the target domain and sends a task, email or whatever if that's what you need. Workflow checks and balances for this as well.
>
> You will want to capture mail data and attributes I would guess but that depends on the move criteria and depth I would imagine.
>
> Automating it would make much more sense and you could orchestrate a series of events that are automated and checked to gather the appropriate information (files, attributes you intend to keep, etc) and move it where it belongs.
>
> Some of this would depend on the current provisioning processes you keep as to how you integrate it.
>
> These are the fun types of problems to solve :)
>
> My $0.04 anyway,
>
> Al
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
> Sent: Friday, March 04, 2005 2:47 PM
> To: [email protected]
> Subject: [ActiveDir] User moves in a large environment
>
> To All:
>
> (Sorry for the long post)
>
> I was wondering what everyone uses to facilitate user moves in a large environment?
>
> Scenario: Root domain with six (6) child domains. Each child domain has between thirty (30) to sixty (60) OUs. These OUs are geographic locations spread around a region. Each OU is managed by an IT Team that only has rights to their OU, IT Teams do not cross manage to other OUs.
>
> I need to develop or discover a way to facilitate user moves from one (1) OU to another in the same domain and to another domain. Our environment should have about 300,000 users and about five (5) percent is on the move from one (1) OU to another or from one (1) domain to another.
>
> In the old days, pre-2000, the process was to delete the user when they departed and recreate the user when they arrived.
>
> We do not yet have Exchange 2003 deployed but I can see it happening very very soon.
>
> Using a whiteboard (allows lots of erasing) I devised an OU structure that allowed the departing IT Team to place the user into an OutProcessing OU once the departing user fully outprocessed their current home. (I figure the departing user is removed from every domain security group except the Domain Users group).
>
> ATAMO
>
> The user is moved from the OutProcessing OU in one domain to the InProcessing OU of another domain. The user arrives at their new location, the local IT Team retrieves the user from the Inprocessing OU and places them in their new Home OU.
>
> Now, my PHBs have freaked out because we are not staffed for this kind of mission but, the customers are screaming at us to provide this service. I know I can permission the OUs to allow SOMEONE the rights to move users from one OU to another, even if the OU resides in a different domain. But the PHBs are screaming they do not want to take on this kind of mission, their thought is to continue to do things like we "did in the past".
>
> I guess my main question is this: is anyone else required to move users around in a large environment and if so, how are they doing it?
>
> TIA
>
> Daniel
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
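
The scheduled-job flow from the first message in this thread (status field, target-domain field, target-OU field), as an added PowerShell example that is not part of the original messages or any poster's code. It assumes the three custom fields are extensionAttribute1 to extensionAttribute3 and uses placeholder domain and OU names. It also adds an approved-OU check that the thread does not describe, because the job runs with wider rights than the OU teams who fill in the fields.

```powershell
# Added example: nightly job that moves users flagged "In Transit" (same-domain moves only).
# Assumptions: the three "custom fields" are extensionAttribute1..3 (present only when the
# schema carries those attributes); the domain name and approved OU list are placeholders.
Import-Module ActiveDirectory

$Domain      = 'child1.example.com'        # placeholder domain
$StatusAttr  = 'extensionAttribute1'       # field 1: status word
$DomainAttr  = 'extensionAttribute2'       # field 2: target domain, blank = same domain
$TargetAttr  = 'extensionAttribute3'       # field 3: target OU as a distinguished name
$ApprovedOUs = @(                          # the only containers the job will move users into
    'OU=SiteA,DC=child1,DC=example,DC=com',
    'OU=SiteB,DC=child1,DC=example,DC=com'
)

function Test-MoveRequest {
    # Returns $null when the request is acceptable, otherwise the reason it is rejected.
    param($User)
    $targetDomain = $User.$DomainAttr
    $targetOU     = $User.$TargetAttr
    if ($targetDomain -and $targetDomain -ne $Domain) { return 'cross-domain move, handled by a separate process' }
    if (-not $targetOU)                               { return 'no target OU set' }
    if ($ApprovedOUs -notcontains $targetOU)          { return "target OU not on approved list: $targetOU" }
    return $null
}

# Step 4 of the flow: find every user whose status field reads "In Transit".
$pending = Get-ADUser -Server $Domain -LDAPFilter "($StatusAttr=In Transit)" `
                      -Properties $StatusAttr, $DomainAttr, $TargetAttr

foreach ($user in $pending) {
    $reason = Test-MoveRequest -User $user
    if ($reason) {
        Write-Warning "SKIP $($user.SamAccountName): $reason"
        continue
    }
    try {
        Move-ADObject -Server $Domain -Identity $user.ObjectGUID `
                      -TargetPath $user.$TargetAttr -ErrorAction Stop
        # Clear the three fields by GUID, since the DN changed with the move.
        Set-ADUser -Server $Domain -Identity $user.ObjectGUID `
                   -Clear $StatusAttr, $DomainAttr, $TargetAttr -ErrorAction Stop
        Write-Output "MOVED $($user.SamAccountName) -> $($user.$TargetAttr)"
    }
    catch {
        Write-Warning "FAIL $($user.SamAccountName): $($_.Exception.Message)"
    }
}
```

Rejected and failed requests keep their "In Transit" flag, so they show up again on the next run and in the warning stream for review.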
