Add Computer to specific OU based on current user's OU
If such a thing is possible, I would like to delegate control to what would be an OU Admin. That OU Admin would reside inside of the OU which he administers. When this admin joins a computer to the domain, I would like the computer to automatically appear in the OU we have created within this admin's own OU.
So we have "Forest\BigDomain\TinyOU" with OUAdmin inside it who joins OUComputer to BigDomain. That computer needs to appear in the "Forest\BigDomain\TinyOU\TinyOUComputers" organizational unit. Essentially, whatever OU a specific OU admin belongs to, the computer accounts need to appear in that same OU.
Any advice? Pre-creating the computer accounts in the proper OU is on the table, but I am looking for a solution that analyzes the current OU of the admin and creates new computer accounts in that same OU.
July 31st, 2012 1:02pm
Hello,
Without pre-creating them there is no way to differentiate machines in OUs. The tool REDIRCMP will only specify ONE OU for all joined machines.
Or you run scripts that check the Computers container and move machines to the required OUs, but this still requires manual interaction to assure the machines are in the correct OU.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
July 31st, 2012 1:48pm
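The second suggestion in the reply above (a script that sweeps the Computers container and moves machines) can be made to key off the joining admin's own OU, because a DC stamps the `mS-DS-CreatorSID` attribute on a computer account that a user creates through the `ms-DS-MachineAccountQuota` join path. The following is an added example written for this thread; it is not code from the original posters or a Microsoft tool. It assumes the child OU is named TinyOUComputers and already exists under the admin's OU, and that the admin joined the machine via the quota path (if the admin holds explicit Create-Child rights on the container, `mS-DS-CreatorSID` is not written and the machine is left alone). The `$AllowedSubtree` fence is also an assumption of the example: it stops a creator located outside the delegated area from pulling a machine into an unexpected OU.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example for a scheduled task (every N minutes): move machines that were
  joined into the default Computers container to "<creator's OU>\TinyOUComputers".
  Hypothetical names: TinyOUComputers, $AllowedSubtree. Run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Child OU (inside the creator's own OU) that receives the computer account
    [string]$ComputerChildOu = 'TinyOUComputers',

    # Safety fence: only move into OUs under this DN (defaults to the domain root)
    [string]$AllowedSubtree
)

Import-Module ActiveDirectory

$domain = Get-ADDomain
if (-not $AllowedSubtree) { $AllowedSubtree = $domain.DistinguishedName }

# Default join target unless REDIRCMP pointed it elsewhere
$joinContainer = $domain.ComputersContainer

function Get-ParentDn {
    param([Parameter(Mandatory)][string]$Dn)
    # Strip the leading RDN; "(?:[^,\\]|\\.)+" also steps over escaped commas in a CN
    return ($Dn -replace '^[A-Za-z]+=(?:[^,\\]|\\.)+,', '')
}

function ConvertTo-Sid {
    param([Parameter(Mandatory)]$Raw)
    # The AD module may return the attribute as a SecurityIdentifier or as raw bytes
    if ($Raw -is [byte[]]) {
        return New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @($Raw, 0)
    }
    return [System.Security.Principal.SecurityIdentifier]$Raw
}

# Only machines that carry a creator SID are candidates; accounts created by a
# principal with explicit Create-Child rights have no mS-DS-CreatorSID and stay put
$pending = Get-ADComputer -SearchBase $joinContainer -SearchScope OneLevel `
    -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID'

foreach ($computer in $pending) {
    $sid = ConvertTo-Sid $computer.'mS-DS-CreatorSID'

    try {
        $creator = Get-ADUser -Identity $sid.Value
    } catch {
        Write-Warning "$($computer.Name): creator $($sid.Value) is not a user object, skipping"
        continue
    }

    # The admin's own OU is the parent of his user object
    $creatorOu = Get-ParentDn $creator.DistinguishedName
    if ($creatorOu -notmatch '^OU=') {
        Write-Warning "$($computer.Name): creator $($creator.SamAccountName) sits in a container, not an OU ($creatorOu), skipping"
        continue
    }

    $targetOu = "OU=$ComputerChildOu,$creatorOu"

    # Refuse anything outside the delegated subtree (-notlike is case-insensitive)
    if ($targetOu -notlike "*,$AllowedSubtree") {
        Write-Warning "$($computer.Name): $targetOu is outside $AllowedSubtree, skipping"
        continue
    }

    try {
        $null = Get-ADOrganizationalUnit -Identity $targetOu
    } catch {
        Write-Warning "$($computer.Name): target OU $targetOu does not exist, skipping"
        continue
    }

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Move to $targetOu")) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $targetOu
    }
}
```

The account the task runs under needs only Move rights from the Computers container into the TinyOUComputers OUs, not broader delegation; run the script once with `-WhatIf` to confirm which machines would move before scheduling it.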
So, just to clarify this for myself... There is *no way* for a user to join a computer to the domain and that computer be automatically moved into an OU based upon any Active Directory attributes that the user may have? Which is to say, that even the custom attributes that can be configured in a user's Active Directory profile cannot in some way be detected and, by policy, direct that user's joined computers to a specific OU?
I must also ask, do you know of any Powershell scripts or script examples that I could use by maybe running them every N minutes to detect and move objects based on the aforementioned attributes and/or requirements?
August 4th, 2012 1:42pm
Hello,
You cannot use user attributes on the computer object, which basically does not exist at the time you join it.
And before you can use any attribute, the object must exist in AD BEFORE you can trigger something with scripts.
I am pretty sure you can use it, but questions about PowerShell you should better ask in
http://social.technet.microsoft.com/Forums/en/winserverpowershell/threads
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
August 4th, 2012 4:48pm