When using a "Configure Computer" or "Apply System Configuration" task to join client computers to an Active Directory (AD), they do not correctly join when specifying one or more Organizational Units (OUs).

Symantec Agent Logs will show a failure with little or no additional information.

The NetSetup.LOG (default location: C:\Windows\debug\)

A specific syntax must be used when client machines are added to an OU.

Detailed below are a few example cases that show how to use the "Apply System Configuration" task with domain and/or OU joins in the Active Directory. For each of these cases, we will be using an Active Directory with the following structure:

domain.environment.local
└ OU 1
   └ OU 2
          └ OU 3
└ OU A

Case 1 - Joining a client machine to the root of the domain*

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box with the domain in the following format: domain.environment.local
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain
• Click "OK"

Case 2 - Joining a client machine to an OU that is one level deep 

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box next to "Domain:" with the domain in the following format: domain.environment.local
• Populate the text box next to "Organizational unit:" with the OU in the following format: OU 1
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain and specific organizational unit
• Click "OK"

Case 3 - Joining a client machine to an OU that multiple levels deep

• In the "Apply System Configuration" task, select the radio button next to "Domain:"
• Populate the text box next to "Domain:" with the domain in the following format: domain.environment.local
• Populate the text box next to "Organizational unit:" with the OU in the following format: OU 1/OU 2/OU 3
• Provide the credential area with a domain account with sufficient privilieges to join the client to the domain and specific organizational unit
• Click "OK"

* This can only be done to client machines that are not presently in the domain. If the client is already joined to the domain and in an organizational unit, it cannot be moved to the root of the domain again. It will instead be moved to the lowest-level organizational unit in its current path, e.g., if the client were in OU 3, it would be moved to OU 1.

Applies To

Deployment Solution 7.1 (All builds)