K2000 post install task scripts for domain computer management (Win10)
In our environment all computers are named after the service tag (BIOS serial number). I have a post install PowerShell script that renames the computer to the BIOS serial with a wmic command and joins the domain. The issue is that if the name already exists on the domain it will fail. Our helpdesk can remove computers from the domain, but if they forget, it causes the post task to error (computer object name exists already). So I modified the PowerShell script to:
1. Join Domain
2. Remove computer from domain that matches serial number
3. Rename computer to serial number
It all worked until I realized I was testing the script on a machine with RSAT tools, which provide the AD module for PowerShell. A newly imaged machine doesn't have this ability, and our security disables WinRM so I cannot use PS remoting either.
Is there any method to use the AD module during post image for these types of tasks? If not possible, what kind of scripts can do similar things? I also want the imaged computer to be added to an AD group that enables BitLocker (we only want this on new machines now for testing).
What is best practice for this? Is it possible to perform similar functions with CMD? I think netdom is not supported on Win10, right? I am trying to automate more of our tasks to reduce errors and time. Any suggestions? Thanks!
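The three steps in the question (plus the BitLocker group membership) can be done on a freshly imaged Win10 machine without RSAT or WinRM, because the .NET System.DirectoryServices classes ship with every Windows install and talk LDAP directly. The script below is an added example, not code from the original post or from the KACE project; the domain name, staging OU, group DN and service account are placeholder assumptions, and the password prompt stands in for whatever credential source the post-install task actually provides.

```powershell
# Added example (not from the original post): rename, clean up a stale object, join,
# and add the machine to a BitLocker group using only System.DirectoryServices.
# All names below are assumptions; replace them with your own values.
param(
    [string]$Domain           = 'corp.example.com',                                        # assumption
    [string]$StagingOU        = 'OU=Staging,DC=corp,DC=example,DC=com',                    # assumption
    [string]$BitLockerGroupDN = 'CN=BitLocker-Pilot,OU=Groups,DC=corp,DC=example,DC=com',  # assumption
    [string]$JoinUser         = 'corp\svc-imagejoin'   # assumption: delegated join account, not a domain admin
)

# In a real post-install task the credential comes from the task runner; the prompt is for illustration.
$SecurePw = Read-Host -Prompt "Password for $JoinUser" -AsSecureString
$Cred     = New-Object System.Management.Automation.PSCredential($JoinUser, $SecurePw)
$PlainPw  = $Cred.GetNetworkCredential().Password   # DirectoryEntry needs the plain string for the bind

# 1. Derive the target name from the BIOS serial (service tag) and sanitise it for NetBIOS.
$Serial  = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$NewName = $Serial -replace '[^A-Za-z0-9-]', ''
if (-not $NewName) { throw 'BIOS serial number is empty; refusing to continue.' }
if ($NewName.Length -gt 15) { $NewName = $NewName.Substring(0, 15) }   # NetBIOS name limit

function Get-ComputerObject {
    param([string]$SamName)
    # Bind with explicit credentials: the machine is not yet domain-joined, so there is no Kerberos ticket.
    $Root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", $JoinUser, $PlainPw)
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    $Searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$SamName`$))"
    $Searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return $Searcher.FindOne()
}

# 2. Remove a stale computer object with the same name, if one exists.
$Existing = Get-ComputerObject -SamName $NewName
if ($Existing) {
    $Dn = $Existing.Properties['distinguishedname'][0]
    Write-Host "Removing stale computer object $Dn"
    $Entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn", $JoinUser, $PlainPw)
    $Entry.DeleteTree()   # also removes child objects (e.g. escrowed BitLocker recovery information)
}

# 3. Rename and join in one call; -NewName avoids the rename-before-join ordering problem.
Add-Computer -DomainName $Domain -Credential $Cred -NewName $NewName -OUPath $StagingOU -Force

# 4. Add the new computer object to the BitLocker pilot group.
$Created = Get-ComputerObject -SamName $NewName
if (-not $Created) { throw "Computer object $NewName not found after join." }
$ComputerDn = $Created.Properties['distinguishedname'][0]
$Group = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$BitLockerGroupDN", $JoinUser, $PlainPw)
$Group.Properties['member'].Add($ComputerDn) | Out-Null
$Group.CommitChanges()

Restart-Computer -Force   # the new name and group membership take effect after reboot
```

Two points worth checking before using this pattern. DeleteTree drops everything under the stale object, including any msFVE-RecoveryInformation children, so if recovery keys are escrowed in AD it is usually better to give the join account reset-password/write rights on the staging OU so the existing object is simply reused (the approach the first answer describes) rather than deleted. Either way the join account only needs the delegated create/delete/write rights on that OU and write-member on the one group, not domain admin.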
Answers (2)
The user you are joining the domain with probably needs more rights. We are a college and reimage classrooms all the time. We do not remove machines from AD because the new machines would have to be added to our security and printer groups. Also, if the name existed already in the containers where we wanted them, the join would use that name instead of creating one in the default container, and we would have to move it. When we get new machines we sometimes have to reset that object in AD.
When that happened here, it was the user we used to join the machines to the domain.
The AD crew may need to allow that user to modify existing objects and delete existing objects, as well as create them.
We use a simple VBS script and the machines join without a problem in the container we expect.
' Flags for Win32_ComputerSystem.JoinDomainOrWorkGroup (FJoinOptions)
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144
strDomain = "tmccadmn.tmcc.edu"
' Prompt for the account that has rights to create (and reset) computer objects
WScript.StdOut.Write("Enter Authorized User ")
WScript.StdIn.Read(0)
strUser = WScript.StdIn.ReadLine()
' ScriptPW.dll is not shipped with Vista and later; it must be registered on the image for this to work
Set ScriptPW = CreateObject("ScriptPW.Password")
WScript.StdOut.Write("Enter password ")
strPassword = ScriptPW.GetPassword()
WScript.StdOut.WriteLine ""
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
' Bind to the local Win32_ComputerSystem instance via WMI
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
strComputer & _
"\root\cimv2:Win32_ComputerSystem.Name='" _
& strComputer & "'")
' Arguments: domain, password, user (DOMAIN\user), account OU (Null = default container), options
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
strPassword, _
strDomain & "\" & strUser, _
Null, _
JOIN_DOMAIN+ACCT_CREATE)
' 0 means success; any other value is a Win32/NetAPI error code
WScript.Echo "JoinDomainOrWorkGroup returned " & ReturnValue
You might be facing the issue described here:
https://support.quest.com/kace-systems-deployment-appliance/kb/155655/k2000-join-domain-powershell-script-for-when-machine-record-already-exists
In regard to BitLocker, a separate PowerShell script as a Post Install task should do it.