Join Domain KACE script - Delegating AD rights
My AD admin has requested that we delegate rights to our desktop team to each individual computer as it joins the domain. Is there a way to do this as part of the KACE join domain script? My script is currently running successfully on Windows XP machines. I just need to know if I can add the option to delegate AD rights.
Thanks,
awingren
Here's what my scripts look like now:
JoinDomain_x86.bat:
REM ***** Join a Windows x86 computer to the domain *****
REM ***** Join_Domain.vbs <domain> <DomainUser> <password> <OU> <Default domain DNS Server IP> *****
C:\source\Join_Domain.vbs somewhere.net kace **** "OU=kace Workstations,DC=somewhere,DC=Net" 10.1.xx.xx
REM ***** Turn off auto-logon and clear the stored logon name/password (empty string clears the value) *****
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "" /f
REM ***** Delete the staging folder (scripts and the join credentials) on the next boot *****
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v V1 /t REG_SZ /d "CMD /C \"rd /s /q C:\source\""
Join_Domain.vbs:
Option Explicit

' Option flags for Win32_ComputerSystem.JoinDomainOrWorkGroup
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

Dim strDomain, strUser, strPassword, strOU, strDNSIP
Dim objShell, objNetwork, objComputer, strComputer, ReturnValue

' Usage: Join_Domain.vbs <domain> <DomainUser> <password> <OU> [<DNS server IP>]
If WScript.Arguments.Count < 4 Or WScript.Arguments.Count > 5 Then
    WScript.Echo "Usage: Join_Domain.vbs <domain> <DomainUser> <password> <OU> [<DNS server IP>]"
    WScript.Quit 1
End If

strDomain   = WScript.Arguments.Item(0)
strUser     = WScript.Arguments.Item(1)
strPassword = WScript.Arguments.Item(2)
strOU       = WScript.Arguments.Item(3)

' Optional fifth argument: set a static primary DNS server so the domain
' can be resolved before the join. Wait for netsh to finish before continuing.
If WScript.Arguments.Count = 5 Then
    strDNSIP = WScript.Arguments.Item(4)
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "netsh int ip set dns ""local area connection"" static " & _
        strDNSIP & " primary", 0, True
End If

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

' Join the domain and create the computer account in the requested OU
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, _
    strDomain & "\" & strUser, _
    strOU, _
    JOIN_DOMAIN + ACCT_CREATE)

' 0 means success; anything else is a Win32/NetAPI error code.
' Report it and pass it back to the calling batch file as the exit code.
WScript.Echo "JoinDomainOrWorkGroup returned " & ReturnValue
WScript.Quit ReturnValue
Answers (1)
I would use a GPO for this.
http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain
Comments:
Thanks, dugullet!
This seems like a better solution to me. I'll talk to the AD admin about that.
- awingren 11 years ago
It looks like we already use a GPO for local admin. That GPO doesn't solve for AD computer object delegation. Our AD admin thinks there's a way to just force inheritance instead of including it in the join domain script.
I'll post here if we figure it out.
Thanks again for your help.
- awingren 11 years ago
So if your actual need is to delegate administration privileges over the AD objects for the computers, you wouldn't do that for each object, or at least you would not want to do it that way.
Desktops should be in a collection of OUs to which the desktop support team is delegated computer object admin privileges. It makes sense to also delegate computer object management to them for the default computer container so that they can move the desktop computers into the appropriate OUs for long-term management, for those times when they are not being added into the correct containers when joined to the domain. - andy_mcconnell 11 years ago
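One way to set up the OU-scoped delegation described in this answer, as an added PowerShell example that is not from the thread or from KACE: it grants a delegate group create/delete rights for computer objects in the OU plus full control over the computer objects beneath it, then lists any computer objects in that OU that block inheritance (the "force inheritance" question raised in the comments above). The group name DesktopSupport is assumed; the OU distinguished name is the one used in the question's join script.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module,
# a group named "DesktopSupport" and the OU DN from the question's script.
Import-Module ActiveDirectory

$group = Get-ADGroup 'DesktopSupport'                   # assumed delegate group
$ouDN  = 'OU=kace Workstations,DC=somewhere,DC=Net'      # OU from the join script
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# schemaIDGUID of the "computer" object class; scopes the rights to computers only
$computerClass = [Guid] 'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Create and delete computer objects in this OU and its sub-OUs
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights] 'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# 2. Full control over descendant computer objects only; users, groups and
#    GPO links in the same OU are not covered by this rule
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 3. Check: inherited rights never reach objects with inheritance blocked.
#    List those computers so an admin can decide whether to re-enable
#    inheritance on them instead of delegating per object.
Get-ADComputer -SearchBase $ouDN -Filter * |
    ForEach-Object {
        $objAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        if ($objAcl.AreAccessRulesProtected) { $_.DistinguishedName }
    }
```

Run it as an account that can modify the OU's security descriptor; the same two rules can be added to the default CN=Computers container so the team can move machines that joined into the wrong place.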