Remove machine from AD in PE
Looking for a way to get the computers machine name before imaging and run a VB script to remove that machine account from AD. I tried to do this via command line by getting the Machine name from HKLM\System\controlset001\control\computername and passing that through to dsquery and dsrm but windows PE cannot use dsquery or dsrm so that's out the window. The batch command I used to get the name is:
@echo off
reg LOAD HKLM\SYSTEM_00 C:\system32\config\SYSTEM
for /f "tokens=2,*" %%a in ('reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v computername ^| findstr computername') do SET NAME= %%b
That may help someone but I doubt it.
as far as the VB script KACE has the premade "GetComputerName.vbs" which writes the existing computername to a file on the T: drive \petemp. I've found some documentation on removign machines from AD using VBS Example:
strComputer = "atl-pro-040"
set objComputer = GetObject("LDAP://CN=" & strComputer & _
",CN=Computers,DC=fabrikam,DC=com")
objComputer.DeleteObject (0)
That looks like it would delete a machine if the name was preset, not based off a variable. The problem is my VBS knowledge is basically zero so even though I know where the machine name is stored by the pre-made KACE script I have no idea how to call it or how to script the function of plugging in that name as a variable for the strComputer variable in VBS.
Any help would be appreciated.
@echo off
reg LOAD HKLM\SYSTEM_00 C:\system32\config\SYSTEM
for /f "tokens=2,*" %%a in ('reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName /v computername ^| findstr computername') do SET NAME= %%b
That may help someone but I doubt it.
as far as the VB script KACE has the premade "GetComputerName.vbs" which writes the existing computername to a file on the T: drive \petemp. I've found some documentation on removign machines from AD using VBS Example:
strComputer = "atl-pro-040"
set objComputer = GetObject("LDAP://CN=" & strComputer & _
",CN=Computers,DC=fabrikam,DC=com")
objComputer.DeleteObject (0)
That looks like it would delete a machine if the name was preset, not based off a variable. The problem is my VBS knowledge is basically zero so even though I know where the machine name is stored by the pre-made KACE script I have no idea how to call it or how to script the function of plugging in that name as a variable for the strComputer variable in VBS.
Any help would be appreciated.
0 Comments
[ + ] Show comments
Answers (10)
Please log in to answer
Posted by:
cserrins
13 years ago
matiasm,
So wouldn't the strComputer be
strComputer = %NAME%
since that is the variable of computername that you found in the registry.
If that doesn't work, let me know, I bet we can do something in AutoIT. I already have the getcomputername part working ;)
We would just need to play with the AD part.
So wouldn't the strComputer be
strComputer = %NAME%
since that is the variable of computername that you found in the registry.
If that doesn't work, let me know, I bet we can do something in AutoIT. I already have the getcomputername part working ;)
We would just need to play with the AD part.
Posted by:
mlathrop
13 years ago
Posted by:
cserrins
13 years ago
you could use wsname to take care of this for you using the following switches
/RCID Rename Computer in Domain
/USER: Name of user with rights to perform the /RCID operation
/PASS: Password of user with rights to perform the /RCID operation
/DELETEEXISTING For use with /RCID, will attempt to delete an existing account with the new name
so:
wsname.exe /N:companyname-$SERIALNUM /rcid /user:username /pass:password /deleteexisting
Corey
/RCID Rename Computer in Domain
/USER: Name of user with rights to perform the /RCID operation
/PASS: Password of user with rights to perform the /RCID operation
/DELETEEXISTING For use with /RCID, will attempt to delete an existing account with the new name
so:
wsname.exe /N:companyname-$SERIALNUM /rcid /user:username /pass:password /deleteexisting
Corey
Posted by:
matiasm
13 years ago
Well the top line of code is a batch script, the bottom stuff is generic VB Script I found online, how would one go about running all of that at once and passing the batch script variable to the VB Scripts? Also like I said I don't know how to even script in VB I don't even know if the code linked really works. That example looks like it looks into a specific container for a machine account whereas I'd like my script to parse the entire AD structure to make sure it deletes the machine if it exists no matter where it resides in AD, I assume something like this would work:
strComputer = %NAME%
set objComputer = GetObject("LDAP://DC=DOMAIN,DC=net")
objComputer.DeleteObject (0)
but when I try that I get an error of Line 4 Char1 "The Server is unwilling to process the reuqest". Which to me suggests invalid credentials (of which I don't know how to pass into a VB Script) [:@]
Funny you mention Autoit, I started playing that as well haven't gotten very far other than:
#include <adfunctions.au3>
#include<array.au3>
$compname = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName", "Computername")
_AD_Open ( "user" , "pass" , "domain" , "DC")
_AD_DeleteObject= $compname
Which might work eventually, calling the regread of an offline reghive is the first hurdle I see. I think the VB Script will and I think I'd like to stick with that since it seems to be furthest along.
strComputer = %NAME%
set objComputer = GetObject("LDAP://DC=DOMAIN,DC=net")
objComputer.DeleteObject (0)
but when I try that I get an error of Line 4 Char1 "The Server is unwilling to process the reuqest". Which to me suggests invalid credentials (of which I don't know how to pass into a VB Script) [:@]
Funny you mention Autoit, I started playing that as well haven't gotten very far other than:
#include <adfunctions.au3>
#include<array.au3>
$compname = RegRead("HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName", "Computername")
_AD_Open ( "user" , "pass" , "domain" , "DC")
_AD_DeleteObject= $compname
Which might work eventually, calling the regread of an offline reghive is the first hurdle I see. I think the VB Script will and I think I'd like to stick with that since it seems to be furthest along.
Posted by:
rmeyer
13 years ago
I'm almost 99% sure that you cannot access AD via KACE's WinPE, I looked into it when I wanted to create my naming script so it would do a check in AD before nameing the PC and then use the next number in the row.
(our nameing standard is [CC][TT][NUMBER]
CC being Country Code
TT Type (PC/LT/VM) PC, Laptop, VMware
Number is just increesing for each pc)
If you wanna access AD from WinPE then you need to import a module, and that is not possible in KACE since it's done automaticly
I had to create a sql database with all the names in and look into that and find the names in that.
But you should be able to add a PC to AD that already exist if the rights in AD is correct
(our nameing standard is [CC][TT][NUMBER]
CC being Country Code
TT Type (PC/LT/VM) PC, Laptop, VMware
Number is just increesing for each pc)
If you wanna access AD from WinPE then you need to import a module, and that is not possible in KACE since it's done automaticly
I had to create a sql database with all the names in and look into that and find the names in that.
But you should be able to add a PC to AD that already exist if the rights in AD is correct
Posted by:
cserrins
13 years ago
rmeyer,
You are correct. However, I have just updated my KBE_direct script so that you can build a KBE that has ADSI built in to it, this will (I tested) allow you to access AD!!!
Now we need to start discussing the possibilities!!
Contact me if you want to try it out and are willing to post results back so we know everything is working 32/64bit, etc, etc.
Corey
You are correct. However, I have just updated my KBE_direct script so that you can build a KBE that has ADSI built in to it, this will (I tested) allow you to access AD!!!
Now we need to start discussing the possibilities!!
Contact me if you want to try it out and are willing to post results back so we know everything is working 32/64bit, etc, etc.
Corey
Comments:
-
Hi Corey,
Do you have any VBS templates for connecting to and effecting changes in AD through this method? I have create a KBE with ADSI drivers using your KBE manipulator, but attempts at actual changes (delete computer account in AD) have failed :(
-Matt - muebel 12 years ago
Posted by:
snissen
13 years ago
I don't know if this will help, but a friend directed me to these command line utilities, and the Joeware site comes highly recommended:
http://joeware.net/freetools/tools/adfind/index.htm
http://joeware.net/freetools/tools/admod/index.htm
http://joeware.net/freetools/tools/adfind/index.htm
http://joeware.net/freetools/tools/admod/index.htm
Posted by:
rmeyer
13 years ago
ORIGINAL: cserrins
rmeyer,
You are correct. However, I have just updated my KBE_direct script so that you can build a KBE that has ADSI built in to it, this will (I tested) allow you to access AD!!!
Now we need to start discussing the possibilities!!
Contact me if you want to try it out and are willing to post results back so we know everything is working 32/64bit, etc, etc.
Corey
Sweet :)
If only I had some more time to do the testing I would love to but I'm a bit to busy at the moment making win7 ready for deployment, if I run into something that would make sense I'll drop you a PM :)
Posted by:
mikesharp1
11 years ago
This is what I do.
First query for the machine..
dsquery computer dc=test,dc=com -name %computername% > T:\dsrm.log
Next for loop then remove
for /f %i in (t:\dsrm.log) do dsrm %i /y
Comments:
-
you will need dsrm and dsquery in your t:\ drive for winpe - mikesharp1 11 years ago
-
Thanks I'll try that. How do I dump the files into the T:\ drive? Is there is a hidden samba share I can connect to? - sfigg 11 years ago
-
you are already pointed to the T:\ by using the greater then sign comamnd. The KBE is mapped already. - mikesharp1 11 years ago
-
look at my other post I explain more there.
thanks! - mikesharp1 11 years ago -
This is going to sound stupid, but the post wasn't that elaborate and I had a question. Do I set this up as a pre-install task or post-install task? And do I just upload the tools in a zijp file and call this exact command then? Or is the "next for loop then remove" not part of it? I don't script much, so I'm not sure of the exact command to use.
dsquery computer dc=test,dc=com -name %computername% > T:\dsrm.log
Next for loop then remove
for /f %i in (t:\dsrm.log) do dsrm %i /y - sfigg 11 years ago -
yes you can do that way. Just think out of the box.
Look what dsquery computer does is query's to find the computer and output's that to a log file then using for /f you pulling that query and putting that in a variable. and removing it with dsrm.
I know its a little frustrating figuring things out but read up on dsrm download the tools play in the command line and you figure it out.
This skill level on 1 to 10 is like a 4. you just have to know a little command line.
best of luck! - mikesharp1 11 years ago -
I don't have a problem learning basics of DSRM. The problem is that I don't have the time right now given my work load. So if I can ask a simple question just to see if the command works, then great. Once I have something working, it's easier for me to review the command lines and try other things rather than start from scratching and trying to figure out why something isn't working.
Given that, I'm not having success running this as a pre-install task, so I'll have to revisit this later in the year when I have more time to figure out dsrm. - sfigg 11 years ago -
First make sure you have the adminpak install!!!!!!!!!
start run cmd or start cmd enter
run this .. test is your domain and ending with your domain below. like dc=test,dc=com so in english it would look like test.com we are just breaking it up in the command dsquery knows what to look for.
dsquery computer dc=test,dc=com -name %computername% <- thats your computer
you should something like this
"CN=COMPUTERNAME,OU=COMPUTER,DC=TEST,DC=COM"
then run dsrm "CN=COMPUTERNAME,OUT=COMPUTER,DC=TEST,DC=COM" - mikesharp1 11 years ago -
U can also use power shell for this :-) - mikesharp1 11 years ago
Posted by:
sfigg
12 years ago
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.