mlptechnical
asked on
How to join domain when computer account exists in different OU
I am having issues joining a computer to the domain using the script provided below, on Windows Server 2008.
What is happening is that when the computer is in a different OU and we try to join the computer to a new OU, the computer never joins the domain.
Is it possible to join the computer to the new OU and just move the domain it currently resides in?
' Join script as posted, with comments added. The join credential is read from
' HKLM\Software\!TESTEB, where the imaging process has written it beforehand.
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144
Const HKEY_LOCAL_MACHINE = &H80000002

strKeyPath = "Software\!TESTEB"
strComputer = "."
Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
' The join account's user name and password sit in clear text in the registry until the join succeeds.
objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "JoinUsername", strJoinUsername
objReg.GetStringValue HKEY_LOCAL_MACHINE, strKeyPath, "JoinPassword", strJoinPassword

strUser = "ASDF\" & strJoinUsername
strPassword = strJoinPassword
strDomain = "ASDF.com"
strOU = "OU=Processing,OU=ASDFComputers,DC=ASDF,DC=com"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & _
    "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

' ACCT_CREATE with an explicit OU: NetJoinDomain creates the account in strOU, or reuses an
' account of the same name that already sits in strOU. A same-named account in any other OU
' makes the call fail (return code 2224, NERR_UserExists); it is not moved automatically.
ReturnValue = objComputer.JoinDomainOrWorkgroup(strDomain, _
    strPassword, strUser, strOU, JOIN_DOMAIN + DOMAIN_JOIN_IF_JOINED + ACCT_CREATE)

If ReturnValue = 0 Then
    ' Success: remove the stored join credential and the Winlogon auto-logon password.
    objReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, "JoinUsername"
    objReg.DeleteValue HKEY_LOCAL_MACHINE, strKeyPath, "JoinPassword"
    objReg.DeleteValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword"
    objReg.SetStringValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "AutoAdminLogon", "0"
    objReg.SetStringValue HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", "ASDF"
Else
    ' Failure: the credential stays in the registry; report the NetJoinDomain return code.
    WScript.Echo "Join failed, return code " & ReturnValue
End If

' Clear the secrets from the script variables (these are strings, so plain assignment, not Set ... = Nothing).
strDomain = ""
strUser = ""
strPassword = ""
strOU = ""
ASKER
I can try and explain a scenario....
TestEB01 exists in the OU:
"OU=Processing,OU=Desktops,OU=ASDFComputers,DC=DallasMlp,DC=com"
TestEB01 gets re-imaged, and the join domain script on the new image points towards:
"OU=ProcessingNew,OU=ASDFComputers,DC=DallasMlp,DC=com"
I want the script to join this newly imaged computer to the domain in the "ProcessingNew" OU.
I know that you said that if a computer exists on the domain you can't create a new account, but if the computer is joined to the same OU, my script runs perfectly.
Any ideas on a script that will have a computer join the new OU with no hands on interaction?
Well... since the computer account already exists, you can just run this simple script to move it to the ProcessingNew OU.
' Bind to the destination OU, then pull the existing computer object into it.
Set objNewOU = GetObject("LDAP://OU=ProcessingNew,OU=ASDFComputers,DC=DallasMlp,DC=com")
' The source path below is the placeholder from the Microsoft sample; use the real DN of the
' existing account, which must be in the same domain as the destination OU.
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com", "CN=atl-pro-03")
ASKER
It's not that easy though, i don't know for sure which OU the computer will be in, and I don't want to have to create a script for every scenario.
and will just moving the OU join this newly imaged, unjoined server to the domain?
I think you have two separate issues... You want a machine's computer account moved to a new OU, and you want that freshly imaged machine joined to the domain. I would use a simple script such as this to join the computer to the domain:
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

' Placeholder domain and credentials from the Microsoft sample; substitute your own.
' Note that the password is embedded in clear text in the script file.
strDomain = "FABRIKAM"
strPassword = "ls4k5ywA"
strUser = "shenalan"

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")

' No OU is given (Null): with ACCT_CREATE the account is created in the default Computers
' container, or an existing account of that name is reused if the join user has rights over it.
ReturnValue = objComputer.JoinDomainOrWorkgroup(strDomain, _
    strPassword, strDomain & "\" & strUser, Null, _
    JOIN_DOMAIN + ACCT_CREATE)
WScript.Echo "Join return code: " & ReturnValue
Then, once you're on the domain and have rebooted, use this script to find the computer account you are on in AD and move it to the ProcessingNew OU:
Set WshNetwork = WScript.CreateObject("WScript.Network") 'Network Object
Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
' Runs under the logged-on domain user, so no explicit credentials are needed here.
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Find this machine's computer account anywhere under the domain root.
objCommand.CommandText = _
    "Select distinguishedName, Name from " & _
    "'LDAP://DC=fabrikam,DC=com' where objectClass='computer'" & _
    " and Name = '" & WshNetwork.ComputerName & "'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' Move each match into the destination OU, keeping its name.
Set objNewOU = GetObject("LDAP://OU=ProcessingNew,OU=ASDFComputers,DC=DallasMlp,DC=com")
Do Until objRecordSet.EOF
    Set objMoveComputer = objNewOU.MoveHere _
        ("LDAP://" & objRecordSet.Fields("distinguishedName").Value, _
         "CN=" & objRecordSet.Fields("Name").Value)
    objRecordSet.MoveNext
Loop
That is mostly untested, but it will probably give you a good place to start.
ASKER
That's the script I posted in my question. I really don't care if the existing computer account is moved or deleted, I just don't want to have any interaction; it needs to be automated so anyone can use it.
ASKER CERTIFIED SOLUTION
ASKER
That option works, but it adds a lot of reboots to our imaging process. Is it possible to lookup and delete the computer account before you join the computer to the domain, then join the computer to the domain?
Keep in mind that you would need to pass the logon credentials because you are not joined to the domain yet.
If a computer account already exists anywhere in the AD structure, then you cannot create a new computer account with that same name. You just need to use ADUC and move the existing account to the new OU.
Does that help? If not, could you clarify a bit?
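The asker's last question (look the account up and move or delete it before the join, passing credentials because the machine is not yet a member) and the reply above (a same-named account anywhere in AD blocks creation) can be combined into one hands-off pre-stage-then-join script. The following is an added example, not code from this thread or from Microsoft: it searches the domain for the existing account with explicit credentials, moves it into the target OU, and then joins with the OU specified, so the join reuses the account it now finds there. The DC name, domain, OU and the delegated join account are assumptions, and the credential is taken from named command-line arguments purely for illustration.

```vbscript
' Added example (not from the thread): find this computer's account anywhere in the domain,
' move it into the target OU with explicit credentials, then join. Domain, DC, OU and the
' join account are assumptions; adjust them for your environment.
Option Explicit

Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const DOMAIN_JOIN_IF_JOINED = 32
Const ADS_SECURE_AUTHENTICATION = 1     ' Kerberos/NTLM bind, never a simple (clear-text) bind
Const ADS_SERVER_BIND = &H200           ' path names a DC explicitly; no domain-locator lookup
Const NERR_UserExists = 2224            ' NetJoinDomain: same-named account exists outside the OU
Const NERR_SetupAlreadyJoined = 2691    ' NetJoinDomain: computer is already a domain member
Const ERROR_ACCESS_DENIED = 5

' Assumed environment (hypothetical names). The DC is named explicitly because a machine that
' is not yet a member cannot rely on the domain locator to find one.
Dim strDC, strDomainDNS, strDomainRoot, strTargetOU, strJoinUser, strJoinPassword
strDC         = "dc01.ASDF.com"
strDomainDNS  = "ASDF.com"
strDomainRoot = "DC=ASDF,DC=com"
strTargetOU   = "OU=ProcessingNew,OU=ASDFComputers,DC=ASDF,DC=com"
' Delegated join account, passed as:  cscript prestage_join.vbs /user:ASDF\joinsvc /pass:...
' Whatever the source (arguments, registry, file), wipe it once the join has succeeded.
strJoinUser     = WScript.Arguments.Named("user")
strJoinPassword = WScript.Arguments.Named("pass")

' Return the DN of the existing computer account (sAMAccountName is NAME$), or "" if none.
' Host names cannot contain LDAP filter metacharacters, so the name needs no escaping.
Function FindComputerDN(strName)
    Dim objConn, objCmd, objRS
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Properties("User ID") = strJoinUser
    objConn.Properties("Password") = strJoinPassword
    objConn.Properties("Encrypt Password") = True
    objConn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND
    objConn.Open "Active Directory Provider"
    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    objCmd.CommandText = "<LDAP://" & strDC & "/" & strDomainRoot & ">;" & _
        "(&(objectCategory=computer)(sAMAccountName=" & strName & "$));distinguishedName;subtree"
    Set objRS = objCmd.Execute
    If objRS.EOF Then
        FindComputerDN = ""
    Else
        FindComputerDN = objRS.Fields("distinguishedName").Value
    End If
    objRS.Close
    objConn.Close
End Function

' Move the account into strOU, keeping its name (and so its SID and group memberships, which
' deleting and re-creating would lose). Both paths name the same DC: MoveHere cannot move
' between servers, and the credential from the OU bind is reused for the source object.
Sub MoveComputerToOU(strSourceDN, strOU)
    Dim objDSO, objOU
    Set objDSO = GetObject("LDAP:")
    Set objOU = objDSO.OpenDSObject("LDAP://" & strDC & "/" & strOU, strJoinUser, _
        strJoinPassword, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
    objOU.MoveHere "LDAP://" & strDC & "/" & strSourceDN, vbNullString
End Sub

' Join with the OU specified. Because the account is now in strOU, ACCT_CREATE reuses it
' (resetting its password), which needs reset-password rights on the object for strJoinUser.
Function JoinThisComputer(strName, strOU)
    Dim objComputer
    Set objComputer = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2:" & _
        "Win32_ComputerSystem.Name='" & strName & "'")
    JoinThisComputer = objComputer.JoinDomainOrWorkgroup(strDomainDNS, strJoinPassword, _
        strJoinUser, strOU, JOIN_DOMAIN + ACCT_CREATE + DOMAIN_JOIN_IF_JOINED)
End Function

Dim strName, strExistingDN, lngResult
strName = CreateObject("WScript.Network").ComputerName
strExistingDN = FindComputerDN(strName)
If strExistingDN = "" Then
    WScript.Echo "No account for " & strName & "; the join will create one in " & strTargetOU
ElseIf LCase(Mid(strExistingDN, InStr(strExistingDN, ",") + 1)) = LCase(strTargetOU) Then
    WScript.Echo "Account already in the target OU: " & strExistingDN
Else
    WScript.Echo "Moving " & strExistingDN & " to " & strTargetOU
    MoveComputerToOU strExistingDN, strTargetOU
End If

lngResult = JoinThisComputer(strName, strTargetOU)
Select Case lngResult
    Case 0
        WScript.Echo "Joined " & strDomainDNS & "; reboot to finish."
    Case NERR_UserExists
        WScript.Echo "2224: an account named " & strName & " still exists outside " & strTargetOU
    Case NERR_SetupAlreadyJoined
        WScript.Echo "2691: this computer is already joined to a domain."
    Case ERROR_ACCESS_DENIED
        WScript.Echo "5: access denied; check the join account's rights on the OU and on the existing object."
    Case Else
        WScript.Echo "Join failed, return code " & lngResult
End Select
strJoinPassword = ""
WScript.Quit lngResult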