Solved

vbscript: need coding help/advice for AD computer account management script

Posted on 2011-03-10
Last Modified: 2012-05-11
I have the following script which I run after deploying a new machine to the domain.  This script does three things:

1.  joins computer to domain,
2.  changes computername to SerialNum in BIOS (i.e. Dell Service Tag#)
3.  adds Domain Users to local Administrators group

Here is the script -

'
' JoinDomainAndRename.vbs | Updated 03/27/2009 Stephen White 
' 
'    Joins computer to domain, changes computername to SerialNum in BIOS
'    and adds Domain Users to local Administrators group
'    with no output unless there is an error condition 
'
'==========================================================================

Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

Dim message
Dim IP

strDomain = "altasens.com"
strUser = InputBox("Enter Username","Join Domain")
strPassword = InputBox("Enter Password","Join Domain")

If strUser="" or strPassword="" Then

	MsgBox "ERROR: No Username or Password provided", vbCritical
	WScript.Quit(0)

End If


'==========================================================================


' === Get computername
 
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
 
Set objWMIService = GetObject ("winmgmts:" & "!\\" & strComputer & "\root\cimv2")
Set colAdapters = objWMIService.ExecQuery ("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled = True")

newComputerName = GetSerial

If newComputerName = "" Then

    MsgBox "ERROR: Can't determine Service Tag",vbCritical
    WScript.Quit(0)

End If


' === Join to domain with existing computername

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
        strComputer & "'")
 
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, NULL, _
        JOIN_DOMAIN + ACCT_CREATE)

If ReturnValue <> 0 Then
    MsgBox "ERROR: Can't join domain",vbCritical
    WScript.Quit(0)
End If


' === Rename domain computer account

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colComputers = objWMIService.ExecQuery _
    ("Select * from Win32_ComputerSystem")


For Each objComputer in colComputers

    ErrCode = objComputer.Rename(newComputerName, strPassword, strUser)
    
    If ErrCode <> 0 Then
    
    	MsgBox "ERROR: Can't rename domain computer account",vbCritical
	WScript.Quit(0)
    	
    End If

Next


' === Add Domain Users to local Administrators group

strComputer = "."
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objDomainGroup = GetObject("WinNT://Altasens/Domain Users")
objLocalGroup.Add(objDomainGroup.ADsPath)


WScript.Quit(0)

'==========================================================================

Function GetSerial()

On Error Resume Next
Dim objWMI : Set objWMI = GetObject("winmgmts:")
Dim colSettingsComp : Set colSettingsComp = objWMI.ExecQuery("Select * from Win32_ComputerSystem")
Dim colSettingsBios : Set colSettingsBios = objWMI.ExecQuery("Select * from Win32_BIOS")
Dim objComputer
For Each objComputer in colSettingsBios
  GetSerial = Trim(objComputer.SerialNumber)
Next
On Error Goto 0

End Function



I run into an issue when re-deploying a system when that computer account already exists in the domain.  Can anyone provide some guidance on how to code around this issue?  I'm looking at the FJoinOptions constants and wondering if the key is in these:

1 (0x1) Default. Joins a computer to a domain. If this value is not specified, the join is a computer to a workgroup.
2 (0x2) Creates an account on a domain.
4 (0x4) Deletes an account when a domain exists.
16 (0x10) The join operation is part of an upgrade from Windows 98 or Windows 95 to Windows 2000 or Windows NT.
32 (0x20) Allows a join to a new domain, even if the computer is already joined to a domain.
 
Does anyone have any experience with this?

Thanks in advance for the help!
 


 
0
Question by:AltaSens
7 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 35102514
What's your issue? Do you get an error?

Maybe you could try this:

ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, NULL, JOIN_DOMAIN + ACCT_CREATE)

If ReturnValue <> 0 Then
	ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, NULL, JOIN_DOMAIN)
	If ReturnValue <> 0 Then
    	MsgBox "ERROR: Can't join domain",vbCritical
    	WScript.Quit(0)
    End If
End If


Regards,

Rob.
0
 

Author Comment

by:AltaSens
ID: 35105602
Hey Rob -   Ok, I think I follow...

So the first step is to try to join domain and create a computer account, then if that fails, try again to join domain using an existing computer account...is that right?

0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35105820
Yes, in theory.  I haven't tried it that way, but fingers crossed.

Rob.
0

Author Comment

by:AltaSens
ID: 35142413
This doesn't seem to work.

Can anyone shed some light on the bitflags used by this method, specifically:

2 (0x2) Creates an account on a domain.
4 (0x4) Deletes an account when a domain exists.
32 (0x20) Allows a join to a new domain, even if the computer is already joined to a domain.


For #4, does this mean that the method will delete this account if it already exists in the domain?   If used in conjunction with #2, does it delete the account before recreating it?

For #32, is this intended to be used when moving a computer from one domain to another?  Or could this work for my needs, re-deploying a system when that computer account already exists in the domain?

0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 35144417
I would have thought that 0x4 would delete the account from the domain when moving from a domain to a workgroup.
0x32 might help you but it might require that you specify a different domain, and not the current one.

What might work is if you specify a workgroup name, using the 0x4 parameter, then join the domain, using 0x1 + 0x2.

So, in theory (I can't test it at the moment), that would be
ReturnValue = objComputer.JoinDomainOrWorkGroup("WORKGROUPNAME", strPassword, strDomain & "\" & strUser, NULL, ACCT_DELETE)

ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, strDomain & "\" & strUser, NULL, JOIN_DOMAIN + ACCT_CREATE)
If ReturnValue <> 0 Then
   	MsgBox "ERROR: Can't join domain",vbCritical
   	WScript.Quit(0)
End If 


Regards,

Rob.
0
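
Added example, not part of the thread or any poster's code: the join step written so that it returns the numeric result of JoinDomainOrWorkgroup and retries without ACCT_CREATE only when that result is 2224 (the account already exists), with the documented return values mapped to text. JoinWithFallback, DescribeJoinResult, FakeComputer and the sample domain, user and password are hypothetical names and constructed values; the retry assumes the joining user has rights over the existing computer object.

```vbscript
Option Explicit

Const JOIN_DOMAIN = 1   ' FJoinOptions bits, same values as in the script above
Const ACCT_CREATE = 2

' Documented JoinDomainOrWorkgroup return values mapped to text
Function DescribeJoinResult(lngCode)
    Select Case lngCode
        Case 0    : DescribeJoinResult = "Success"
        Case 5    : DescribeJoinResult = "Access is denied"
        Case 87   : DescribeJoinResult = "The parameter is incorrect"
        Case 1326 : DescribeJoinResult = "Logon failure: unknown user name or bad password"
        Case 1355 : DescribeJoinResult = "Domain does not exist or could not be contacted"
        Case 2224 : DescribeJoinResult = "The account already exists"
        Case 2691 : DescribeJoinResult = "The machine is already joined to the domain"
        Case Else : DescribeJoinResult = "Other error (look up as a Win32 error code)"
    End Select
End Function

' Join with account creation; only when the failure is 2224 retry with
' JOIN_DOMAIN alone so the existing computer account is reused.
' Assumption: the joining user has rights over that existing account.
Function JoinWithFallback(objComputer, strDomain, strPassword, strUser)
    Dim lngCode
    lngCode = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, _
        strDomain & "\" & strUser, Null, JOIN_DOMAIN + ACCT_CREATE)
    If lngCode = 2224 Then
        lngCode = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, _
            strDomain & "\" & strUser, Null, JOIN_DOMAIN)
    End If
    JoinWithFallback = lngCode
End Function

' Constructed stand-in for Win32_ComputerSystem so the logic runs offline:
' it returns 2224 when asked to create the account and 0 otherwise.
Class FakeComputer
    Public Function JoinDomainOrWorkGroup(strName, strPwd, strAcct, varOU, intFlags)
        If intFlags And ACCT_CREATE Then
            JoinDomainOrWorkGroup = 2224
        Else
            JoinDomainOrWorkGroup = 0
        End If
    End Function
End Class

Dim objFake, lngResult
Set objFake = New FakeComputer
lngResult = JoinWithFallback(objFake, "example.test", "constructed-pw", "joiner")
WScript.Echo "Join returned " & lngResult & ": " & DescribeJoinResult(lngResult)
```

In the deployment script, pass the Win32_ComputerSystem instance it already holds in objComputer instead of the stand-in, and show the returned number in the error MsgBox.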
 

Author Closing Comment

by:AltaSens
ID: 35381034
Thanks for the help!
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 35381055
No worries. I hope it worked out.

Regards,

Rob.
0

Question has a verified solution.