Solved

Active Directory tasks during SCCM 2012 OSD Task Sequence

Posted on 2013-11-12
24
2,115 Views
Last Modified: 2013-11-18
I am trying to run a powershell script during an OSD task sequence which will add Active Directory groups to the Local Administrators group on the server which is being deployed. The script runs successfully if run within Windows, but fails if run as part of the task sequence. Domain Admin credentials are provided for the TS to run under but it still fails. The script is attached.
AddLocalAdminsgeneric.txt
Question by:aferr
24 Comments
 
LVL 22

Expert Comment

by:yo_bee
ID: 39643295
Why not just use Group Policy to push these settings? They are under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

Note: Place the group in "This group is a member of". If you place it in "Members of this group", any other members will be removed except for the local Administrator and Domain Admins.
The other option is to use GPP (Group Policy Preferences):
Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups

Right-click and add a New Item.
Click on the drop-down and select the group you want to add the user or group to.
Press Add and select the user or group you want to add to the group you selected above.
 

Author Comment

by:aferr
ID: 39643873
Unfortunately that approach isn't suitable. The group name is generated using the name of the server as part of the setup process, so for example if the company name is tailspin toys ( to use an old favourite :)) and the server is called tspin001, the script will generate the server administrators group as TSPIN-Srv-LocalAdm-TSPIN001.

This isn't a choice I can change as it's a mandated company policy, but it does mean that using Group Policy isn't possible.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644396
I see.

If you run the PS1 manually within a PowerShell command shell, what error do you get?

 

Author Comment

by:aferr
ID: 39644604
Herein lies the problem. If I stop the OSD task sequence and run the powershell script manually I don't get any errors, it completes successfully. The only time it fails is if run by the task sequence.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644689
Are you running it as:
Powershell.exe script.ps1

Or are you pasting the script into the command shell?
 

Author Comment

by:aferr
ID: 39644705
Tried running as powershell.exe <scriptname> and by running powershell then calling the script from within. It works in both instances.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644765
Do you have a setting in GP that allows executing PS1 scripts that are not trusted?
That may be the issue with the build, since it has not had any of the GP settings applied during the Task Sequence.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644767
What if you converted it to a VBS instead?
 

Author Comment

by:aferr
ID: 39644861
The PowerShell execution policy is set to Unrestricted in a TS step immediately prior to the deployment step that runs this script, so it's not an execution policy issue. I haven't tried converting it to VBScript; tbh my VB is a bit rusty, but I'll give it a try.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644891
Also the account that is running the Task Sequence, is it a Domain Admin account (I know it probably is)?
 
LVL 22

Expert Comment

by:yo_bee
ID: 39644903
Do you have the error code that is generated during the Task Sequence?
 

Author Comment

by:aferr
ID: 39644926
The account being used to run the TS is a domain admin account. The TS doesn't generate an error message; it just doesn't create the accounts/add them to the local admin group, which is why I'm so bemused, to be honest.
 
LVL 22

Accepted Solution

by:
yo_bee earned 500 total points
ID: 39646563
Is this script being run against the computer or copied to it and then run?
 

Author Comment

by:aferr
ID: 39647278
It's being run against the computer. I have also tried creating a local directory, copying it across and running it from a local drive: no difference in outcome.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39647638
Do you have any error code that can be referenced?

I am still a bit confused why you need this local admin group created if they are just being added to the local administrators group.  

I might have missed something in the readings of this question.
 

Author Comment

by:aferr
ID: 39647680
No error codes generated, nothing in the event logs.
The group is created so that users outside the Server Support team can be given local admin access to particular servers. The created group is an AD group, which is added to the local Administrators group on the server.
So, for example, if the domain was called test.com and the server testserver1, the group would be created within the AD structure for test.com and would be called test-svr-localadm-testserver1. This AD group would then be added to the local admins on the server.
I have a feeling this may be a limitation in the OSD task sequence engine when passing credentials to Active Directory, but I'm hoping I'm wrong.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39647723
After reading this I now understand, but maybe we can look at this in a different angle.

So you are trying to create a group in AD sort of dynamically based on a type of server.
Then add this newly created group to the local admin group.  

Is this group used for standard users or low level techs that will need to administrator only a specific server?

Your script looks like it is a two-step process. Is that correct?

Part 1: create an AD group. Is it successful when run in the TS?
Part 2: add it to the local admin group. We know that this does not work.
 

Author Comment

by:aferr
ID: 39647810
The group is intended for technical staff who may require access to the server to look after particular applications, such as mail or sql, as well as lower level techs who need access to specific servers only.

Neither part is successful when run under the TS, but the entire script will run successfully either when logged into Windows or when run from a command prompt if the TS is interrupted.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39647822
I recommend leveraging GPP in Group Policy with Item Level Targeting to accomplish this task.

How many individual servers are we talking about and do they follow a pattern?
 

Author Comment

by:aferr
ID: 39647894
The estate has several hundred devices to manage, not sure what you mean by follow a pattern? Are you talking about server naming conventions?
 
LVL 22

Expert Comment

by:yo_bee
ID: 39648948
Yes.
So we can create a GPP that targets TS.Server##.
 
LVL 31

Expert Comment

by:merowinger
ID: 39650406
I would split the steps down:
one Task Sequence step to create the group in AD with Domain Admin privileges,
and one step to add it to the local group. I think the Domain Admin which runs the step may have no local Admin permissions on the machine at this time.

To add to the local group you can then simply use this command line:
cmd /c net localgroup administrators /add domain\account
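As an added illustration of the two-step approach described in this thread (this is example code, not the asker's attached script and not merowinger's), the script below creates the per-server AD group, adds it to local Administrators via ADSI, logs to the task sequence log folder and, crucially given the silent failures reported above, exits non-zero on any error so the TS step fails visibly. It assumes the ActiveDirectory RSAT module is present in the image; the prefix, OU and naming pattern are placeholders.

```powershell
# Example only: create <Prefix>-Srv-LocalAdm-<COMPUTERNAME> in AD and add it to
# the local Administrators group. Prefix and OU are placeholders.
param(
    [string]$Prefix  = 'TSPIN',                              # placeholder company prefix
    [string]$GroupOU = 'OU=ServerAdmins,DC=test,DC=com'      # placeholder OU
)
$ErrorActionPreference = 'Stop'
# _SMSTSLogPath is set by the task sequence engine; fall back to TEMP when run by hand.
$LogDir  = if ($env:_SMSTSLogPath) { $env:_SMSTSLogPath } else { $env:TEMP }
$LogFile = Join-Path $LogDir 'AddLocalAdmins.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $LogFile -Append
}

try {
    $GroupName = "$Prefix-Srv-LocalAdm-$env:COMPUTERNAME".ToUpper()
    Write-Log "Running as $env:USERDOMAIN\$env:USERNAME; target group $GroupName"

    # Part 1: create the AD group if it does not already exist (idempotent re-runs).
    Import-Module ActiveDirectory
    $Domain = (Get-ADDomain).NetBIOSName
    $Group  = Get-ADGroup -Filter "SamAccountName -eq '$GroupName'"
    if (-not $Group) {
        $Group = New-ADGroup -Name $GroupName -SamAccountName $GroupName -Path $GroupOU `
                     -GroupScope Global -GroupCategory Security -PassThru
        Write-Log "Created AD group $($Group.DistinguishedName)"
    } else {
        Write-Log "AD group already exists: $($Group.DistinguishedName)"
    }

    # Part 2: add the AD group to local Administrators through the WinNT ADSI
    # provider (no LocalAccounts module needed on Windows Server 2008 R2/2012).
    $LocalAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $Members = @($LocalAdmins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($Members -notcontains $GroupName) {
        $LocalAdmins.Add("WinNT://$Domain/$GroupName,group")
        Write-Log "Added $Domain\$GroupName to local Administrators"
    } else {
        Write-Log "$Domain\$GroupName is already a member of local Administrators"
    }
    exit 0
}
catch {
    # A non-zero exit code makes the TS step fail and surfaces the reason in smsts.log.
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

If the group is created on one domain controller and the server resolves the WinNT path against another, the Add can fail until replication completes; checking the log for that message is the first thing to look at when the step reports failure.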
 

Author Closing Comment

by:aferr
ID: 39656118
When I read this at first I tried an initial test which failed. I went back and checked the logic again, made sure the account passwords and permissions were correct, then reran it successfully. Just to make sure it wasn't a password issue I tried it again without copying to the local machine, where it failed again.
Not sure why it's the case, but it seems that copying the script to the local machine and running it from there does the trick.
 
LVL 22

Expert Comment

by:yo_bee
ID: 39656194
Nice.
