Solved

Active Directory tasks during SCCM 2012 OSD Task Sequence

Posted on 2013-11-12
2,002 Views
Last Modified: 2013-11-18
I am trying to run a powershell script during an OSD task sequence which will add Active Directory groups to the Local Administrators group on the server which is being deployed. The script runs successfully if run within Windows, but fails if run as part of the task sequence. Domain Admin credentials are provided for the TS to run under but it still fails. The script is attached.
AddLocalAdminsgeneric.txt
0
Question by:aferr
24 Comments
 
LVL 21

Expert Comment

by:yo_bee
Why not just use Group Policy to push these settings? They are under Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups



Img1
Note: Place the group in "This Group is a Member of". If you place it in "Members of this group", any other members will be removed except for the Local Administrator & Domain Admin.
img2
The other option is to use GPP (Group Policies Preferences)
Computer Config > Preferences > Control Panel Settings > Local User and Local Group:

Right click and add New Item.
Click on the drop-down and select the group you want to add the user or group to
 img3
Press Add and select the user or group you want to add to the group you select above.
img4
0
 

Author Comment

by:aferr
Unfortunately that approach isn't suitable. The group name is generated using the name of the server as part of the setup process, so for example if the company name is Tailspin Toys (to use an old favourite :)) and the server is called tspin001, the script will generate the server administrators group as TSPIN-Srv-LocalAdm-TSPIN001.

This isn't a choice I can change as it's a mandated company policy, but it does mean that using Group Policy isn't possible.
0
 
LVL 21

Expert Comment

by:yo_bee
I see.  

If you run the PS1 manually within a PS command shell, what error do you get?
0
 

Author Comment

by:aferr
Herein lies the problem. If I stop the OSD task sequence and run the powershell script manually I don't get any errors, it completes successfully. The only time it fails is if run by the task sequence.
0
 
LVL 21

Expert Comment

by:yo_bee
Are you running it as:
Powershell.exe script.ps1

Or are you pasting the script into the command shell?
0
 

Author Comment

by:aferr
Tried running as powershell.exe <scriptname> and by running powershell then calling the script from within. It works in both instances.
0
 
LVL 21

Expert Comment

by:yo_bee
Do you have a setting in GP that allows executing PS1 files that are not trusted?
That may be the issue with the build, since it has not had any of the GP settings applied during the Task Sequence.
0
 
LVL 21

Expert Comment

by:yo_bee
What if you converted it to a VBS instead?
0
 

Author Comment

by:aferr
The PowerShell execution policy is set to Unrestricted in a TS step immediately prior to the deployment step that runs this script, so it's not an execution policy issue. I haven't tried converting it to VBScript; tbh my VB is a bit rusty but I'll give it a try.
0
 
LVL 21

Expert Comment

by:yo_bee
Also the account that is running the Task Sequence, is it a Domain Admin account (I know it probably is)?
0
 
LVL 21

Expert Comment

by:yo_bee
Do you have the error code that is generated during the Task Sequence?
0
 

Author Comment

by:aferr
The account being used to run the TS is a domain admin account. The TS doesn't generate an error message, it just doesn't create the accounts/add them to the local admin group, which is why I'm so bemused to be honest.
0

 
LVL 21

Accepted Solution

by:yo_bee (earned 500 total points)
Is this script being run against the computer or copied to it and then run?
0
 

Author Comment

by:aferr
It's being run against the computer. I have also tried creating a local directory, copying it across and running it from a local drive; no difference in outcome.
0
 
LVL 21

Expert Comment

by:yo_bee
Do you have any error code that can be referenced?

I am still a bit confused why you need this local admin group created if they are just being added to the local administrators group.  

I might have missed something in the readings of this question.
0
 

Author Comment

by:aferr
No error codes generated, nothing in the event logs.
The group is created so that users outside the Server Support team can be given local admin access to particular servers. The created group is an AD group, which is added to the local admins group on the server.
So, for example, if the domain was called test.com and the server testserver1, the group would be created within the AD structure for test.com and would be called test-svr-localadm-testserver1. This AD group would then be added to the local admins on the server.
I have a feeling this may be a limitation in the OSD task sequence engine when passing credentials to Active Directory, but I'm hoping I'm wrong.
0
 
LVL 21

Expert Comment

by:yo_bee
After reading this I now understand, but maybe we can look at this in a different angle.

So you are trying to create a group in AD, sort of dynamically, based on a type of server.
Then add this newly created group to the local admin group.

Is this group used for standard users or low level techs that will need to administer only a specific server?

Your script looks like it is a two step process. Is that correct?

Part 1: create an AD Group. Is it successful when run in the TS?
Part 2: add to local admin group. We know that this does not work.
0
 

Author Comment

by:aferr
The group is intended for technical staff who may require access to the server to look after particular applications, such as mail or SQL, as well as lower level techs who need access to specific servers only.

Neither part is successful when run under the TS, but the entire script will run successfully either when logged into Windows or when run from a command prompt if the TS is interrupted.
0
 
LVL 21

Expert Comment

by:yo_bee
I recommend leveraging GPP in Group Policy with Item Level Targeting to accomplish this task.

How many individual servers are we talking about and do they follow a pattern?
0
 

Author Comment

by:aferr
The estate has several hundred devices to manage, not sure what you mean by follow a pattern? Are you talking about server naming conventions?
0
 
LVL 21

Expert Comment

by:yo_bee
Yes.
So we can create a GPP that targets TS.Server##
0
 
LVL 31

Expert Comment

by:merowinger
I would split the steps down.
One Task Sequence step to create the Group in AD with Domain Admin privileges,
and one step to add it to the local Group. I think the Domain Admin which runs the step may have no local Admin permissions on the machine at this time.

To add the local Group you can then simply take that command line:
cmd /c net localgroup administrators /add domain\account
0
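A worked version of the two-step approach merowinger describes, with a log file and an explicit exit code so the task sequence step fails visibly instead of silently doing nothing, which is the symptom aferr reports. This is an added example, not the asker's attached script or code from the thread; the RSAT ActiveDirectory module being in the image, the OU path, the log location and the test-svr-localadm-<server> naming pattern from the thread are assumptions.

```powershell
# Added example, not the asker's attached script. Assumes the RSAT ActiveDirectory
# module is present in the image and that the task sequence step runs as a domain
# account allowed to create groups in $GroupOU. The group name follows the
# pattern from the thread: <prefix>-svr-localadm-<servername>.
param(
    [Parameter(Mandatory)][string]$GroupPrefix,  # e.g. 'test' (assumed value)
    [Parameter(Mandatory)][string]$GroupOU,      # e.g. 'OU=ServerAdmins,DC=test,DC=com' (assumed)
    [string]$LogPath = "$env:SystemRoot\Temp\AddLocalAdmins.log"  # assumed log location
)
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    Import-Module ActiveDirectory
    $domain    = (Get-ADDomain).NetBIOSName
    $groupName = "${GroupPrefix}-svr-localadm-${env:COMPUTERNAME}".ToLower()

    # Step 1: create the AD group only if it does not already exist, so re-runs are safe.
    Write-Log "Step 1: ensuring AD group '$groupName' exists under $GroupOU"
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $GroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
        Write-Log "Created $($group.DistinguishedName)"
    } else {
        Write-Log "Group already exists: $($group.DistinguishedName)"
    }

    # Step 2: add the domain group to the local Administrators group (the same
    # 'net localgroup' call merowinger suggests), skipping it if already a member.
    $member  = "$domain\$groupName"
    $current = & net.exe localgroup Administrators | ForEach-Object { $_.Trim() }
    if ($current -contains $member) {
        Write-Log "$member is already in local Administrators"
    } else {
        & net.exe localgroup Administrators $member /add
        if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
        Write-Log "Added $member to local Administrators"
    }
    Write-Log 'Completed successfully'
    exit 0
}
catch {
    # Non-zero exit makes the task sequence step fail visibly instead of silently doing nothing.
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

Run it from a "Run Command Line" step as powershell.exe -ExecutionPolicy Bypass -File with the two parameters; the log file shows which of the two steps ran and the step status in the task sequence reflects the exit code.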
 

Author Closing Comment

by:aferr
When I read this at first I tried an initial test which failed. I went back and checked the logic again, made sure the account passwords and permissions were correct, then reran it successfully. Just to make sure it wasn't a password issue I tried it again without copying to the local machine, where it failed again.
Not sure why it's the case, but it seems that copying the script to the local machine and running it from there does the trick.
0
 
LVL 21

Expert Comment

by:yo_bee
Nice.
0
