Solved

How do I create a computer account object in a remote domain specifying alternative credentials (VBScript / LDAP bind)?

Posted on 2015-01-18
3
246 Views
Last Modified: 2015-01-31
On Computer A in Domain A I am trying to run a VBScript which will bind to Domain Controller B in Domain B and create a computer account, specifying credentials with appropriate permissions in Domain B.

There is no trust between the domains.
The firewall only has ports 389 and 636 open between Computer A and Domain Controller B.
For this reason DNS is not an option, as 53 is not open, so I need to reference Domain Controller B in my LDAP bind by IP address.
Using PowerShell is not an option (2003 domain without ADMGS); it has to be VBScript.

I know I need to use OpenDSObject instead of GetObject but I cannot figure out the connection.

Once the computer account is created, all the necessary ACLs need to be created as per this MS script (for the same domain):
http://support.microsoft.com/kb/315273

I have spent a few days trying to get this working; clearly I am not a scripter, so I'd really appreciate some help!
Question by:xxmp
3 Comments
 
LVL 28

Expert Comment

by:Ryan McCauley
ID: 40562502
This might be a bit roundabout, but how is the script actually being executed? If you don't have authentication access to the domain and there's no trust set up, you won't be able to launch an application with remote credentials. However, you can do a little-known trick with the RUNAS application using the "/NETONLY" switch:

http://codebetter.com/jameskovacs/2009/10/12/tip-how-to-run-programs-as-a-domain-user-from-a-non-domain-computer/

The net effect is that the process runs as the current local user, but when accessing remote resources (like other computers or a DC), it will provide the NETONLY credentials - as long as that remote resource can use them to authenticate properly, you're good to go. In this way, you could provide credentials from your remote domain when connecting to the domain controller.

All that said, I don't know that there's any way to do this automatically from a script, as you're suggesting - you can run the script as another user by using NETONLY, but you'd still have to initiate it (and provide the password) manually.
 

Accepted Solution

by:
xxmp earned 0 total points
ID: 40570436
' Placeholder values: the target computer name, the IP address of Domain Controller B,
' the destination OU, and an account in Domain B delegated to create computer objects there
strComputer = "COMPUTER NAME"
strLDAPServer = "LDAP SERVER TO CONNECT TO"
strContainer = "OU FOR COMPUTER ACCOUNT TO BE CREATED"
strUser = "USERNAME WITH PERMISSIONS TO JOIN MACHINE TO DOMAIN"
strPass = "PASSWORD"

Const ADS_SECURE_AUTHENTICATION = 1   ' authenticate via Negotiate (NTLM here, as there is no trust)
Const ADS_SERVER_BIND = &h0200        ' the path names a specific server (IP), so skip serverless/DNS lookups

Set dso = GetObject("LDAP:")
' OpenDSObject binds as strUser instead of the logged-on user; the two flags are combined
' so the bind is authenticated and goes straight to the named server
Set objContainer = dso.OpenDSObject("LDAP://" & strLDAPServer & "/" & strContainer, _
    strUser, strPass, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

Set objComputer = objContainer.Create("Computer", "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"   ' computer accounts carry a trailing $
objComputer.Put "userAccountControl", 4096            ' ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo                                   ' commit the new object to the directory

WScript.Quit
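The same bind, as an added example that is not the poster's script: it uses the 636 port the question says is open (ADS_USE_SSL), reports ADSI bind and create errors instead of failing silently, and reads the new object back with the delegated account to confirm where it landed. All names, the DC address and the credentials are constructed placeholders, and the example assumes Computer A trusts the certificate Domain Controller B presents for that address.

```vbscript
Option Explicit
On Error Resume Next   ' Err is checked after each ADSI call instead of aborting the script

' Constructed placeholder values; substitute the real DC IP, OU and delegated account.
' The account only needs "Create Computer objects" on the target OU, not Domain Admins.
Dim strComputer, strDCAddress, strContainer, strUser, strPass
strComputer  = "WKS-EXAMPLE"
strDCAddress = "192.0.2.10"                        ' Domain Controller B, reached by IP (no DNS)
strContainer = "OU=Workstations,DC=domainb,DC=example"
strUser      = "DOMAINB\svc-joiner"
strPass      = "PLACEHOLDER-PASSWORD"

' IADsOpenDSObject authentication flags
Const ADS_SECURE_AUTHENTICATION = &H1    ' Negotiate (NTLM here, since there is no trust)
Const ADS_USE_SSL               = &H2    ' LDAPS; the DC certificate must be trusted and valid for the address used
Const ADS_SERVER_BIND           = &H200  ' path names a specific server, so no serverless/DNS lookup
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &H1000

Dim lngFlags, objDSO, objContainer, objComputer, objCheck
lngFlags = ADS_SECURE_AUTHENTICATION Or ADS_USE_SSL Or ADS_SERVER_BIND

Set objDSO = GetObject("LDAP:")
Set objContainer = objDSO.OpenDSObject("LDAP://" & strDCAddress & ":636/" & strContainer, _
                                       strUser, strPass, lngFlags)
If Err.Number <> 0 Then
    ' Typical causes: wrong credentials, 636 blocked, or an untrusted server certificate
    WScript.Echo "Bind to " & strDCAddress & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

Set objComputer = objContainer.Create("Computer", "CN=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo
If Err.Number <> 0 Then
    ' e.g. the name already exists or strUser lacks create rights on the OU
    WScript.Echo "Create failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

' Read the object back with the same credentials to confirm it exists where expected
Set objCheck = objDSO.OpenDSObject("LDAP://" & strDCAddress & ":636/CN=" & strComputer & "," & strContainer, _
                                   strUser, strPass, lngFlags)
If Err.Number = 0 Then
    WScript.Echo "Created " & objCheck.Get("distinguishedName")
Else
    WScript.Echo "Created, but read-back failed: 0x" & Hex(Err.Number) & " " & Err.Description
End If
WScript.Quit 0
```

The ACL step from KB 315273 that the question mentions is not included; this block only covers the cross-domain bind and object creation.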
 

Author Closing Comment

by:xxmp
ID: 40581251
Through trial and error, I found this to work perfectly.
