
How do I Create a Computer Account object in remote domain specifying alternative credentials - VBscript / LDAP bind ?

On Computer A in Domain A I am trying to run a vbscript which will bind to the Domain Controller B in Domain B and create a computer account specifying credentials with appropriate permissions in Domain B.

There is no trust between the domains.
The firewall only has ports 389 and 636 open between Computer A and Domain Controller B.
For this reason DNS is not an option, as port 53 is not open, so I need to reference Domain Controller B in my LDAP bind by IP address.
Using PowerShell is not an option (2003 domain without ADMGS); it has to be VBscript.

I know I need to use OpenDSObject instead of GetObject but I cannot figure out the connection.

Once the computer account is created, all the necessary ACLs need to be created as per this MS script (for same domain)
http://support.microsoft.com/kb/315273

I have spent a few days trying to get this working; clearly I am not a scripter, and I'd really appreciate some help!

Asked by xxmp
1 Solution
Ryan McCauley (Data and Analytics Manager) commented:
This might be a bit roundabout, but how is the script actually being executed? If you don't have authentication access to the domain and there's no trust set up, you won't be able to launch an application with remote credentials. However, you can do a little-known trick with the RUNAS application using the "/NETONLY" switch:

http://codebetter.com/jameskovacs/2009/10/12/tip-how-to-run-programs-as-a-domain-user-from-a-non-domain-computer/

The net effect is that the process runs as the current local user, but when accessing remote resources (like other computers or a DC), it will provide the NETONLY credentials - as long as that remote resource can use them to authenticate properly, you're good to go. In this way, you could provide credentials from your remote domain when connecting to the domain controller.

All that said, I don't know that there's any way to do this automatically from a script, as you're suggesting - you can run the script as another user by using NETONLY, but you'd still have to initiate it (and provide the password) manually.

xxmp (Author) commented:
' Placeholders: fill in before running
strComputer = "COMPUTER NAME"
strLDAPServer = "LDAP SERVER TO CONNECT TO"            ' IP address of Domain Controller B
strContainer = "OU FOR COMPUTER ACCOUNT TO BE CREATED" ' distinguished name of the target OU
strUser = "USERNAME WITH PERMISSIONS TO JOIN MACHINE TO DOMAIN"
strPass = "PASSWORD"

Const ADS_SECURE_AUTHENTICATION = 1      ' NTLM/Kerberos bind instead of a simple (clear-text) bind
Const ADS_SERVER_BIND = &h0200           ' path names a server (here an IP), so skip domain/DNS discovery

' OpenDSObject accepts explicit credentials, which GetObject("LDAP://...") does not
Set dso = GetObject("LDAP:")
Set objContainer = dso.OpenDSObject("LDAP://" & strLDAPServer & "/" & strContainer, _
    strUser, strPass, ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)

' Create the computer object in the target OU
Set objComputer = objContainer.Create("Computer", _
    "cn=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"   ' computer account names end in $
objComputer.Put "userAccountControl", 4096            ' ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo                                   ' commit the new object to the directory

WScript.Quit

xxmp (Author) commented:
Through trial and error, found this to work perfectly.
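The following is an added example, not the poster's script or anything from the thread, showing the same OpenDSObject bind hardened for the constraints the question describes: the DC is reached by IP address only, and port 636 is open. It binds over LDAPS (ADS_USE_ENCRYPTION) with ADS_SERVER_BIND so ADSI performs no DNS or DC discovery, reads the password at run time instead of storing it in the script, and checks whether the computer object already exists before creating it. The IP address, OU, computer name and service account are placeholder assumptions, and the ERROR_DS_NO_SUCH_OBJECT value is the code ADSI surfaces when a bind targets a DN that does not exist.

```vbscript
' Added example (not from the original thread): LDAPS bind by IP with an existence check.
Option Explicit

' ADSI authentication flags (ADS_AUTHENTICATION_ENUM)
Const ADS_SECURE_AUTHENTICATION = &h0001   ' NTLM/Kerberos instead of a simple bind
Const ADS_USE_ENCRYPTION        = &h0002   ' SSL/TLS on the connection (same value as ADS_USE_SSL)
Const ADS_SERVER_BIND           = &h0200   ' the path names a server, not a domain: no DNS/DC discovery
Const ADS_UF_WORKSTATION_TRUST_ACCOUNT = &h1000   ' 4096, the userAccountControl value the thread sets
Const ERROR_DS_NO_SUCH_OBJECT   = &h80072030      ' ADSI error for "no such object on the server"

' Placeholder values (assumptions, not from the thread)
Dim strDC, strContainer, strComputer, strUser, strPass
strDC        = "192.0.2.10:636"                        ' DC B by IP, LDAPS port (RFC 5737 test address)
strContainer = "OU=Workstations,DC=domainb,DC=example"  ' placeholder OU distinguished name
strComputer  = "WKS01"                                 ' placeholder computer name
strUser      = "DOMAINB\svc-computerjoin"              ' placeholder account with create rights on the OU

' Prompt for the password under cscript so it is not stored in the script file
WScript.StdOut.Write "Password for " & strUser & ": "
strPass = WScript.StdIn.ReadLine

Dim lngFlags
lngFlags = ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION Or ADS_SERVER_BIND

Dim dso, strComputerDN, objContainer, objComputer
Set dso = GetObject("LDAP:")
strComputerDN = "CN=" & strComputer & "," & strContainer

' Existence check: binding to the would-be DN succeeds only if the object is already there
On Error Resume Next
Set objComputer = dso.OpenDSObject("LDAP://" & strDC & "/" & strComputerDN, strUser, strPass, lngFlags)
If Err.Number = 0 Then
    WScript.Echo "Already exists, nothing to do: " & strComputerDN
    WScript.Quit 0
ElseIf Err.Number <> ERROR_DS_NO_SUCH_OBJECT Then
    ' Anything other than "not found" (bad credentials, TLS failure, port blocked) is a real error
    WScript.Echo "Bind to " & strDC & " failed: " & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
Err.Clear
On Error GoTo 0

' Bind to the container with the supplied credentials and create the account
Set objContainer = dso.OpenDSObject("LDAP://" & strDC & "/" & strContainer, strUser, strPass, lngFlags)
Set objComputer = objContainer.Create("Computer", "CN=" & strComputer)
objComputer.Put "sAMAccountName", strComputer & "$"
objComputer.Put "userAccountControl", ADS_UF_WORKSTATION_TRUST_ACCOUNT
objComputer.SetInfo

' Read back what the directory actually committed
objComputer.GetInfo
WScript.Echo "Created: " & objComputer.Get("distinguishedName")
```

Two things to check before relying on this. First, an LDAPS bind validates the DC's certificate: Computer A must trust the issuing CA, and because the path names the DC by IP address rather than by host name, the certificate has to carry that IP as a subject alternative name or the bind fails. Second, with no trust between the domains Kerberos cannot be used, so ADS_SECURE_AUTHENTICATION results in an NTLM bind; keeping ADS_USE_ENCRYPTION means that exchange, and the attribute values written afterwards, travel inside TLS rather than in the clear on port 389. Run the script with cscript rather than wscript, since WScript.StdIn is only available there.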