Jay Thomas asked:
script issue with joining a pc to domain
Script help
I have a test script I run from on-prem which builds a VM in Azure and then connects to the domain.
I use Login-AzureRmAccount in the script to prompt the user to enter the username and password.
Part of my script also joins the PC to the domain using "add-computer -domainname ad.contoso.com -Credential AD\adminuser -restart -force" and pressing Enter.
The user is then asked to enter a password.
But I'd like to use a service account to get the PC joining the domain. So, I know I can use the above example using the service account service principal, but of course I am asked for a password, which I don't know. I know I'm missing something here and it may well be easy; how can I get around this? Any tips appreciated.
Thanks
"But I'd like to use a service account to get the PC joining the domain. So, I know I can use the above example using the service account service principal, but of course I am asked for a password, which I don't know. I know I'm missing something here and it may well be easy; how can I get around this? Any tips appreciated."
You need the service account password. Sean just showed you how to quasi-securely use the credential.
"But I'd like to use a service account to get the PC joining the domain"
Daevyd, OP will have to save the password and reuse it later within his script; this way it will not prompt the user for credentials. That password will be the password of the service account with the appropriate rights to join a computer to the domain.
"but of course I am asked for a password, which I don't know"
Nothing can be done in AD without credentials.
[I know, there is an easier way to do this now, but I've already built scripts for it.]
Whenever I create VMs in Azure, I always run a script that sets up the VM for me:
# Assumes $fileName, $containerName, $storagecontext, $rgName, $location, $vmName,
# $scriptName, $saName, $saKey and the four script arguments are set earlier in the script.
$baseFileName = Split-Path -Leaf -Path $fileName
$error.Clear()
# Upload the startup script to the storage container the extension will download it from
Set-AzureStorageBlobContent -Container $containerName -File $fileName -Blob $baseFileName -Context $storagecontext -Force
$error.Clear()
# Run the uploaded script inside the VM through the Custom Script Extension.
# Note: the -Argument string, $adminPass included, is passed to the script on its
# command line in clear text and is kept with the extension's settings, so treat it as
# visible to anyone who can read the VM's extension configuration or the extension logs.
$global:customScript = Set-AzureRmVMCustomScriptExtension `
    -ResourceGroupName $rgName `
    -Location $location `
    -VMName $vmName `
    -Name $scriptName `
    -StorageAccountName $saName `
    -StorageAccountKey $saKey `
    -ContainerName $containerName `
    -FileName $baseFileName `
    -Run $baseFileName `
    -Argument "$forestName $dcName $adminUser $adminPass" `
    -ErrorAction SilentlyContinue
And these scripts take their parameters so that I can do things like join the domain:
Param(
    [String] $forestName,
    [String] $server,
    [String] $user,
    [String] $password
)
# Small verbose-logging helper: joins all arguments into one message
function wv
{
    $s = $args -join ''
    Write-Verbose $s
}
## Join the domain
## secureStrings and credentials are not easily portable between computers,
## so the password arrives as a plain string and is wrapped in a PSCredential here
$netbios = if( ( $i = $forestName.IndexOf( '.' ) ) -gt 0 ) { $forestName.SubString( 0, $i ) } else { $forestName }
$user = $netbios + '\' + $user
$sec = ConvertTo-SecureString -String $password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential( $user, $sec )
# Log the user name only; the password must not be written to the verbose/extension log
wv "Startup-Server: Created pscredential for user '$user'"
Start-Sleep -Seconds 2
$count = 0
$attemptLimit = 5
$joined = $false
while( $count -lt $attemptLimit )
{
    $count++
    $error.Clear()
    Add-Computer `
        -DomainName $netbios `
        -Server $server `
        -Credential $cred `
        -Force `
        -ErrorAction SilentlyContinue
    # $? is $false when the cmdlet wrote an error, even with -ErrorAction SilentlyContinue
    if( $? )
    {
        wv "Startup-Server: Join domain '$netbios' success"
        $joined = $true
        break
    }
    wv "Startup-Server: Join domain '$netbios' failed. Error: $( $error[0].ToString() )"
    Start-Sleep -Seconds 30
}
if( $count -gt 0 )
{
    wv "Startup-Server: Executed Add-Computer (to join domain $netbios) $count time(s)"
    # Test the flag rather than the counter: a join that succeeds on the
    # final attempt leaves $count equal to $attemptLimit and is still a success
    if( -not $joined )
    {
        wv "Could not join domain $netbios. Returning failure."
        exit 1
    }
}
exit 0
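The deployment side above passes the join password as a plain -Argument string. One way to keep that password out of the extension's public settings, as an added example that is not the answerer's code and not part of the original thread: deploy the same kind of startup script with Set-AzureRmVMExtension and put the whole command line in ProtectedSettings, which the platform encrypts and only the extension agent inside the VM decrypts. It assumes the AzureRM modules are loaded, Login-AzureRmAccount has already been run, the join script has already been uploaded to the container, it takes the same -forestName/-server/-user/-password parameters as the script in this answer, and Get-AzureRmStorageAccountKey returns objects with a Value property. Resource-group, VM, storage and domain names are placeholders.

```powershell
# Added example, not the answerer's code. Deploys a join script through the
# Custom Script Extension with the password in protectedSettings instead of
# a plain-text -Argument string. All resource names below are placeholders.
Param(
    [Parameter(Mandatory)] [string] $rgName,
    [Parameter(Mandatory)] [string] $vmName,
    [Parameter(Mandatory)] [string] $location,
    [Parameter(Mandatory)] [string] $saName,
    [Parameter(Mandatory)] [string] $containerName,
    [string] $scriptName = 'Startup-Server.ps1',      # assumed: already uploaded to $containerName
    [string] $forestName = 'ad.contoso.com',          # placeholder forest
    [string] $dcName     = 'dc01.ad.contoso.com'      # placeholder DC
)

# Prompt once, on the operator's machine, for the join service account.
# The password stays a SecureString on this side until it is placed in the protected block.
$joinCred = Get-Credential -Message "Service account allowed to join $forestName"

# The extension needs the storage key to download the script; it goes in the protected block too.
# Assumption: this cmdlet returns key objects with a .Value property (AzureRM.Storage 1.1+).
$saKey   = (Get-AzureRmStorageAccountKey -ResourceGroupName $rgName -Name $saName)[0].Value
$fileUri = "https://$saName.blob.core.windows.net/$containerName/$scriptName"

# Public settings: only the script location. Anyone who can read the VM resource sees these.
$settings = @{ fileUris = @($fileUri) }

# Protected settings: encrypted by the platform, decrypted only inside the VM,
# and not returned by Get-AzureRmVMExtension. The command line lives here.
$plain = $joinCred.GetNetworkCredential().Password   # unwrapped only to build this block
$protected = @{
    storageAccountName = $saName
    storageAccountKey  = $saKey
    # Caveat: a password containing double quotes or percent signs needs extra escaping
    # because the command passes through cmd.exe before reaching powershell.exe.
    commandToExecute   = "powershell -ExecutionPolicy Unrestricted -File $scriptName " +
                         "-forestName $forestName -server $dcName " +
                         "-user $($joinCred.UserName) -password ""$plain"""
}
Remove-Variable plain   # do not leave the clear-text copy lying around in the session

Set-AzureRmVMExtension -ResourceGroupName $rgName -VMName $vmName -Location $location `
    -Name 'JoinDomain' -Publisher 'Microsoft.Compute' -ExtensionType 'CustomScriptExtension' `
    -TypeHandlerVersion '1.9' -Settings $settings -ProtectedSettings $protected
```

Run it after Login-AzureRmAccount from the same on-prem session that builds the VM. Only fileUris remains readable through the VM's extension properties; the storage key and the join command line, password included, are delivered to the VM encrypted and should not be echoed to the verbose log by the script that consumes them.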
Jay Thomas (asker):
Thanks all