Trying to add a computer to a security group at the same time as adding to the domain during deployment in K2000

I have modified the join domain script to also enable UAC and attempt to add the computer account in AD to a security group, but am failing to get the group added OK.

The PowerShell script works when run from a computer on my network, and everything else about the script works fine.

Here is a redacted version of the script. I tried moving the add-to-security-group part around a little, but it just doesn't seem to work during the deployment! I would have expected that adding it to the end would mean the account is in AD and ready to be used by this script to add to the group.

#enter user account that will be used to join domain
  $domain   = "tailspintoys.com"
  $password = "5555555555555" | ConvertTo-SecureString -AsPlainText -Force
  $user     = "$domain\JoinPCaccount"
  $cred     = New-Object System.Management.Automation.PSCredential($user, $password)

#edit for OU path and the domain controller to talk to
  $oupath = 'OU=standard,OU=computers,DC=tailspintoys,DC=com'
  $server = "domaincontroller1.tailspintoys.com"

#join the domain, placing the computer object in the OU on the chosen DC
  Add-Computer -DomainName $domain -OUPath $oupath -Credential $cred -Server $server -ErrorAction SilentlyContinue

#second join attempt without OU placement, in case the first call failed
  Add-Computer -DomainName $domain -Credential $cred

#pull the group and computer objects from AD (the machine has not rebooted yet, so the AD cmdlets need the join credential rather than the local account)
  Import-Module ActiveDirectory
  $group        = Get-ADGroup "CN=Laptop-Computers,DC=tailspintoys,DC=com" -Server $server -Credential $cred
  $hostname     = hostname
  $computerName = Get-ADComputer $hostname -Server $server -Credential $cred

#add the computer object to the AD security group
  Add-ADGroupMember $group -Members $computerName -Server $server -Credential $cred
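The following is an added example (not the poster's script) of the same join-then-add-to-group flow written to survive an unattended post-install task: one join call pinned to a single DC, the join credential passed to every AD cmdlet (the machine is not a domain member until it reboots), a short retry while the new computer object appears, and output written to a log file so the red text seen during deployment can be read afterwards. The domain, OU, group, DC and account names are placeholders, and it assumes the RSAT ActiveDirectory module is present in the image.

```powershell
# Added example, not from the original post. Placeholders: domain, OU, group, DC, account.
$log      = 'C:\Windows\Temp\domain-join.log'
$domain   = 'tailspintoys.com'
$server   = 'domaincontroller1.tailspintoys.com'
$ouPath   = 'OU=standard,OU=computers,DC=tailspintoys,DC=com'
$groupDn  = 'CN=Laptop-Computers,DC=tailspintoys,DC=com'
$user     = "$domain\JoinPCaccount"
$password = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential($user, $password)

function Write-Log([string]$Message) {
    # Timestamped line appended to the log file; readable after the reboot.
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $log -Append -Encoding utf8
}

try {
    # Assumes the RSAT ActiveDirectory module exists in the deployed image.
    Import-Module ActiveDirectory -ErrorAction Stop

    # One join call: -OUPath places the object, -Server pins the DC that is also
    # queried below, so the new object is visible without waiting for replication.
    Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -Server $server -ErrorAction Stop
    Write-Log "Joined $domain into $ouPath via $server"

    # Not rebooted yet, so the AD cmdlets must run as the join account, not the
    # local SYSTEM account. -Filter returns $null instead of throwing when the
    # object is not there yet, which makes the retry loop simple.
    $computer = $null
    for ($i = 0; $i -lt 6 -and -not $computer; $i++) {
        $computer = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Server $server -Credential $cred
        if (-not $computer) { Start-Sleep -Seconds 10 }
    }
    if (-not $computer) { throw "Computer object for $env:COMPUTERNAME not found on $server" }

    # The join account only needs 'Write members' on this one group.
    Add-ADGroupMember -Identity $groupDn -Members $computer -Server $server -Credential $cred -ErrorAction Stop
    Write-Log "Added $($computer.DistinguishedName) to $groupDn"
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```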

2 Comments
  • I don't know about the PS script, but I wanted to mention that we do a similar thing through the setup configuration (aka "unattended") XML and it works great for us. - JasonEgg 4 years ago
    • Hi JasonEgg

      How are you provisioning the hostname for the machine and the domain join if using unattend file? - Vivalo 4 years ago
      • It was set up by someone else, so I don't exactly know. There's plenty of documentation online. - JasonEgg 4 years ago
  • Hi JasonEgg

    What I meant was that the auto unattend file would have to be hard coded with the hostname. I have the hostname provisioned as a kid deployment task, so it would not work to do it. I will edit the script to save the output to a file, as I can briefly see, during the deployment, the PowerShell flash up on the screen with red text (so it is erroring out). - Vivalo 4 years ago

Answers (1)

Posted by: JasonEgg 4 years ago
Tangential, relating to my comments.

Here is the section of our unattend.xml which adds the computer to the domain:
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
  <Identification>
    <JoinDomain>DOMAIN_TO_JOIN</JoinDomain>
    <MachineObjectOU>OU=YOUR_OU, DC=YOUR_OTHER_VALUES</MachineObjectOU>
    <Credentials>
      <Domain>YOUR_FQDN</Domain>
      <Username>YOUR_USER</Username>
      <Password>YOUR_PASS</Password>
    </Credentials>
  </Identification>
</component>