My AD admin has requested that we delegate rights to our desktop team to each individual computer as it joins the domain.  Is there a way to do this as part of the KACE join domain script?  My script is currently running successfully on Windows XP machines.  I just need to know if I can add the option to delegate AD rights.

Thanks,
awingren

Here's what my scripts look like now:

JoinDomain_x86.bat:
REM ***** Join a Windows x86 computer to the domain *****
REM ***** Usage: Join_Domain.vbs <domain> <DomainUser> <password> <AccountOU> [<Default domain DNS Server IP>] *****
REM ***** The join account's password is stored in clear text in this file, so the RunOnce entry at the end removes C:\source after the reboot *****

cscript //nologo C:\source\Join_Domain.vbs somewhere.net kace **** "OU=kace Workstations,DC=somewhere,DC=Net" 10.1.xx.xx

REM ***** Turn autologon off and blank the stored account name and password. An empty /d value clears a REG_SZ; *****
REM ***** "<NULL>" would be parsed by cmd.exe as file redirection and the command would fail *****
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "" /f

REM ***** Delete the script folder (and the password in it) at the next logon; \" is how reg.exe takes a literal quote inside the value *****
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v V1 /t REG_SZ /d "CMD /C \"rd /s /q C:\source\""

Join_Domain.vbs:
' Join this computer to a domain and create its computer account in the given OU.
' Usage: Join_Domain.vbs <domain> <DomainUser> <password> <AccountOU> [<DNS Server IP>]
Option Explicit

' Flag values for Win32_ComputerSystem.JoinDomainOrWorkGroup
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

Dim strDomain, strUser, strPassword, strOU, strDNSIP
Dim objShell, objNetwork, objComputer, strComputer, ReturnValue

If WScript.Arguments.Count < 4 Or WScript.Arguments.Count > 5 Then
  WScript.Echo "Usage: Join_Domain.vbs <domain> <DomainUser> <password> <AccountOU> [<DNS Server IP>]"
  WScript.Quit 1
End If

strDomain   = WScript.Arguments.Item(0)
strUser     = WScript.Arguments.Item(1)
strPassword = WScript.Arguments.Item(2)
strOU       = WScript.Arguments.Item(3)

' Optional fifth argument: point the NIC at the domain DNS server before joining.
If WScript.Arguments.Count = 5 Then
  strDNSIP = WScript.Arguments.Item(4)
  Set objShell = CreateObject("WScript.Shell")
  ' Wait for netsh to return (third argument True) so the join does not start
  ' before the DNS setting is in place.
  objShell.Run "netsh int ip set dns ""local area connection"" static " & _
               strDNSIP & " primary", 0, True
End If

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
                            strComputer & _
                            "\root\cimv2:Win32_ComputerSystem.Name='" & _
                            strComputer & "'")

' JoinDomainOrWorkGroup(Name, Password, UserName, AccountOU, FJoinOptions)
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
                                                strPassword, _
                                                strDomain & "\" & strUser, _
                                                strOU, _
                                                JOIN_DOMAIN + ACCT_CREATE)

' 0 means success; anything else is a Win32 error code, e.g. 5 = access denied
' (the join account lacks create rights on the OU), 1355 = domain not found or
' not reachable, 2224 = a computer account with this name already exists.
If ReturnValue <> 0 Then
  WScript.Echo "Join to " & strDomain & " failed with error " & ReturnValue
End If
WScript.Quit ReturnValue

Answers

4

I would use a GPO for this.

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain

Answered 12/17/2012 by: dugullett
Red Belt

  • Thanks, dugullett!
    This seems like a better solution to me. I'll talk to the AD admin about that.

    -awingren
  • It looks like we already use a GPO for local admin. That GPO doesn't solve for AD computer object delegation. Our AD admin thinks there's a way to just force inheritance instead of including it in the join domain script.

    I'll post here if we figure it out.

    Thanks again for your help.
    -awingren
  • So if your actual need is to delegate administration privileges over the AD objects for the computers, you wouldn't do that for each object, or at least you would not want to do it that way.

    Desktops should be in a collection of OUs to which the desktop support team is delegated computer object admin privileges. It makes sense to also delegate computer object management to them for the default computer container so that they can move the desktop computers into the appropriate OUs for long-term management, for those times when they are not being added into the correct containers when joined to the domain.
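
As an added example (not part of the original thread or of KACE), this is how the OU-level delegation the comment above describes could be granted with dsacls.exe, run once by the AD admin from a domain controller or an administrator's workstation rather than from the join script. The OU and the default Computers container are the ones implied by the join script's domain; the SOMEWHERE\Desktop-Admins group name is an assumed placeholder for the desktop team's security group.

```batch
@echo off
REM Added example, not from the original post: delegate computer-object
REM administration to the desktop team at the OU level, so nothing has to
REM be done per computer as it joins.
REM Assumed names: the workstation OU from the join script, the default
REM Computers container of that domain, and a hypothetical
REM "SOMEWHERE\Desktop-Admins" group.
setlocal
set "WS_OU=OU=kace Workstations,DC=somewhere,DC=Net"
set "DEFAULT_CN=CN=Computers,DC=somewhere,DC=Net"
set "TEAM=SOMEWHERE\Desktop-Admins"

REM 1. Allow the team to create and delete computer objects in the OU.
REM    CC = create child, DC = delete child, limited to the computer class.
dsacls "%WS_OU%" /G "%TEAM%:CCDC;computer"

REM 2. Full control over computer objects under the OU, existing and future.
REM    /I:S applies the ACE to sub-objects only, not to the OU itself, so the
REM    team cannot alter the OU's own permissions or delegation.
dsacls "%WS_OU%" /I:S /G "%TEAM%:GA;;computer"

REM 3. The same two grants on the default Computers container, so a machine
REM    that joined into the wrong place can be moved into the OU (a move
REM    needs delete rights at the source and create rights at the target).
dsacls "%DEFAULT_CN%" /G "%TEAM%:CCDC;computer"
dsacls "%DEFAULT_CN%" /I:S /G "%TEAM%:GA;;computer"

REM 4. Review: dsacls with only the object name dumps its ACL, so the new
REM    ACEs, and their inheritance flags, can be checked after the change.
dsacls "%WS_OU%" | findstr /I "Desktop-Admins"
dsacls "%DEFAULT_CN%" | findstr /I "Desktop-Admins"
endlocal
```

Scoping the grants to the computer class keeps the team from touching user or group objects that may sit in the same OUs, and the join account used by the script (kace in the example above) needs only the step 1 create right on the workstation OU, not the team's full control.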