/build/static/layout/Breadcrumb_cap_w.png

Join Domain KACE script - Delegating AD rights

My AD admin has requested that we delegate rights to our desktop team to each individual computer as it joins the domain.  Is there a way to do this as part of the KACE join domain script?  My script is currently running successfully on Windows XP machines.  I just need to know if I can add the option to delegate AD rights.

Thanks,
awingren

Here's what my scripts look like now:

JoinDomain_x86.bat:
REM ***** Join a Windows x86 computer to the domain
REM ***** Join_Domain.vbs <domain> <DomainUser> <password> <Default domain DNS Server IP> *****


C:\source\Join_Domain.vbs somewhere.net kace **** "OU=kace Workstations,DC=somewhere,DC=Net" 10.1.xx.xx

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <NULL> /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d <NULL> /f

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v V1 /t REG_SZ /d "CMD /C \"rd /s /q C:\source\""

Join_Domain.vbs:
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const DOMAIN_JOIN_IF_JOINED   = 32
Const JOIN_UNSECURE           = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

If WScript.Arguments.Count < 4 or WScript.Arguments.Count > 5 Then
  WScript.Quit
Else
  strDomain   = WScript.Arguments.Item(0)
  strUser = WScript.Arguments.Item(1)
  strPassword = WScript.Arguments.Item(2)
  strOU = WScript.Arguments.Item(3)

'set DNS IP address
  If WScript.Arguments.Count = 4 Then
    strDNSIP = WScript.Arguments.Item(3)
    Set objShell = CreateObject("WScript.shell")
    objShell.Run "netsh int ip set dns  ""local area connection"" static "& _
                  strDNSIP &" primary",0,0
  End If

End If


Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
                             strComputer & _
                             "\root\cimv2:Win32_ComputerSystem.Name='" _
                             & strComputer & "'")
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
                                                strPassword, _
                                                strDomain & "\" & strUser, _
                                                strOU, _
                                                JOIN_DOMAIN+ACCT_CREATE)



 

 


0 Comments   [ + ] Show comments

Answers (1)

Posted by: dugullett 11 years ago
Red Belt
4

I would use a GPO for this.

http://community.spiceworks.com/how_to/show/907-gpo-to-push-out-local-administrators-across-a-domain


Comments:
  • Thanks, dugullet!
    This seems like a better solution to me. I'll talk to the AD admin about that.

    -awingren - awingren 11 years ago
  • It looks like we already use a GPO for local admin. That GPO doesn't solve for AD computer object delegation. Our AD admin thinks there's a way to just force inheritance instead of including it in the join domain script.

    I'll post here if we figure it out.

    Thanks again for your help.
    -awingren - awingren 11 years ago
  • So if your actual need is to delegate administration privileges over the AD objects for the computers, you wouldn't do that for each object, or at least you would not want to do it that way.

    Desktops should be in a collection of OUs to which the desktop support team is delegated computer object admin privileges. It makes sense to also delegate computer object management to them for the default computer container so that they can move the desktop computers into the appropriate OUs for long-term management, for those time when they are not being added into the correct containers when joined to the domain. - andy_mcconnell 11 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ