My AD admin has requested that we delegate rights to our desktop team to each individual computer as it joins the domain.  Is there a way to do this as part of the KACE join domain script?  My script is currently running successfully on Windows XP machines.  I just need to know if I can add the option to delegate AD rights.


Here's what my scripts look like now:

REM ***** Join a Windows x86 computer to the domain *****
REM ***** Join_Domain.vbs <domain> <DomainUser> <password> <OU distinguished name> [<Default domain DNS Server IP>] *****

C:\source\Join_Domain.vbs kace **** "OU=kace Workstations,DC=somewhere,DC=Net" 10.1.xx.xx

REM ***** Turn off the autologon used during imaging and clear the credentials it left in Winlogon *****
REM ***** (DefaultPassword is stored in plaintext, so it is deleted rather than set to an empty string) *****
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f

REM ***** On the next logon, remove the staging folder that holds this script and the join credentials *****
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" /v V1 /t REG_SZ /d "CMD /C \"rd /s /q C:\source\""

' Flags accepted by Win32_ComputerSystem.JoinDomainOrWorkGroup
Const JOIN_DOMAIN             = 1
Const ACCT_CREATE             = 2
Const ACCT_DELETE             = 4
Const WIN9X_UPGRADE           = 16
Const JOIN_UNSECURE           = 64
Const DEFERRED_SPN_SET        = 256
Const INSTALL_INVOCATION      = 262144

' Usage: Join_Domain.vbs <domain> <user> <password> <OU DN> [<DNS server IP>]
' Four arguments are required; the DNS server IP is optional.
If WScript.Arguments.Count < 4 Or WScript.Arguments.Count > 5 Then
  WScript.Echo "Usage: Join_Domain.vbs <domain> <user> <password> <OU DN> [<DNS server IP>]"
  WScript.Quit 1
End If

strDomain   = WScript.Arguments.Item(0)
strUser     = WScript.Arguments.Item(1)
strPassword = WScript.Arguments.Item(2)
strOU       = WScript.Arguments.Item(3)

' Optional fifth argument: point the NIC at the domain DNS server first so the
' domain controller can be located. Wait for netsh to finish before joining.
If WScript.Arguments.Count = 5 Then
  strDNSIP = WScript.Arguments.Item(4)
  Set objShell = CreateObject("WScript.Shell")
  objShell.Run "netsh int ip set dns ""Local Area Connection"" static " & _
               strDNSIP & " primary", 0, True
End If

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
                            strComputer & _
                            "\root\cimv2:Win32_ComputerSystem.Name='" & _
                            strComputer & "'")

' Join the domain and create the computer account in the target OU.
' A return value of 0 means success; any other value is a Win32 error code.
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
                                                strPassword, _
                                                strDomain & "\" & strUser, _
                                                strOU, _
                                                JOIN_DOMAIN + ACCT_CREATE)
WScript.Echo "JoinDomainOrWorkGroup returned " & ReturnValue


I would use a GPO for this.

Answered 12/17/2012 by: dugullett
Red Belt

  • Thanks, dugullett!
    This seems like a better solution to me. I'll talk to the AD admin about that.

  • It looks like we already use a GPO for local admin. That GPO doesn't solve for AD computer object delegation. Our AD admin thinks there's a way to just force inheritance instead of including it in the join domain script.

    I'll post here if we figure it out.

    Thanks again for your help.
  • So if your actual need is to delegate administration privileges over the AD objects for the computers, you wouldn't do that for each object, or at least you would not want to do it that way.

    Desktops should be in a collection of OUs to which the desktop support team is delegated computer object admin privileges. It makes sense to also delegate computer object management to them for the default computer container so that they can move the desktop computers into the appropriate OUs for long-term management, for those times when they are not being added into the correct containers when joined to the domain.
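The OU-level delegation described in the answer above, written out as an added PowerShell example (this is not code from the original post or from KACE). It grants a desktop-support group two access control entries on each target OU: create/delete of child objects restricted to the computer class, and full control inherited only by descendant computer objects. Because the second ACE is inherited, every machine the join script drops into the OU is covered with no per-object step in Join_Domain.vbs. The group name is an assumption; the OU DN is the one from the posted script, and the default Computers container is included because the answer suggests delegating it too. It requires the RSAT ActiveDirectory module and an account that can modify the OUs' security descriptors.

```powershell
# Added example: delegate computer-object management on OUs to a group.
# Assumptions (not from the original page): the group 'Desktop Support'
# exists, and the caller may write the OUs' security descriptors.
Import-Module ActiveDirectory

$Group = 'Desktop Support'                         # assumed group name
$OUs   = @(
    'OU=kace Workstations,DC=somewhere,DC=Net',    # OU used by the posted script
    'CN=Computers,DC=somewhere,DC=Net'             # default container (per the answer)
)

# schemaIDGUID of the "computer" class; this value is the same in every forest.
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$GroupSid      = (Get-ADGroup -Identity $Group).SID

function Add-ComputerObjectDelegation {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)

    $path = "AD:\$OuDn"
    $acl  = Get-Acl -Path $path

    # ACE 1: create and delete child objects in this container, limited to the
    # computer class (objectType = computer schema GUID); not inherited further.
    $createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    # ACE 2: full control, inherited only by descendant objects of the computer
    # class (inheritedObjectType = computer schema GUID). This is what lets the
    # team reset, rename, move and edit machine accounts, but not users or GPOs.
    $fullOnComputers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass)

    $acl.AddAccessRule($createDelete)
    $acl.AddAccessRule($fullOnComputers)
    Set-Acl -Path $path -AclObject $acl
}

function Get-ComputerObjectDelegation {
    # Check: list the ACEs on the OU that belong to the delegated group.
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)

    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object {
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
        } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritanceType, InheritedObjectType
}

foreach ($ou in $OUs) {
    Add-ComputerObjectDelegation -OuDn $ou -Sid $GroupSid
    Get-ComputerObjectDelegation -OuDn $ou -Sid $GroupSid | Format-Table -AutoSize
}
```

Scoping both ACEs to the computer schema GUID is the important part: a plain inherited GenericAll on the OU would also hand the group control of any user, group or other object that later lands there. If machines keep appearing in the default Computers container, the usual complement to delegating that container is redircmp (Windows Server 2003 domain functional level or later), which makes a managed OU the default location for new computer accounts so the join script's OU argument is no longer a single point of failure.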