Adding a Workstation (NT4 and W2k) to the Domain and Specify Correct OU

Keywords:   Adding workstation NT4 and W2k domain specify OU

Question:

Does anyone have an idea how I can join a workstation to the domain with a script? I want to be able to run the script from the workstation, with the right user ID and password in the script, create an account in the domain for the workstation, and join it automatically. Any help is greatly appreciated.

If it is possible to specify the correct OU when adding a device to the Win2k domain, then that would be ideal!

Answer:

Use the dsMoveObj function in the ADSI extender to move the computer from the default location to the desired OU.

Question (cont'd):

The only problem is that on the domain the default computer OU has been set so that no computer objects can be created there. They must be created in the correct OU or an error is generated. So I am looking for a method of joining the computer to the domain by creating the computer object in the correct OU. Currently, running netdom with the RunHideWait command, piping the output to a text file, and then parsing the text file to see if it successfully joined is the only way that I have found to do this, other than going through the MMC and pre-creating the computer accounts by hand, which leads to errors where the computer name does not match the domain name. So I am looking for a method that would allow me to join the domain in the correct OU without using Netdom to do so. Thoughts? Suggestions? I am open to trying anything to get away from Netdom.

Answer:

Some Notes:

The dsMoveObj function moves an ADSI object from one container to another. The object can optionally be renamed by providing a new name in the third parameter. If you wish to rename an object without moving it, place the path of the object's current parent in the second parameter.

You can use dsFindPath to determine the path of an object if you don't know where it is, and you can use dsIsObject to determine whether an object exists if you know the path.

Here is a sample script:

;********************************************************************
; Declare constants used in defining the default location for the
; machine account, flags to identify the object as a machine account,
; and security flags. These can be found in constants.wbt
;********************************************************************
UF_WORKSTATION_TRUST_ACCOUNT = 4096 ; This is a computer account that is a member of this domain.
UF_ACCOUNTDISABLE = 2 ; The user's account is disabled.
UF_PASSWD_NOTREQD = 32 ; No password is required.
ACCESS_ALLOWED = 0 ; The ACE is of the standard ACCESS ALLOWED type, where the ObjectType and
; InheritedObjectType fields are NULL.
INHERIT_ACE = 2 ; Child objects will inherit this access-control entry (ACE). The inherited
; ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE flag is set.
GENERIC_ALL = 268435456 ; The right to create or delete children, delete a subtree, read and write
; properties, examine children and the object itself, add and remove the
; object from the directory, and read or write with an extended right.

;*********************************************************************
;* Set the flags on this object to identify it as a machine account
;* and determine the name. The name is used statically here, but may 
;* be determined by a command line parameter or by using an InputBox
;*********************************************************************

lFlag = UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD
sComputerName = "TestComputer"

;*********************************************************************
;* Establish a path to the container in the Active Directory where
;* the machine account will be created. 
;* For simplicity's sake we are hard-coding the path. Normally this
;* is not the best way to do it.
;*********************************************************************

sComputerContainer = "LDAP://myserver/OU=MyOU,DC=myWin2kdomain,DC=mysubdomain,DC=com"

;*********************************************************************
;* Here, the computer account is created. Certain attributes must
;* have a value before committing the object to the Active
;* Directory with dsSetObj
;*********************************************************************

sComputerPath = dsCreateobj(sComputerContainer, "computer", "CN=%sComputerName%")
dsSetProperty(sComputerPath, "samAccountName", "%sComputerName%$")
dsSetProperty(sComputerPath, "userAccountControl", lFlag)
dsSetObj(sComputerPath)

;*********************************************************************
;* Establish a default password for the machine account
;*********************************************************************

sPwd = "%sComputerName%$"
sPwd = StrLower(sPwd)
dsSetPassword(sComputerPath, "", sPwd) 

;*********************************************************************
;* Specify which user or group may activate/join this computer to the
;* domain. Note that this is the downlevel naming convention used in
;* this example.
;*********************************************************************

sUserOrGroup = "mydomain\rtest"

;*********************************************************************
;* Bind to the Discretionary ACL on the newly created computer account
;* and create an Access Control Entry (ACE) that gives the specified
;* user or group full control on the machine account
;* Note: the second parameter to the dsCreateSecObj function can have the
;* following values:
;* 1 = Security descriptor.
;* 2 = ACL.
;* 3 = ACE.
;*********************************************************************

secDescriptor = dsGetProperty(sComputerPath, "ntSecurityDescriptor")
dACL = dsGetSecProp(secDescriptor, "DiscretionaryAcl")
ACE = dsCreateSecObj(sComputerPath, 3)

;*********************************************************************
;* Grant Full Control
;*********************************************************************

dsSetSecProp(ACE, "AccessMask", GENERIC_ALL)
dsSetSecProp(ACE, "AceType", ACCESS_ALLOWED)
dsSetSecProp(ACE, "AceFlags", INHERIT_ACE)

;*********************************************************************
;* Grant this control to the user or group specified earlier.
;*********************************************************************

dsSetSecProp(ACE, "Trustee", sUserOrGroup)

;*********************************************************************
;* Now, add this ACE to the DACL on the machine account
;*********************************************************************
dsAclAddAce(dACL, ACE, -1)
dsAclOrderAce(dACL)
dsSetSecProp(secDescriptor, "DiscretionaryAcl", dACL)

;*********************************************************************
;* Commit the security changes to the machine account
;*********************************************************************

dsSetProperty(sComputerPath, "ntSecurityDescriptor", secDescriptor)

;*********************************************************************
;* Once all parameters and permissions have been set, enable the 
;* account.
;*********************************************************************

lFlag = dsGetProperty(sComputerPath, "userAccountControl")
lFlag = lFlag & (~UF_ACCOUNTDISABLE) 
dsSetProperty(sComputerPath, "userAccountControl", lFlag)

;*****************
;* End Script
;***************** 
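As an added example (not part of the original page or the WinBatch ADSI extender), the following Python models the userAccountControl arithmetic the script above performs and then audits a constructed set of computer objects for accounts left in the pre-staged state (still disabled, PASSWD_NOTREQD still set, or created outside the intended OU). The computer names, the OU and the sample records are hypothetical.

```python
# Added example, not from the original script: model the script's
# userAccountControl (UAC) handling and audit constructed computer objects.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000

UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
}

def staged_flags():
    """Flags the script ORs together before committing the object (lFlag)."""
    return UF_WORKSTATION_TRUST_ACCOUNT | UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD

def enable_account(flags):
    """Final step of the script: clear only the disable bit, keep the rest."""
    return flags & ~UF_ACCOUNTDISABLE

def decode_uac(flags):
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_NAMES.items() if flags & bit]

def audit_computer(record, expected_ou):
    """Return a list of findings for one computer object (dict of attributes)."""
    findings = []
    uac = record["userAccountControl"]
    if not record["sAMAccountName"].endswith("$"):
        findings.append("samAccountName lacks trailing $")
    if not uac & UF_WORKSTATION_TRUST_ACCOUNT:
        findings.append("not flagged as workstation trust account")
    if uac & UF_ACCOUNTDISABLE:
        findings.append("still disabled: staging never completed")
    if uac & UF_PASSWD_NOTREQD:
        findings.append("PASSWD_NOTREQD still set after staging")
    if not record["distinguishedName"].lower().endswith("," + expected_ou.lower()):
        findings.append("object is outside the expected OU")
    return findings

# Constructed sample objects (hypothetical names and OU, not real directory data).
EXPECTED_OU = "OU=MyOU,DC=myWin2kdomain,DC=mysubdomain,DC=com"
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "TESTCOMPUTER$", "userAccountControl": 4128,
     "distinguishedName": "CN=TestComputer," + EXPECTED_OU},
    {"sAMAccountName": "STALE01$", "userAccountControl": 4130,
     "distinguishedName": "CN=Stale01," + EXPECTED_OU},
    {"sAMAccountName": "MOVED02$", "userAccountControl": 4096,
     "distinguishedName": "CN=Moved02,CN=Computers,DC=myWin2kdomain,DC=mysubdomain,DC=com"},
]

def audit_all(records, expected_ou=EXPECTED_OU):
    """Map each sAMAccountName to its findings; an empty list means clean."""
    return {r["sAMAccountName"]: audit_computer(r, expected_ou) for r in records}
```

Run `audit_all(SAMPLE_COMPUTERS)` to see that an account enabled by the script alone still carries PASSWD_NOTREQD, which is worth clearing once the workstation has joined.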

Article ID:   W15376
File Created: 2003:05:13:11:27:24
Last Updated: 2003:05:13:11:27:24