I have exactly what you are looking for. But describing and commenting it all is such a pain I don’t want to go through the exercise again. I can share the code, but being a spaghetti coder, I’m not sure you’d be able to decode it. I shared it with someone (who shall remain nameless :) ) on this list and I never heard back. Prolly too much pain in the neck.

 

So, I’d just describe how I do it. No netdom involved. All VBScript behind an ASP page. The whole account creation/deletion logic is done using one special account that has the correct permissions delegated to it. This account is then used in authenticating against the DCs and doing the task when someone uses the tool. The password for this account is stored in a SQL database and read on the fly (it’s the best option I had) and then passed into the script.

 

The ASP page is protected and access to it is by membership in a security group. When we want someone to be able to add a computer to the domain, we add the person to that group. That person can then access the website. When the person accesses the website, the tool grabs the logon credentials, does a lookup on the person’s account to determine the person’s Site and OU. That person is only able to create a computer account in the OU (s)he belongs to. The person agrees to some standard disclaimer, and then types in the name of the computer (s)he wants to create. The tool looks up the name and if there is no match, it creates the account in the appropriate OU. The tool then sets the relevant ACLs on the newly-created object giving THIS user the permission to join the computer to the domain.

 

The user then logs into the computer (local admin because the computer is not yet in the domain) and runs through the normal join-computer-to-the-domain process. Because the computer account is already pre-created and because the ACEs on the object already include this user’s ability to add THIS computer to the domain, this user does not require ANY other special permission in the domain at all.

 

There are more things I do behind the scenes, and there are other versions of this tool for different groups of users who can add computers to the domain. The tools came about because there were many remote locations that did not have any admin on-site, but there was always someone who could follow instructions and use a web page.

 

Again, I do not have the time to comment or explain the code further. If you want it, just ask.

 

 

Sincerely,

Dèjì Akómoláfé,
MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
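The pre-create-then-delegate step described above, as an added PowerShell example that is not the tool's own VBScript/ASP code: it creates the computer object in the requester's OU only if the name is free, then grants that one user the rights a join to a pre-staged account needs (reset password, write account restrictions, validated writes to dNSHostName and servicePrincipalName). It assumes the RSAT ActiveDirectory module; the computer name, user and OU are placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$ComputerName = 'WS-SITE1-001'                              # placeholder
$Requester    = 'CONTOSO\jdoe'                              # placeholder: the web-tool user
$OU           = 'OU=Site1 Computers,DC=contoso,DC=com'      # placeholder: OU looked up from the user

# Same check the tool performs: refuse if the name is already taken.
if (Get-ADComputer -Filter "Name -eq '$ComputerName'" -ErrorAction SilentlyContinue) {
    throw "A computer named $ComputerName already exists."
}

# Pre-create the account in the requester's OU.
New-ADComputer -Name $ComputerName -Path $OU -Enabled $true
$computer = Get-ADComputer -Identity $ComputerName
$adPath   = "AD:\$($computer.DistinguishedName)"

$sid = (New-Object System.Security.Principal.NTAccount($Requester)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Schema GUIDs for the rights granted on the new object (well-known AD values):
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$accountRestr  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set
$validatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$validatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to SPN

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ExtendedRight', $allow, $resetPassword),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'ReadProperty, WriteProperty', $allow, $accountRestr),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', $allow, $validatedDns),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, 'Self', $allow, $validatedSpn)
)

# Scope the ACEs to this single object: the user gets no rights anywhere else in the OU.
$acl = Get-Acl -Path $adPath
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $adPath -AclObject $acl
```

Because the ACEs sit on the one computer object, the requester can complete the join as a local admin on that machine without holding "Add workstations to domain" or any broader delegation.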


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 8:04 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Thanks for the responses. I spoke too soon. Here is what I want to do: script a means for a generic domain user (created only for this purpose) to join workgroup machines to a domain when logged onto those machines as a local non-admin user.

 

Here's what I have done:

- created a user called "a-domainjoiner". Put this in the User and DomainJoiners groups.

- Created a test computer account in OU=test,DC=domain,DC=com

- As per David's suggestion, allowed DomainJoiners in the "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain"

- ran the following netdom batch from the workstation:

net use \\server1\public password /USER:domain\a-domainjoiner

netdom \\server1\public\netdom join /d:domain.com %computername% /OU:OU=test,DC=domain,DC=com /ud:domain\domainjoiner /pd:password /reboot /Verbose

 

When I run this as a workstation User, I get the error:

"The computer account rename failed with error 5"

“The account already exists”

 

When I run it as a workstation admin, I get the same thing but "error 2224".

 

What am I missing here?

 

TIA

 

P.S. what do you mean, Freddy?

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 6:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Also check out computer account permissions when you create them.

 

Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Windows Administrator (ADSM/NT Security)

Spherion Technology Group, Singapore

For Agilent Technologies

E-mail: [EMAIL PROTECTED]

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Saturday, April 09, 2005 7:55 AM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Thanks David. That’s what I was looking for.

 


From: David Aragon [mailto:[EMAIL PROTECTED]
Sent: Friday, April 08, 2005 3:42 PM
To: [email protected]
Subject: RE: [ActiveDir] Netdom to Join

 

Noah,

 

That depends on what you have "Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to Domain" set to allow. 

 

We are a medium sized University and have authorized a group, comprised of specified users from each of the 13 colleges and major divisions on our campus, to do this. They do not have Administrative authority except within their own OU, and even that is limited to adding computers and creating/editing GPOs within that OU. Several units Ghost their machines and use Netdom without issue to join them to the Domain.

 

David Aragon

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 08, 2005 2:23 PM
To: [email protected]
Subject: [ActiveDir] Netdom to Join

Hi –

 

What are the minimum credentials that a user needs to join a computer to the domain when the computer account is already created? I am trying to script netdom to do this and getting denied if the user has less than administrative access.

 

Thanks.

 

-- nme
