MDT2013 - Move Computer from one main OU to specified application OU error: Incorrect function. (Error:00000001;source:Windows)

  • Question

  • Hi,

    I am new to MDT in general and totally new to MDT2013 and need help please.

    Our existing MDT 2013 system is set up to build computers into a main OU where all the rules have been relaxed, i.e. almost free of restrictions. It is done from the rules of the deployment share.

    There are different types of servers, hence changing the master OU where MDT joins and places the computer will affect all the builds. My server build is specific to an application, hence I want to move the server to its OU, where I have a customised GPO set up for it, and I want to do it as a task sequence specifically set up for it.

    I set up a task sequence running as a command line to execute a PowerShell script, run as an admin account that has the privilege to move the computer to another OU. (I proved that the script is working by logging on to the server locally with the same admin account and running the script, and it worked fine.)

    However, when I run it with MDT, the task failed with this error:  Incorrect function. (Error:00000001;source:Windows). The execution of the group (groupname) has failed and the execution has been aborted. An action failed. Operation aborted (Error:8004004;Source:Windows). Task Sequence Engine failed! code:enExecutionFail. Task sequence execution failed with error code 8004005...

    May I have some help with this please?

    Thanks

    BeTrai

    Here is my script to move the OU (I ran it with Set-ExecutionPolicy Bypass):

    $servername = "$env:COMPUTERNAME"

    $targetOU = "OU=APPName, OU=Application,OU=Servers, DC=XYX,DC=ABC,DC=DEF"

    $serverDistinguishedName = (Get-ADComputer $servername).DistinguishedName

    Move-ADObject $serverDistinguishedName -TargetPath $targetOU 

    Friday, February 20, 2015 1:40 PM

All replies

  • Hi,

    I need to build a server using the MDT system, which logs on as local administrator during the build. Then I need to move the server from a staging OU to the APP OU during the automatic build process. I know I have to run it with another admin account that has rights to do so in AD.

    I logged on to the server with the required admin account and manually executed the script, and it worked fine. However, when I create a Run Command Line sequence in MDT and specify it to run with the same admin account, it failed.

    the error is: Operating System deployement did not complete successfully.....

    Litetouch deployement failed, Return Code = *2417467259 0x80004005

    Failed to run the action: Move server to AppName OU

    Incorrect function. (erro:00000001'Source:Windows)

    The execution of the group (task sequence) has failed and the execution has been aborted.

    an action failed

    Operation aborted (Erro:90004004;Source:windows)

    ....

    The last line is: Error Task Sequence manager failed to execute task sequence. Code 0x80004005

    The code is below:

    $servername = "$env:COMPUTERNAME"

    $targetOU = "OU=APPName, OU=Application,OU=Servers, DC=XYX,DC=ABC,DC=DEF"

    $serverDistinguishedName = (Get-ADComputer $servername).DistinguishedName

    Move-ADObject $serverDistinguishedName -TargetPath $targetOU 

    So I am thinking: instead of specifying that MDT run the script with the admin account, why not use Move-ADObject with the -Credential parameter?

    However, I don't know how to do that. Could you please assist?

    Is it possible to do the above task with one line? I.e. get the computer name, then move it to a selected OU using a specified admin account and password that has rights to do so in AD?

    Thank you very much for your help in advance.

    Regards,

    Betrai

    

    • Merged by AnnaWY Monday, March 9, 2015 9:49 AM duplicate
    Friday, February 20, 2015 6:58 AM
  • Hi Betrai,

    it sure is possible to shorten that script or to specify credentials

    Get-ADComputer $env:COMPUTERNAME | Move-ADObject -TargetPath "OU=APPName,OU=Application,OU=Servers,DC=XYX,DC=ABC,DC=DEF" -Credential $Cred

    Now for this to work, you'd need to have previously created a credentials variable. Interactively, you can do this like this:

    $Cred = Get-Credential

    If you must use full automation and are set on providing the Password in clear text (very bad idea usually), you can do this like this:

    $Cred = New-Object System.Management.Automation.PSCredential("UserName", $SecureStringPassword)

    I'm not going to tell you how to create a SecureString-Password, however a little google use will tell you without difficulty. 

    Rather, I'd ask myself:

    Can't I grant the current user permission to do this?

    Well, so long as it is a domain account ('System' from a domain joined computer is a domain account), you can.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Friday, February 20, 2015 7:19 AM
  • First of all, you have to check that the ActiveDirectory module exists on the machine. Also, if you are not on PowerShell v3, then you have to Import-Module before using it.
    I think you are on PowerShell v3 and the module is there, as you say it works when you run the script interactively.

    Now, when you move the computer to another OU, the script needs to run with an account which has privileges to do this.

    Why don't you set the Task Sequence command activity to use the account credentials which have the permission to move the machine to the OU in AD?

    You can use Move-ADObject with the -Credential parameter, but for that you will have to hard-code your password in the script, which is not advised.

    Knowledge is Power{Shell}

    DexterPOSH

    Friday, February 20, 2015 7:21 AM
  • Hi,

    Thank you for your very quick response. It's very much appreciated.

    @DexterPOSH, yes, that is exactly what I was doing: "set the Task Sequence command activity to use the Account credentials which has the permission to move the Machine to the OU in AD", and it failed with the above-mentioned error.

    That is why I tested the script by logging on locally to the server with the service account I use in the MDT task sequence, right-clicking on the script and selecting Run with PowerShell, and it worked fine.

    @Fred, yes, I instructed MDT to install roles and features for the Active Directory module.

    I am trying DexterPOSH's suggestion, i.e. use the MDT task sequence with the admin account, but it doesn't work, therefore I am trying to use it with -Credential, and yes, it is not a very safe way as it will have that password.

    I just wonder what I did wrong with my MDT task sequence. Apparently it is not so obvious, as the MDT task sequence is very black and white: you enter the user ID, type in the password and save it.

    I will try it again both ways to see which one works best.

    Thank you very much again for your help.

    Betrai

    Friday, February 20, 2015 10:12 AM
  • This should be posted in the deployment forum as MDT has facilities for doing this without AD module as part of the join.

    ¯\_(ツ)_/¯

    Friday, February 20, 2015 11:06 AM
  • thanks. I will post it to the deployment forum.
    Friday, February 20, 2015 1:19 PM
  • I have worked that out. There are two things wrong. Well, one is wrong and the other one I just sort of picked up by guessing. If someone can explain that, it would be much appreciated. Thanks.

    1. The error is that there are a couple of spaces after the "," in the $targetOU line. MDT didn't like it for some reason. I can't work out why; I ran it manually and it worked! Or maybe it doesn't really matter.  Anyway, I removed the space it

    2. I instructed MDT to run the task sequence to pick up the script from a network drive that I mapped during the build. I corrected it by creating another task sequence to copy it to local C:\Temp, then modified the task sequence to move the server to a different OU, running the script from C:\temp

    and it worked.

    Thanks for reading.

    Betrai

    • Proposed as answer by fapw Saturday, February 21, 2015 3:01 PM
    Friday, February 20, 2015 3:27 PM
  • Hello, Betrai.

    I think it happens because, when running locally, the COMPUTERNAME variable is defined correctly or assigned manually. But during the OSD process the COMPUTERNAME variable is something like MININT-DRKFJ2S.

    Of course, that is if you did not set it with the MDT DB, for example. This variable is used only for MDT internal needs.

    Try to use the variable OSDComputerName, the name that will be assigned to the computer after the OSD process.

    $servername = "$env:OSDCOMPUTERNAME"
    Hope this will help.
    Friday, February 20, 2015 4:30 PM
  • Hello, Betrai.

    If I want to use a PowerShell script, I always create a Run PowerShell Script task. Then I put the script in the %Deployroot%\Scripts folder. In the TS I write %Deployroot%\Scripts\<script.ps1>. No need to map a network drive. Always works.

    Saturday, February 21, 2015 3:03 PM
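
The suggestions in this thread combined into one script, as an added example that is not code from any of the posters: it imports the ActiveDirectory module explicitly, reads OSDComputerName from the task sequence environment when available, strips the spaces from the OU path, and logs the underlying error before returning a non-zero exit code. The parameter names, the helper name Resolve-BuildComputerName and the log path are assumptions, and the comma split assumes no OU name contains an escaped comma.

```powershell
# Added example (not from the thread). Parameter names, the helper name and the log path are assumptions.
[CmdletBinding()]
param(
    [string]$TargetOU = 'OU=APPName, OU=Application,OU=Servers, DC=XYX,DC=ABC,DC=DEF',
    # Optional: omit to run as the account configured on the task sequence step.
    [System.Management.Automation.PSCredential]$Credential,
    [string]$LogFile = "$env:TEMP\Move-ServerToOU.log"
)

function Resolve-BuildComputerName {
    # Prefer the name the deployment will assign (OSDComputerName), as suggested in a reply above,
    # over the current hostname, which may still be a temporary MININT-... name.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        $name  = $tsenv.Value('OSDComputerName')
        if ($name) { return $name }
    } catch { }   # COM object is unavailable outside a running task sequence
    return $env:COMPUTERNAME
}

try {
    Import-Module ActiveDirectory -ErrorAction Stop

    # Remove whitespace around the commas separating the RDNs (the change the poster reported).
    $ou       = ($TargetOU -split '\s*,\s*') -join ','
    $computer = Resolve-BuildComputerName

    # Pass -Credential only when one was supplied.
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    $dn = (Get-ADComputer -Identity $computer @auth -ErrorAction Stop).DistinguishedName

    # Skip the move when the object is already in the target OU, so a re-run does not fail.
    if (-not $dn.EndsWith(",$ou", [System.StringComparison]::OrdinalIgnoreCase)) {
        Move-ADObject -Identity $dn -TargetPath $ou @auth -ErrorAction Stop
    }
    "$(Get-Date -Format s) OK    $computer -> $ou" | Add-Content -Path $LogFile
    exit 0
}
catch {
    # Log the actual exception; the task sequence itself only surfaced generic failure codes.
    "$(Get-Date -Format s) ERROR $($_.Exception.Message)" | Add-Content -Path $LogFile
    exit 1
}
```

Leaving -Credential unset and delegating the move right to the step's run-as account keeps the password out of the script, which is the concern raised in the replies above.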