none
Add computer to a AD security group during Task Sequence

    Question

  • Hello,

    I'm trying to join a pc to an AD security group during a MDT 2012 Task Sequence with a VBS script. I'm running the script during the TS as another user. I'm getting error 0x80004005. I've run the script in Windows as another user the script just works.

    I've tried several things, but I can't let it work.

    I hope someone can help me

    Thank you

    Edward de Ruiter

    Wednesday, February 27, 2013 4:31 PM

Answers

  • I was logged in as a domain admin. I'll try it as a standard user. In the meantime, I've published my script in the Technet Gallery here.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    • Proposed as answer by Nick Ourso Monday, March 4, 2013 8:00 PM
    • Marked as answer by Edward de Ruiter Tuesday, March 5, 2013 10:04 AM
    Monday, March 4, 2013 1:23 PM

All replies

  • Are you running the script before or after the OS is installed? If you are running it before, you might have to run the script on the mdt server using psexec to have access to the full OS for the script to run properly. Second, if you are running it post-os-install, have you paused the mdt process with a command prompt and tried to run the script from there? That can help you greatly to ascertain how the script would be interacting with mdt.

    Mick

    Thursday, February 28, 2013 4:12 AM
  • I'm running the script at the end of the task sequence in Windows. If I run the script as the user outside the Task Sequence in Windows it works. If i run the scripts as a domain admin account in the Task Sequence it also works.

    Thursday, February 28, 2013 8:01 AM
  • That error code is just a generic error. Could you post the command line you are using to call your vbScript.

    Also, post your VBScript in a code block.(Less any sensitive information)

    Running scripts outside the TS are within are very different things.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Thursday, February 28, 2013 11:37 AM
  • The command line is: cscript %SCRIPTROOT%\addtogroup.vbs "%AD GroupName% . Where %AD GroupName% is the name of the group in AD.

    The script is as follows:

    Const ADS_PROPERTY_APPEND = 3
    Set WshShell = WScript.CreateObject("WScript.Shell")
    
    '----Get Computer DN------
    Set objADSysInfo = CreateObject("ADSystemInfo")
    ComputerDN = objADSysInfo.ComputerName
    strcomputerdn = "LDAP://" & computerDN
    Set objADSysInfo = Nothing
    
    '----Connect AD-----
    Set oRoot = GetObject("LDAP://rootDSE")
    strDomainPath = oRoot.Get("defaultNamingContext")
    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Provider = "ADsDSOObject"
    oConnection.Open "Active Directory Provider"
    
    '-----Read commandline---
    Set args = WScript.Arguments
    For i = 0 To Args.Count - 1
    addgroup Args.Item( i )
    next
    Function Addgroup(groupname)
    
    '----Get Group DN------
    Set oRs = oConnection.Execute("SELECT adspath FROM 'LDAP://" & strDomainPath & "'" & "WHERE objectCategory='group' AND " & "Name='" & GroupName & "'")
    If Not oRs.EOF Then
    strAdsPath = oRs("adspath")
    End If
    Set objGroup = GetObject (stradspath)
    Set objComputer = GetObject (strComputerDN)
    If (objGroup.IsMember(objComputer.AdsPath) = False) Then
    objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(computerdn)
    objGroup.SetInfo
    End If
    End Function
    
    
    
    

    Thursday, February 28, 2013 1:26 PM
  • How are you setting that environment variable %AD GroupName% 

    I'm thinking that it could be empty during a deployment, hence your error.

    If I'm right then I suggest creating a new property in MDT and calling it within your script using the techniques I've demonstrated here: MDT Scripting: Managing Environment Variables – Part 2

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Thursday, February 28, 2013 3:27 PM
  • It is not a variable. It's the name of the security group in AD.

    I'm sorry for the haziness.

    Thursday, February 28, 2013 5:02 PM
  • I'd be interested in the solution to this, as well. I have a VBScript that will add a machine to a security group for the purposes of DirectAccess, er, access, but I can't run it within a TS, even if I tell the step to "Run As" a user that has access to make those manipulations in AD. The very same script runs fine when it is not a part of a TS.

    -Nick O.

    Thursday, February 28, 2013 9:12 PM
  • I see that this is Jorgen's script for SCCM. He's created it to use a custom property from the command line so you should put the OU in a property.

    example CS.ini:

    [Settings]
    Priority=Default
    Properties=MyCustomProperty, ComputerGroup
    
    [Default]
    OSInstall=Y
    
    ComputerGroup = OU=Computers,OU=IT_Department,OU=Manchester,DC=CONTINUUM,DC=Com

    for the command line  cscript %SCRIPTROOT%\addtogroup.vbs ComputerGroup

    The computer group within the quotes is using the same format that worked on the command line

    Let me know if this works as I haven't tested it in a lab.

    /Andrew


    Blog: http://scriptimus.wordpress.com



    • Edited by Andrew Barnes Sunday, March 3, 2013 4:53 PM removed quotes
    Thursday, February 28, 2013 9:48 PM
  • >> If I run the script as the user outside the Task Sequence in Windows it works. If i run the scripts as a domain admin account in the Task Sequence it also works.

    If you are trying to get it to run without executing the task sequence step as a domain account, then it will be executed as the local SYSTEM account.  Since the "Domain Computers" group will not be default have permissions to modify the AD group, your script will fail.  You should execute the step as a domain service account that only has permissions to modify the membership of that group.

     

    I hope that helps,

     

    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts
    <-- If this post was helpful, please click "Vote as Helpful".

    Thursday, February 28, 2013 10:41 PM
  • This thread this piqued my interest so I've gone back to revisit this. Not to steal the thread from the OP, but I receive an error when attempting to run Jorgen's script.

    Script:C:\Scripts\adgroup.vbs
    Line: 29
    Char: 1
    Error: Invalid procedure call or argument: 'GetObject'
    Code: 800A0005
    Source: Microsoft VBScript runtime error

    That's an error received when attempting to run the script manually from the command line, using a Run As with the appropriate service account. When adding the script to MDT, I receive an "Incorrect function" error, which I assume is related (if not the same error.)


    -Nick O.

    Friday, March 1, 2013 12:25 AM
  • I'm sorry Andrew, I'm not fully understand your answer.
    If I do this in the cs.ini and I use the command as above, where do I specify the AD Security Group?
    Besides it is for computers in different OU's. Herefore I use an MDT database to autotically set the computers in the right OU.

    Thank You!

    Friday, March 1, 2013 8:10 AM
  • Hi Edward,

    My labels were wrong in the above post but I've updated it now.

    Put the target group(s) in the quotes.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Friday, March 1, 2013 9:59 AM
  • Hi Andrew,
    Unfortunately this doesn't work.
    Still the same error:
    Litetouch deployment failed, Return Code = -2147467259  0x80004005
    Friday, March 1, 2013 1:05 PM
  • Man! I hate when I have to set it up myself in the lab.

    Alright then. Give me a few hours. I've just got to finish some stuff.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Friday, March 1, 2013 1:15 PM
  • Here's a thought, have you tried using the script as a domain user?


    Blog: http://scriptimus.wordpress.com


    Friday, March 1, 2013 2:06 PM
  • Yes, I run the script as a domain user because of the permissions in AD.
    Friday, March 1, 2013 2:41 PM
  • Also of note is that Jorgen's script doesn't appear to need the full path, just the group. See: http://www.windows-noob.com/forums/index.php?/topic/5342-join-computer-to-ad-security-group-using-vbs-during-os-task-sequence/


    In order to even get the script to run, I had to select "Load the user's profile" on the step Andrew has listed above. At least, the script will attempt to run; it never finishes - "Incorrect function" error message.


    -Nick O.


    • Edited by Nick Ourso Friday, March 1, 2013 4:12 PM
    Friday, March 1, 2013 4:12 PM
  • I tested the solution I posted above and it works fine. Don't need to worry about runas or anything.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Sunday, March 3, 2013 4:55 PM
  • Strange. The user wasn't domain admin? I can't get it work.
    Monday, March 4, 2013 8:28 AM
  • I was logged in as a domain admin. I'll try it as a standard user. In the meantime, I've published my script in the Technet Gallery here.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    • Proposed as answer by Nick Ourso Monday, March 4, 2013 8:00 PM
    • Marked as answer by Edward de Ruiter Tuesday, March 5, 2013 10:04 AM
    Monday, March 4, 2013 1:23 PM
  • Thanks, Andrew. I was able to get it to work without issue using a service account that had the correct levels of access. Having said that, it ends with a warning that says "Unable to create WebService class" even though the script clearly works. Any ideas? I suppose I could just 'Continue on error' that step of the TS.

    Hopefully, Edward can get it working as well.


    -Nick O.

    Monday, March 4, 2013 6:24 PM
  • That's nothing to do with my script.

    It's the Monitoring Service. It's been enabled but not right. Usually happens when people try it and then turn it off.

    Mark an answer above so we can close this off, pls.

    /Andrew


    Blog: http://scriptimus.wordpress.com

    Monday, March 4, 2013 7:22 PM
  • Hi Edward,  I'm trying to create a vbs script to add computer to the right OU and then a memberof- security group so my network drives will show up. I'm using MDT 2012 and would like to run it through MDT but I'm a little weak when it comes to vbs scripts. It sounds like you have one, if possible could you show me a blue print of a vbs script that will do that and high light where I need to add my OU and username and password.

    Thanks

    Thursday, March 7, 2013 4:16 AM
  • Does this script still work with MDT 2013 Update 1 version 6.3.8298.1000?  I was able to get it tow work under MDT 2013 Update 1 version 6.3.8290.1000, but when I upgraded to the newest MDT, it stopped working.

    Sean

    Wednesday, November 4, 2015 5:27 PM
  • Hi - I have tne MDT 2013 update 2 version where the script fails. Any solution so far ?
    Monday, March 28, 2016 5:40 PM
  • Is it possible to add the current computer to an AD Group based on the OU it is in?
    Saturday, October 21, 2017 6:27 AM
  • Yes, but you would need to implement the necessary logic to accomplish that. I did something similair using PowerShell for a customer a while back.

    Cheers,
    Anton

    Vacuum Breather Blog | Wing Commander Saga | Twitter

    Note: Posts are provided "AS IS" without warranty of any kind. If posts are helpful please don't forget to rate them as "Helpful" or as "Answer".

    Sunday, October 22, 2017 10:15 AM
  • Yeah getting the same error MDT 2013 trying to add a computer to a security group.

    I get an unhandled exception error when I try and manually run it.

    Tuesday, June 5, 2018 11:28 AM
  • Thanx Adrew this did it for me. i did put it at the end of the TS.
    Friday, October 5, 2018 12:31 PM
  • I recently ran into this issue myself. You need to make sure the account you are using has logon rights to the computer itself to use the "run as different user" option for the cmd line task in your task sequence or you will get that 0x80004005 error. And of course make sure that account has rights in AD to add members to the groups.

    I did not want to use a full domain admin account since we are required to use least privileged in our environment. Account is given temporary rights to the local computer and only has rights in AD to those groups.

    A very simple way to handle this is to temporarily add the account to the local admin group using cmd line. Then remove that account after the script has run that adds the computer to the group. So I have 3 steps in the task I use to add computer accounts to AD groups.

    1. Run command line "net localgroup administrators domain\UserLoginName /add"

    2.Run powershell from commmand line "cmd /c "Powershell.exe -ExecutionPolicy ByPass -File AddCompToADgroup.ps1 -GroupNames "group1,group2""

    3. Run command line "net localgroup administrators domain\UserLoginName /delete"

    Plenty of example scripts out there. I took one and modified it to allow for a comma separated list of names.

    Wednesday, October 10, 2018 4:11 PM