locked
Create scheduled task that executes as a domain user on a workgroup computer RRS feed

  • Question

  • I am running a script using the local Administrator account. This script prompts for credentials with Get-Credential, and I want to create a scheduled task that uses those credentials.  I've tried but it fails with "No mapping between account names and security IDs was done".

    Here's an abbreviated version of my script:

            $TaskName = 'Refresh-ADComputer'
            $MyCredentials = Get-Credential
            $Username = $MyCredentials.UserName
            $Password = $MyCredentials.Password
            $Trigger = New-ScheduledTaskTrigger -AtLogOn
            $Action = New-ScheduledTaskAction -Execute 'Notepad.exe' -Argument "C:\Stuff\Readme.txt"
            Register-ScheduledTask -TaskName $TaskName -Trigger $Trigger -Action $Action -User $Username -Password $Password

    I'm not really trying to execute notepad, but you get my point.

    My ultimate goal is this to be able to remove the local computer from the domain, possibly rename it, and add it back into the domain.  I was planning on managing this process by using a scheduled task that runs when a user logs on.  As each step in the remove/rename/add process was completed, I would update the scheduled task so that my script would execute the correct step after the system was reboot.

    Wednesday, October 11, 2017 3:21 PM

All replies

  • You cannot prompt for credentials in a scheduled task.

    Why would you want to do this.  It is not necessary to rejoin the domain on every user logon.


    \_(ツ)_/

    Wednesday, October 11, 2017 4:36 PM
  • Sorry.  I didn't make that very clear.

    I am running a powershell script manually using the local Administrator's account.  This script prompts me for credentials that I want to use to execute a scheduled task because, after one or two reboots, I'm going to need a domain account when it comes time to add the computer back into the domain.

    Wednesday, October 11, 2017 6:03 PM
  • You cannot automate this as you wish.  Best to post in deployment forum to get guidance on how to do what you are doing.  Why do you have to remove the computer from the domain.  What installation instructions do you have that says you must do this.

    If you are an admin a scheduled task can be defined to run under an admin account.  If you are an admin you can add a computer to the domain in one command by supplying domain admin credentials or any credential that allows joining a computer. 

    You can also post in Directory Services forum to learn how to join a computer from a standard user account.

    You can rename a computer from a command prompt in one command.  No need for a scheduled task.

    help rename-computer -full

    In any case your question is still way to vague to guess at a more complete answer.


    \_(ツ)_/

    Wednesday, October 11, 2017 6:20 PM
  • I have a couple of scenarios where this would be helpful.

    I have test VMs that I snapshotted when they were pristine.  That snapshot is 2 weeks old, so when I roll back, the trust relationship with the domain is broken.  I normally move it into a workgroup, reboot, and add it back into the domain.

    We also use a drive duplicator to configure new machines.  These systems need to be renamed and then joined to the domain, along with a number of other things to prepare them for the user.

    The beauty of a scheduled task is that it would allow my process to resume after the system is rebooted.  I could do this by adding a value to the Run key in the Registry, but I was hoping to take advantage of a scheduled task's ability to execute as a user with the necessary permissions to do what I want to do.

    I guess I could change the permissions on the computer account so anyone could add it back to the domain.  I might look into that.

    Wednesday, October 11, 2017 6:32 PM
  • Just execute "Rename-Computer" with appropriate credentials.  Give user the right to join that computer to the domain.  Research how to "re-connect" a computer to an existing computer account.  What is making this difficult is that you have a very limited understanding of how AD handles this.

    You should post in Hyper-V forum for other methods to rejoin a VM when it is recovered or refreshed.


    \_(ツ)_/

    Wednesday, October 11, 2017 6:36 PM