Trying to use a task sequence to add a computer to a security group

  • Question

  • I am using the following code to try to add a security group to a computer account when I am imaging using MDT 2012.  I get the following errors after the imaging process has completed.  

    Any help would be greatly appreciated.

    Thanks,

    Andy

    Exception calling "InvokeMember" with "5" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" TaskSequencePSHost 03/24/2015 8:45:29 AM 0 (0x0000)
    At \\AOTWDS01V\DeploymentShare$\Scripts\dagroup.ps1:26 char:2
    +     $UserDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, ...
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TaskSequencePSHost 03/24/2015 8:45:29 AM 0 (0x0000)
    NotSpecified: (:) [], MethodInvocationException TaskSequencePSHost 03/24/2015 8:45:29 AM 0 (0x0000)
    The following exception occurred while retrieving member "Get": "The specified domain either does not exist or could not be contacted.
    " TaskSequencePSHost 03/24/2015 8:45:31 AM 0 (0x0000)
    At \\AOTWDS01V\DeploymentShare$\Scripts\dagroup.ps1:30 char:2
    +     $strDomainPath = $ORoot.Get("defaultNamingContext")
    +     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TaskSequencePSHost 03/24/2015 8:45:31 AM 0 (0x0000)
    NotSpecified: (:) [], ExtendedTypeSystemException TaskSequencePSHost 03/24/2015 8:45:31 AM 0 (0x0000)
    Exception calling "Execute" with "1" argument(s): "An invalid directory pathname was passed
    " TaskSequencePSHost 03/24/2015 8:45:32 AM 0 (0x0000)
    At \\AOTWDS01V\DeploymentShare$\Scripts\dagroup.ps1:38 char:3
    +         $oRs = $oConnection.Execute("SELECT adspath FROM 'LDAP://$strDomainPath' WHERE ...
    +    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TaskSequencePSHost 03/24/2015 8:45:32 AM 0 (0x0000)
    NotSpecified: (:) [], MethodInvocationException TaskSequencePSHost 03/24/2015 8:45:32 AM 0 (0x0000)

    Param(
        [string[]]$GroupNames,
        [String]$Admin,
        [String]$Password
    )
    if($GroupNames)
    {
        [int] $ADS_PROPERTY_APPEND = 3
        #Get the computer DN. ADSystemInfo uses the local machine's domain membership and the
        #calling account's logon context; $Admin/$Password play no part in this call.
        $SysInfo = New-Object -ComObject "ADSystemInfo"
        $UserDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, $SysInfo, $Null)
        $ComputerDN = "LDAP://$UserDN"
        #Get the Domain DN (serverless bind, again in the calling account's context)
        $ORoot = [ADSI]"LDAP://rootDSE"
        $strDomainPath = $ORoot.Get("defaultNamingContext")
        #Create ADODB connection
        $oConnection = New-Object -ComObject "ADODB.Connection"
        $oConnection.Provider= "ADsDSOObject"
        $oConnection.Open("Active Directory Provider")
        foreach($groupname in $GroupNames)
        {
            #Reset per group so a name that is not found cannot reuse the previous group's path
            $strAdsPath = $null
            #Get the specified group
            $oRs = $oConnection.Execute("SELECT adspath FROM 'LDAP://$strDomainPath' WHERE objectCategory='group' AND Name='$groupname'")
            If (!$oRs.EOF)
            {
                $strAdsPath = ($oRs.Fields | Select value).value
            }
            If($strAdsPath)
            {
                If($Admin -and $Password)
                {
                    #Only the group bind uses the supplied credential
                    $objGroup = New-Object DirectoryServices.DirectoryEntry($strAdsPath,$Admin,$Password)
                }
                Else
                {
                    $objGroup = [ADSI]$strAdsPath
                }
                $objComputer = [ADSI]$ComputerDN
                #Verify whether the computer is already a member of the group
                If ($objGroup.ismember($objComputer.adspath) -eq $false)
                {
                    #Add the computer to the specified group
                    $objGroup.PutEx($ADS_PROPERTY_APPEND,"member",@("$UserDN"))
                    $objGroup.setinfo()
                }
            }
        }
    }

    Tuesday, March 24, 2015 4:32 PM
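The two failing lines in the log above (ADSystemInfo.ComputerName and the serverless `[ADSI]"LDAP://rootDSE"` bind) both run in the security context of the task-sequence host and depend on the local machine's own domain membership; the $Admin/$Password parameters are never used for them, so "Access is denied" and "domain could not be contacted" are what a LocalSystem or not-yet-joined machine produces. The following script is an added example, not the poster's script and not MDT code: it binds every call with the supplied credential to an explicitly named domain controller, looks the computer up by name, escapes the LDAP filter values, and appends the computer DN to each group's `member` attribute. The parameter names (`-Server`, `-ComputerName`, `-GroupNames`, `-Admin`, `-Password`) and the server value are assumptions chosen for this example.

```powershell
# Added example (not the original poster's script). Adds a computer account to one or
# more groups using explicit credentials and an explicit domain controller, so nothing
# depends on the local machine's domain membership or the task-sequence account.
# Parameter names are hypothetical; $Server takes a DC FQDN supplied by the operator.
Param(
    [Parameter(Mandatory=$true)][string]$Server,        # e.g. dc01.example.local (placeholder)
    [Parameter(Mandatory=$true)][string]$ComputerName,  # computer name without the trailing $
    [Parameter(Mandatory=$true)][string[]]$GroupNames,
    [Parameter(Mandatory=$true)][string]$Admin,         # DOMAIN\user form
    [Parameter(Mandatory=$true)][string]$Password
)

Add-Type -AssemblyName System.DirectoryServices
# Kerberos/NTLM authentication with sealing so the credential and query are not sent in clear
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
        [System.DirectoryServices.AuthenticationTypes]::Sealing

function New-Entry([string]$Path) {
    # Every bind goes to the named server with the supplied credential
    New-Object System.DirectoryServices.DirectoryEntry($Path, $Admin, $Password, $auth)
}

function Escape-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping: backslash first, then the filter metacharacters, so a name
    # containing ( ) * or \ cannot change the meaning of the search filter
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Find-Dn([string]$Filter) {
    # Resolve the domain naming context from the named DC, then search under it
    $root = New-Entry "LDAP://$Server/RootDSE"
    $base = New-Entry "LDAP://$Server/$($root.Properties['defaultNamingContext'].Value)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, @('distinguishedName'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

# Computer accounts are stored with a trailing $ in sAMAccountName
$sam = Escape-LdapFilterValue ($ComputerName + '$')
$computerDn = Find-Dn "(&(objectCategory=computer)(sAMAccountName=$sam))"
if (-not $computerDn) { throw "Computer account '$ComputerName' not found via $Server" }

foreach ($groupName in $GroupNames) {
    $name = Escape-LdapFilterValue $groupName
    $groupDn = Find-Dn "(&(objectCategory=group)(name=$name))"
    if (-not $groupDn) { Write-Warning "Group '$groupName' not found; skipping"; continue }

    $group = New-Entry "LDAP://$Server/$groupDn"
    # Direct membership check on the member attribute; -contains compares strings case-insensitively
    $members = @($group.Properties['member'] | ForEach-Object { [string]$_ })
    if ($members -contains $computerDn) {
        Write-Output "$ComputerName is already a member of $groupName"
        continue
    }
    [void]$group.Properties['member'].Add($computerDn)
    $group.CommitChanges()
    Write-Output "Added $ComputerName to $groupName"
}
```

Two points worth keeping in mind when running something like this from a task sequence: the password still travels on the command line, so it is visible in the step definition and in any log that records the command, exactly as with the plain-text parameter field mentioned later in this thread; and the membership check reads `member` directly, which for very large groups is subject to the directory's ranged-retrieval limit, so a duplicate add on such a group will surface as a constraint-violation exception from `CommitChanges()` rather than being skipped.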

All replies

  • Are you sure that particular step of your task sequence is running with the required rights to add the computer to your security group?

    -Nick O.

    Tuesday, March 24, 2015 4:40 PM
  • I'm running it with a service account that has domain admin privileges.  
    Tuesday, March 24, 2015 7:42 PM
  • If you are using UserID, UserDomain, and UserPassword, those variables are base64 encoded. You could decode them via something similar to this:

    https://social.technet.microsoft.com/Forums/en-US/6c11827f-982d-4fa1-a76d-70a615912d62/mdt-2012-automation-example-of-how-to-use-userdomainuserid-userpassword-in-a-script-move-ou?forum=mdt


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, March 24, 2015 8:22 PM
  • I am entering the username and password in the parameter field in the Powershell script properties in plain text.
    Wednesday, March 25, 2015 11:22 AM
  • Another thing you could try is instead of running it as a powershell step, run a command line step and set the user context:

    Powershell.exe -ExecutionPolicy Unrestricted $env:ScriptRoot\whatever.ps1

    Although you might have to use %ScriptRooT%\whatever.ps1


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    • Edited by Ty Glander Thursday, March 26, 2015 11:04 PM added screenshot
    • Proposed as answer by Keith Garner MVP Friday, March 27, 2015 5:42 AM
    Thursday, March 26, 2015 10:57 PM