Sigma Posted July 21, 2013

I am running a task sequence to decommission the computers on the network (format disk etc. but no OS installation). During this process I want to disable the computer account in AD on which that task sequence is running. I've written a VBScript that gets the computer DN, connects to AD and tries to disable the object. The script looks something like this:

    ' Bind to the computer object in AD by its distinguished name
    Set objComputer = GetObject("LDAP://" & computerDN)
    ' Disable the account and mark it as decommissioned
    objComputer.AccountDisabled = True
    objComputer.Put "Description", "Decommissioned"
    ' Commit both changes to the directory
    objComputer.SetInfo

When I run this script in a task sequence step, it throws a "general access denied" error. The script successfully updates the description if I remove the line:

    objComputer.AccountDisabled = True

My thoughts are that the Task Sequence runs under the "Local System" account and the "Local System" account has full permissions on its computer account in AD. Correct me if I am wrong, please. I can run the script under any other domain admin account (run as command line) but I don't see any reason to do this if the above is true (and it is true in the case where I only update the description).

Any thoughts/ideas will be much appreciated. This Task Sequence step runs in Full Windows mode (not WinPE).

Thanks.

kvineets Posted July 23, 2013

My thoughts are that the Task Sequence runs under "Local System" account = Correct

"Local System" account has full permissions on its computer account in AD = Incorrect

Local System account does not have permissions on AD until and unless it's provisioned that way.
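
To see the difference the thread describes, the following added example (not code from either poster) lists the access control entries on a computer object that allow writing `description` and `userAccountControl`, the attribute behind `AccountDisabled`. On the network, Local System acts as the computer account, so entries for SELF and for groups that account belongs to are the ones that matter. The DN is a constructed placeholder; the script only reads the directory.

```powershell
# Added example: which trustees may write a given attribute on a computer object?
param(
    # Constructed placeholder DN; replace with a real computer object.
    [string]$ComputerDN = 'CN=PC001,OU=Workstations,DC=example,DC=com',
    [string[]]$Attributes = @('description', 'userAccountControl')
)

$rootDse  = [ADSI]'LDAP://RootDSE'
$schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$computer = [ADSI]"LDAP://$ComputerDN"

# All explicit and inherited ACEs, with trustees resolved to account names.
$rules = $computer.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$writeProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($attr in $Attributes) {
    # Look up the attribute's own GUID and its property-set GUID in the schema.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        $schema, "(lDAPDisplayName=$attr)")
    $hit = $searcher.FindOne()
    if (-not $hit) { Write-Warning "Attribute $attr not found in schema"; continue }

    # Guid.Empty matches ACEs that cover every property on the object.
    $guids = @([guid]::Empty)
    foreach ($name in 'schemaidguid', 'attributesecurityguid') {
        if ($hit.Properties[$name].Count -gt 0) {
            $guids += New-Object System.Guid -ArgumentList (, [byte[]]$hit.Properties[$name][0])
        }
    }

    $rules | Where-Object {
        ($_.ActiveDirectoryRights -band $writeProp) -and
        ($guids -contains $_.ObjectType) -and
        -not ($_.PropagationFlags -band $inheritOnly)   # skip ACEs meant only for children
    } | Select-Object @{ n = 'Attribute'; e = { $attr } },
        IdentityReference, AccessControlType, IsInherited
}
```

Deny entries appear in the output alongside Allow entries, so read the `AccessControlType` column before concluding that a trustee can write the attribute.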