alexferrie Posted November 8, 2013

I'm trying to run a script which will create a group within Active Directory, specific to the server being deployed in an OSD TS, and then add that group to the local admins on the server. The TS completes successfully but the group isn't created, and no error is recorded in the smsts log file. I can run the script manually on the server after the build completes, so the actual PowerShell code works, but it fails to do what it's meant to do during OSD. Anyone had any experience of anything similar to this (script is listed below)?

# Add Active Directory server admin groups to local administrators
# The script connects to AD, checks for the existence of the groups, creates them if necessary, then adds them to the local admin
# If the server is in the Test or Dev domains, the additional Domain Local group to allow for permissions to be granted to prod
# domain accounts

# Check if the Active Directory PowerShell module has been imported, import if required.
if (@(Get-Module | Where-Object { $_.Name -eq "ActiveDirectory" }).Count -eq 0) { Import-Module ActiveDirectory }

# Set variables to be used in the script
$comp = Get-Content env:computername
[string]$domainname = (Get-ADDomain -Identity (Get-WmiObject Win32_ComputerSystem).Domain).NetBIOSName
[string]$domaindn = ([adsi]("LDAP://ROOTDSE")).defaultnamingcontext
$domaindn = $domaindn.ToString().ToUpper()
$path = ",OU=Local Server Administration,OU=groups," + $domaindn
$ggroup = "<groupname>-" + $comp            # global group, one per server
$ggroupdn = "CN=" + $ggroup + $path
$dlgroup = "<groupname>-" + $comp + "-L"    # domain local group, only created outside prod
$dlgroupdn = "CN=" + $dlgroup + $path

# Pick the PDC emulator of the domain the server was built in, so group creation and the later lookup hit the same DC
switch -wildcard ($domaindn) {
    "*DEV"  { [string]$pdc = (Get-ADDomain <devdomain>).PDCEmulator }
    "*TEST" { [string]$pdc = (Get-ADDomain <testdomain>).PDCEmulator }
    "*PROD" { [string]$pdc = (Get-ADDomain <proddomain>).PDCEmulator }
}

# Check for the existence of the AD security group, create it if needed
$checkgroup = Get-ADGroup -Server $pdc -Filter { name -eq $ggroup }
if ($checkgroup -eq $null) {
    $Description = "Local administration rights to " + $comp
    dsadd group $ggroupdn -samid $ggroup -desc $Description -s $pdc -u <user> -p <password>
    Start-Sleep -Seconds 15    # give the new object time to replicate before it is used
}

# Add AD group to local administrators on the server

# Check if this is the prod domain, if not then create the domain local groups
# If prod then add <server admins> group to local administrators
if ($domaindn -ne "<prod domain DN>") {
    $checkgroup = Get-ADGroup -Server $pdc -Filter { (name -eq $dlgroup) }
    if ($checkgroup -eq $null) {
        $Description = "Local administration rights to " + $comp + " for Prod Domain"
        dsadd group $dlgroupdn -samid $dlgroup -scope l -desc $Description -s $pdc -u <user name> -p <Password>
        Start-Sleep -Seconds 15
    }
}
else {}
Iroqouiz Posted November 11, 2013

Are you running the script in the TS as a user who has modify access to the AD? Otherwise the step is run as the System account on the local machine.
alexferrie Posted November 11, 2013

Hi, the script is run as a user with domain admin rights, but username and password are explicitly provided for the dsadd commands.
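The two points raised in this thread, which account the step actually runs as and why nothing shows up in smsts.log when the group is not created, can both be made visible from inside the script. The following is an added example, not alexferrie's script or anything from the thread: it keeps the same naming scheme and angle-bracket placeholders as the original, but logs the running identity and domain-join state, fails the step with a non-zero exit code when the ActiveDirectory module is missing or a cmdlet throws, creates the group with New-ADGroup under the step's own credentials instead of passing -u/-p to dsadd, and adds it to local Administrators with a bounded retry instead of a single fixed Start-Sleep. The log path, the use of net localgroup, the retry count, and the assumption that the step's account is allowed to create groups in the target OU are all my choices, not the thread's.

```powershell
# Added example, not the poster's script. Placeholders in angle brackets are the same ones
# used in the thread and must be filled in; the log path and retry settings are assumed.
$ErrorActionPreference = 'Stop'    # cmdlet failures become terminating, so the catch below sees them
$LogFile = "$env:SystemRoot\Temp\AddServerAdminGroup.log"   # assumed location; any path the TS can reach works
Start-Transcript -Path $LogFile -Append | Out-Null
$exitCode = 1

try {
    # 1. Record the context the step really runs in (answers "SYSTEM or a run-as account?").
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $cs  = Get-WmiObject Win32_ComputerSystem
    Write-Output "Running as: $who  Computer: $env:COMPUTERNAME  Domain: $($cs.Domain)  Joined: $($cs.PartOfDomain)"
    if (-not $cs.PartOfDomain) { throw "Computer is not domain-joined yet; run this step after the domain join." }

    # 2. A freshly built server often lacks RSAT; fail loudly instead of letting every Get-AD* call vanish.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw "ActiveDirectory PowerShell module is not installed on this server."
    }
    Import-Module ActiveDirectory

    # 3. Same naming scheme as the thread's script (placeholders are the poster's).
    $domain  = Get-ADDomain -Identity $cs.Domain
    $pdc     = $domain.PDCEmulator
    $groupOU = "OU=Local Server Administration,OU=groups,$($domain.DistinguishedName)"
    $ggroup  = "<groupname>-$env:COMPUTERNAME"

    # 4. Create the group using the credentials the step already runs with; no password on the command line.
    #    Target the PDC emulator so the existence check and the creation talk to the same DC.
    $existing = Get-ADGroup -Server $pdc -Filter { Name -eq $ggroup } -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-ADGroup -Server $pdc -Name $ggroup -SamAccountName $ggroup -GroupScope Global `
                    -GroupCategory Security -Path $groupOU `
                    -Description "Local administration rights to $env:COMPUTERNAME"
        Write-Output "Created group $ggroup on $pdc"
    } else {
        Write-Output "Group $ggroup already exists"
    }

    # 5. Add the group to local Administrators. The server resolves the name through whichever DC it
    #    authenticated with, which may not have the new object yet, so retry with a bounded wait.
    $member = "$($domain.NetBIOSName)\$ggroup"
    $added  = $false
    for ($i = 1; $i -le 12 -and -not $added; $i++) {
        $out = & net localgroup Administrators $member /add 2>&1
        if ($LASTEXITCODE -eq 0 -or ($out -match 'already a member')) {
            $added = $true
        } else {
            Write-Output "Attempt ${i}: $($out -join ' ')"
            Start-Sleep -Seconds 15
        }
    }
    if (-not $added) { throw "Could not add $member to local Administrators after $($i - 1) attempts." }
    Write-Output "$member is a member of local Administrators"
    $exitCode = 0
}
catch {
    Write-Output "ERROR: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode    # non-zero makes the Run PowerShell Script step fail, so the failure is recorded in smsts.log
```

The exit code only surfaces in the task sequence if "Continue on error" is unchecked on that step; with it checked the transcript file is still the place to look. Because the group is created with the step's own token rather than an embedded username and password, the script carries no credential that would need to be scrubbed from the package or the log.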