Jump to content


alexferrie

add domain group to local admins using powershell during OSD

Recommended Posts

I'm trying to run a script which will create a group within Active Directory, specific to the server being deployed in an OSD TS, and then add that group to the local admins on the server. The TS completes successfully but the group isn't created, no error is recorded in smsts log file. I can run the script manually on the server after the build completes, so the actual powershell code works, but it fails to do what it's meant to do during OSD. Anyone had any experience of anything similar to this (script is listed below)?

 

#Add Active Directory server admin groups to local administrators
#The script connects to AD, checks for the existence of the groups, creates them if necessarry, then adds them to the local admin
#If the server is in the Test or Dev domains, the additional Domain Local group to allow for permissions to be granted to prod
#domain accounts

#check if the Active Directory powershell module has been imported, import if required.

if (@(get-module | where-object{$_.name -eq "ActiveDirectory"}).count -eq 0)
{
import-module activedirectory
}

#set variables to be used in the script
$comp = gc env:computername
[string]$domainname = (get-addomain -identity (gwmi Win32_ComputerSystem).Domain).NetBIOSName
[string]$domaindn=([adsi]("LDAP://ROOTDSE")).defaultnamingcontext
$domaindn=$domaindn.tostring().toupper()
$path=",OU=Local Server Administration,OU=groups,"+$domaindn
$ggroup = "<groupname>-"+$comp
$ggroupdn="CN="+$ggroup+$path
$dlgroup = "<groupname>-"+$comp+"-L"
$dlgroupdn="CN="+$dlgroup+$path

switch -wildcard ($domaindn)
{
"*DEV" {[string]$pdc=(get-addomain <devdomain>).PDCEmulator}
"*TEST" {[string]$pdc=(get-addomain <testdomain>).PDCEmulator}
"*PROD" {[string]$pdc=(get-addomain <proddomain>).PDCEmulator}
}

#check for the existence of the AD security group, create it if needed
$checkgroup=get-adgroup -server $pdc -filter{name -eq $ggroup}
if ($checkgroup -eq $null)
{
$Description = "Local administration rights to " + $comp
dsadd group $ggroupDN -samid $ggroup -desc $Description -s $pdc -u <user> -p <password>
start-sleep -seconds 15
}

# Add AD group to local administrators on the server

#check if this is the prod domain, if not then create the domain local groups
#if prod then add <server admins> group to local administrators
if($domaindn -ne "<prod domain DN>")
{
$checkgroup=get-adgroup -server $pdc -filter {(name -eq $dlgroup)}
if ($checkgroup -eq $null)
{
$Description = "Local administration rights to " + $comp + " for Prod Domain"
dsadd group $dlgroupDN -samid $dlgroup -scope l -desc $Description -s $pdc -u <user name> -p <Password>
start-sleep -seconds 15
}

}
else
{

}

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.