3 Replies Latest reply on Jul 15, 2016 2:27 AM by phoffmann

    Deleting an existing Computer from Active Directory during Provisioning

    okhan Rookie

      Hello All,

       

      When re-imaging/provisioning an existing Computer, that is currently joined to our Active Directory, LANDesk provisioning fails on the "Join Domain" task. The reason is that a computer object with the same name already exists in AD.

       

      My goal is to run a script that will delete the existing computer account prior to running the "Join Domain" task in Provisioning. An example given in this thread: Re: Question about unattend.xml states to add ADSI support to the boot.wim and run a VBS script.

       

      My questions are:

      • In which step should this VBS script be run, and what provisioning action should be taken? Execute File, Run command, etc
      • What is the computer variable used by "Device Name Prompter" to record the device name that is entered by our technicians, is it %NAME%, %MACHINENAME%, etc
        • This will help identify what I should put in the "strComputer" variable in the VBS script
      • Lastly, if there is a better way to delete hostname in Provisioning so the AD Join will work smoothly, please let me know your ideas

       

      Example of the VBS to delete computer account from AD:

       

      Option Explicit

      'ADSI constants. VBScript treats an undeclared name as Empty, so the original
      'bind flags (ADS_SECURE_AUTHENTICATION + ADS_SERVER_BIND) silently became 0;
      'they must be declared explicitly.
      Const ADS_SCOPE_SUBTREE         = 2
      Const ADS_SECURE_AUTHENTICATION = 1
      Const ADS_SERVER_BIND           = 512

      Dim strComputer, strDomain, strADUser, strADPass
      Dim objConnection, objCommand, objRecordSet, strADsPath, openDS, objComputer

      'Setup variables
      strComputer = "YourComputerName"   'CN of the computer object (no trailing $)
      strDomain   = "YourDomain"         'DNS name or DN, e.g. corp.example or DC=corp,DC=example
      strADUser   = "YourUserAccountThatHasPermissionsToDeleteObjects"
      strADPass   = "YourPassword"       'prefer a provisioning variable over a literal in the script

      'The computer name is spliced into the query below; refuse values that could
      'alter the filter (a quote ends the string, * and ( are LDAP filter syntax).
      If InStr(strComputer, "'") > 0 Or InStr(strComputer, "*") > 0 Or InStr(strComputer, "(") > 0 Then
          WScript.Echo "Refusing to search for a computer name containing filter metacharacters: " & strComputer
          WScript.Quit 2
      End If

      'Setup ADO connection so that AD can be queried
      Set objConnection = CreateObject("ADODB.Connection")
      objConnection.Provider = "ADsDSOObject"
      objConnection.Properties("User ID") = strADUser
      objConnection.Properties("Password") = strADPass
      objConnection.Properties("Encrypt Password") = True

      'Open ADO connection
      objConnection.Open "Active Directory Provider"

      'Setup ADO command
      Set objCommand = CreateObject("ADODB.Command")
      Set objCommand.ActiveConnection = objConnection
      objCommand.Properties("Page Size") = 100
      objCommand.Properties("Cache Results") = False
      objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

      'Set query: find the computer object by name anywhere under the domain
      objCommand.CommandText = "SELECT ADsPath FROM 'LDAP://" & strDomain & _
          "' WHERE objectCategory='computer' AND Name='" & strComputer & "'"

      'Execute query and return LDAP path
      Set objRecordSet = objCommand.Execute

      'RecordCount is unreliable with the AD provider (it is often -1), so walk the
      'recordset with EOF instead of the RecordCount / Requery / MoveFirst sequence.
      'If nothing comes back the object does not exist in AD and no action is required.
      strADsPath = ""
      Do Until objRecordSet.EOF
          strADsPath = objRecordSet.Fields("ADsPath").Value
          objRecordSet.MoveNext
      Loop
      objRecordSet.Close
      objConnection.Close

      If strADsPath = "" Then
          WScript.Echo "No computer object named " & strComputer & " found in " & strDomain & "; nothing to delete."
          WScript.Quit 0
      End If

      'Retrieve LDAP object with explicit credentials, and delete it (DeleteObject
      'removes the object and any child objects). No MsgBox here: a modal dialog
      'would hang an unattended provisioning task, so log to stdout instead.
      WScript.Echo "Deleting " & strADsPath
      Set openDS = GetObject("LDAP:")
      Set objComputer = openDS.OpenDSObject(strADsPath, strADUser, strADPass, _
          ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND)
      objComputer.DeleteObject 0
      WScript.Echo "Deleted " & strADsPath

        • 1. Re: Deleting an existing Computer from Active Directory during Provisioning
          phoffmann SupportEmployee

          As mentioned / highlighted in a recent Momentum Webinar (link to video & presentation here: [Tech Brief On-Demand Webinar 2016] Provisioning with LANDESK Management Suite), where I brought this exact problem up as an issue, I found 3 different solutions at the time.

           

          After playing about with things, I think the solution from this place is the best: 'resetting' a computer account, rather than deleting it. And the beauty of it is that it's only a single line of PowerShell at that. The information is described here (3rd-party site obviously): DON'T REJOIN TO FIX: The trust relationship between this workstation and the primary domain failed. With it being a single line, it makes life a lot easier.

           

          If you're on LD 2016, we've even incorporated PowerShell into the WinPE image (as an aside).

           

          This may make life a bit easier on you (plus - it's a single line and "native to the OS") perhaps?

          • 2. Re: Deleting an existing Computer from Active Directory during Provisioning
            okhan Rookie

            phoffmann, thank you for the tip.

             

            • It sounds like the PowerShell script will run in the "System Configuration" phase of Provisioning (once Windows has loaded), since the device is named after unattend.xml.
              • Or will this PowerShell script run in the OS Deployment or Post-OS Deployment phases of provisioning?
              • We are running 9.6; do you have instructions on how to add PowerShell support to WinPE if necessary?
            • Can we use the -Credential switch to input a username and password, without prompting the technician running the provisioning template?
              • While doing some testing on Windows 7, the credential switch gives us the error below, since we are running PowerShell 2.0:
                "Reset-ComputerMachinePassword : A parameter cannot be found that matches parameter name 'credential'."
            • Lastly, it looks as if this command must be run on the device if it is already joined to the domain. Since these devices are in the process of being re-imaged through Provisioning, how can we execute this command without being on the domain?
            • 3. Re: Deleting an existing Computer from Active Directory during Provisioning
              phoffmann SupportEmployee

              So a couple of things ... I'll try to split this into different sections. For easier readability mainly.

               

              • The relevant call ("Reset-ComputerMachinePassword") was only added with PS 3.0
              • Since Windows 7 comes with PS 2.0 by default, you'd need to upgrade / update your image (or patch the WIM) with PS 4.0.
              • As a quick note, since PS 4.0 requires newer versions of .NET as a pre-req, THOSE you cannot install against an off-line WIM image for some reason. You have to install the .NET 4 update "on-line" unfortunately.

               

              • If you're keeping the computer account name identical, I'd probably run it BEFORE you migrate the device ... so regardless of whether you're provisioning old hardware, or replacing it with new - the "easiest" moment to do this, would be to run the script before you power the old box/image off "for the last time".
              • Nothing to stop you from (re-)running the command once you're back in the "fresh" OS. In this particular case, you'd need to be back in "Windows proper", as you'd need to be in the relevant computer account ideally. The "Reset-ComputerMachinePassword" cmdlet doesn't have a parameter for "alternate device" (I'm assuming intentionally).

               

              • The WinPE images for 9.6 do not come with .NET / PowerShell - but in this case, I don't think that's a big hindrance, since you'd need to be "in Windows proper" (and not in WinPE). Also, LD 2016's WinPE image is based on Windows 10 - so there's a triple-uplift there (Win10-based, adding .NET, adding PowerShell).
              • I'm not aware of the steps needed to add Powershell to a WinPE image - but in principle, if you can find / research it, there's no reason that you couldn't add it to your existing WinPE images yourself. They're an "open" file format & you can edit them as you feel fit.

               

              • The question about "how do I run this when I'm trying to re-join the domain" is answered above (where the intention is for you to run it on "the old version of the device"). The Powershell thing will require you to be a member of the domain (in some form) already, yes, so that you can talk with the relevant DC (even if that DC doesn't like your computer account at the moment).

               

              It was meant to show that there are alternatives to deleting AD records (which can screw up a bunch of things, especially for servers) ... so I've been focussing on re-setting accounts in AD, rather than deleting them, in recent times.

               

              Hope that helps / clarifies things?
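The "reset instead of delete" step phoffmann describes above, written out as an added example (this is not code from the thread, from LANDESK, or from the linked 3rd-party post). It is meant to run on the old, still-domain-joined Windows install before the box is powered off for re-imaging, and it answers okhan's prompting question by loading a saved credential rather than calling Get-Credential interactively. It assumes PowerShell 3.0 or later on that device (both Reset-ComputerMachinePassword and its -Credential parameter need 3.0), a reachable DC, and an account with reset-password rights on the computer object; the DC name, credential file path and log path are placeholders.

```powershell
<#
  Added example: reset this machine's own AD computer account password from the
  OLD, still-domain-joined OS before re-imaging, instead of deleting the object.
  Assumptions (not from the thread): DC name, credential file and log path below.
#>
#Requires -Version 3.0
param(
    [string]$Server = 'dc01.corp.example',                          # assumed DC to target
    [string]$CredentialFile = 'C:\ProvisioningData\reset-cred.xml'  # assumed path
)

$log = 'C:\Windows\Temp\reset-machine-account.log'                  # assumed log location
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $log -Append
}

# Reset-ComputerMachinePassword has no "alternate device" parameter: it only acts
# on the account of the machine it runs on, so stop unless this box is domain-joined.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Log "$($cs.Name) is not domain-joined; nothing to reset"
    exit 1
}

# Avoid a technician prompt: use a credential saved earlier on this device with
#   Get-Credential | Export-Clixml -Path C:\ProvisioningData\reset-cred.xml
# Export-Clixml protects the password with DPAPI for the user and machine that
# exported it, so the file must be created here by the account that runs this
# task. That is still better than a plaintext password inside the script.
if (Test-Path -Path $CredentialFile) {
    $cred = Import-Clixml -Path $CredentialFile
} else {
    $cred = Get-Credential -Message 'Account permitted to reset computer accounts'
}

Write-Log "Secure channel with $Server before reset: $(Test-ComputerSecureChannel -Server $Server)"

try {
    # Target a specific DC so the reset is not routed to one that still holds stale state.
    Reset-ComputerMachinePassword -Server $Server -Credential $cred -ErrorAction Stop
    Write-Log "Machine account password for $($cs.Name) reset via $Server"
} catch {
    Write-Log "Reset failed: $($_.Exception.Message)"
    exit 2
}

# Confirm the trust is usable before the box is powered off for the last time.
$ok = Test-ComputerSecureChannel -Server $Server
Write-Log "Secure channel with $Server after reset: $ok"
if (-not $ok) { exit 3 }
```

Run it as the last action on the outgoing OS (or as a scheduled step before the provisioning template powers the device off). The non-zero exit codes let a provisioning action fail the template rather than continue to "Join Domain" with an account that is still in a bad state, and the two Test-ComputerSecureChannel calls leave a before/after record in the log for whoever has to troubleshoot a failed join later.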