10 Replies Latest reply on Dec 21, 2009 12:03 PM by AlexandreT

    OSD Preboot – Remove Device from AD Using Netdom

    Apprentice

      Good afternoon all,

      I’m experimenting with an OSD task that deletes the target device from AD using NETDOM in a Pre-boot command and you guessed it, it’s not working!

       

      My preboot command is as so:

       

      netdom remove /d:domain %Computer - Device Name% /ud:domain\username /pd:password

       

      I’ve experimented with hard coding the path to netdom to boot.

       

      So I’m just seeing if anybody has done this before, is it feasible or even if my syntax is correct?

       

      Thanks

      Trent

        • 1. Re: OSD Preboot – Remove Device from AD Using Netdom
          Employee

          To the best of my knowledge netdom /remove can only remove a machine that is currently online. I just tried your syntax (netdom remove /d:domain machinename /ud:domain\username /pd:password) from the command prompt on a normal WinXP machine. The command works if machinename is present on the network and fails ("network path not found") if it isn't. The reason is that a netdom remove doesn't just delete the computer account. It issues RPC calls to machinename to remove it from the domain.

           

          The command line tool that you should be using is dsrm.exe (standard command on Win2k3).

          • 2. Re: OSD Preboot – Remove Device from AD Using Netdom
            Employee

            Sorry for giving you false hopes - when I tried dsrm after writing the above, I could not get it to work on WinPE. When I try dsrm under WinPE, it keeps telling me it doesn't like my command line syntax, even though the exact same syntax works under Win2003. Domain membership can't make the difference since the Win2003 on which the command works wasn't a domain member.

            • 3. Re: OSD Preboot – Remove Device from AD Using Netdom
              Apprentice

              Hi Jan,

              Thanks for your efforts; I will have a look as well today or tomorrow.

              It would be great if device removal from AD could somehow be included in OSD, as it’s a prerequisite (SIDs etc.). It would therefore remove a manual task from the re-imaging process. Sounds as if it could be a touch tricky though.

               

              Many Thanks

              Trent

              • 4. Re: OSD Preboot – Remove Device from AD Using Netdom
                ahe Expert

                Hello Trent, Jan,

                 

                One hint: normally it is not necessary to delete an XP machine from AD if you use the same computer name.

                 

                On Windows NT 4.0 you must delete it... On W2000 we did it too (no idea if it was needed), but on XP not (except if we change the name).

                 

                One problem can occur if you have many, many domain controllers and their synchronization doesn't work well... but then you have other problems too :-)

                 

                Regards

                Axel

                • 5. Re: OSD Preboot – Remove Device from AD Using Netdom
                  Apprentice

                  Hi ahe,

                  We have a few DCs and a couple on slow links, and it's a bit hit and miss with regards to corrupt SIDs and GPO issues, so as a rule of thumb we delete before imaging.

                  Thanks

                  Trent

                  • 6. Re: OSD Preboot – Remove Device from AD Using Netdom
                    Jared Barneck Support Employee

                    Have you tried to use a LOCEXEC command in the script?

                     

                    A LOCEXEC has the Core Server perform an action. Why have the Core Server send the action to WinPE and then have WinPE do it? The Core Server could do the action itself.

                     

                    See the Using Custom Scripts document.

                     

                     

                    LOCEXEC1234=netdom remove /d:domain %Computer - Device Name% /ud:domain\username /pd:password, STATUS SYNC

                    • 7. Re: OSD Preboot – Remove Device from AD Using Netdom
                      Employee

                      Good thinking - just one thing: unless you're doing a vboot and you issue the netdom remove before the reboot to WinPE, a netdom remove won't work any better from the core server than from WinPE. The problem is that netdom remove wants to talk to the machine being removed. A LOCEXEC of a dsrm should work, however.

                      • 8. Re: OSD Preboot – Remove Device from AD Using Netdom
                        Apprentice

                        Thanks once again. Before I drown myself in Notepad, do you have any suggestions on how this could be implemented in an imaging scenario? Would the command suggested just be added to the Preboot section?

                         

                        Thanks

                        Trent

                        • 9. Re: OSD Preboot – Remove Device from AD Using Netdom
                          Jared Barneck Support Employee

                          I am sure that the preboot section runs when you PXE boot; however, I am not 100% sure that a LOCEXEC command would be skipped in the preboot command.

                           

                          I would put it right after REMPING=WinPE line.

                           

                          But my curiosity would make me test it as the first line in the script to see if it gets skipped on a Pxe boot.

                          • 10. Re: OSD Preboot – Remove Device from AD Using Netdom
                            AlexandreT Rookie

                            Hi,

                             

                            I have to delete the computer account for multiple reasons, and I use a VBScript just after the sysprep.

                            The name of the computer is injected in the sysprep.

                            Here is my VBScript file:

                            On Error Resume Next

                            Const ADS_SCOPE_SUBTREE = 2
                            Const ADS_SECURE_AUTHENTICATION = 1

                            ' Credentials and DC address are placeholders; the same account is used
                            ' for the ADO search and for the LDAP bind that performs the delete
                            strUser     = "yourDomain\youruserName"
                            strPassword = "yourPassword"
                            ' Address (or FQDN) of a DC
                            strDomain   = "192.168.1.1"

                            ' Get the machine name (the name injected by sysprep)
                            Set objWshNetwork = WScript.CreateObject("WScript.Network")
                            strComputer = objWshNetwork.ComputerName

                            Set objConnection = CreateObject("ADODB.Connection")
                            Set objCommand    = CreateObject("ADODB.Command")
                            objConnection.Provider = "ADsDSOObject"
                            objConnection.Properties("User ID")          = strUser
                            objConnection.Properties("Password")         = strPassword
                            objConnection.Properties("Encrypt Password") = True
                            objConnection.Properties("ADSI Flag")        = ADS_SECURE_AUTHENTICATION

                            objConnection.Open "Active Directory Provider"
                            If Err.Number <> 0 Then
                                WScript.Echo "Cannot bind to " & strDomain & ": " & Err.Description
                                WScript.Quit 1
                            End If
                            Set objCommand.ActiveConnection = objConnection
                            objCommand.Properties("Page Size")    = 100
                            objCommand.Properties("Search scope") = ADS_SCOPE_SUBTREE

                            ' Look up the computer account in AD
                            objCommand.CommandText = _
                                "SELECT ADsPath FROM 'LDAP://" & strDomain & "' WHERE objectCategory='computer' " & _
                                "AND Name='" & strComputer & "'"
                            Set objRecordSet = objCommand.Execute

                            ' A fresh recordset is already positioned on the first row, so no MoveFirst
                            ' (MoveFirst raises an error when nothing was found)
                            strADsPath = ""
                            While Not objRecordSet.EOF
                                strADsPath = objRecordSet.Fields("ADsPath").Value
                                objRecordSet.MoveNext
                            Wend
                            objRecordSet.Close
                            objConnection.Close

                            If strADsPath = "" Then
                                WScript.Echo "Computer " & strComputer & " not found in AD; nothing to delete."
                            Else
                                ' Delete the computer object found above
                                Set objNS = GetObject("LDAP:")
                                Set objComputer = objNS.OpenDSObject(strADsPath, strUser, strPassword, ADS_SECURE_AUTHENTICATION)
                                Err.Clear
                                objComputer.DeleteObject 0
                                If Err.Number <> 0 Then
                                    WScript.Echo "Delete of " & strADsPath & " failed: " & Err.Description
                                    WScript.Quit 1
                                End If
                                WScript.Echo "Deleted " & strADsPath
                            End If

                            Afterwards I use Netdom to join the domain in a specific OU.

                            You can encrypt this file to VBE using the Microsoft Script Encoder tool from here: http://www.microsoft.com/downloads/details.aspx?familyid=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en
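The following is an added example and is not code from the thread or from LANDesk. It does in PowerShell what Jan's replies 1 and 7 recommend (delete the account object in the directory directly, as dsrm does, instead of netdom remove, which has to reach the machine over RPC) and what AlexandreT's VBScript does (look the computer up by name, then delete it), with the checks a deployment script needs: a not-found case that is reported rather than silently ignored, a refusal to delete when more than one object matches, and a credential object instead of a password literal in the file. The function name, the host name dc01.example.com and the computer name PC001 in the usage line are placeholders I chose; they do not appear in the thread. It uses System.DirectoryServices, so it runs from any Windows host with .NET (for example the core server, which is where a LOCEXEC action runs) without RSAT.

```powershell
function Remove-AdComputerAccount {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)] [string] $ComputerName,
        # DC host name or domain FQDN to bind to (an OSD host has no domain context of its own)
        [Parameter(Mandatory=$true)] [string] $Server,
        # Account allowed to delete computer objects, passed as a credential object
        # rather than a password literal in the script file
        [Parameter(Mandatory=$true)] [System.Management.Automation.PSCredential] $Credential
    )

    $ErrorActionPreference = 'Stop'
    $nc   = $Credential.GetNetworkCredential()
    $user = if ($nc.Domain) { "$($nc.Domain)\$($nc.UserName)" } else { $nc.UserName }
    $auth = [System.DirectoryServices.AuthenticationTypes] 'Secure, Sealing'

    # Read the domain naming context from RootDSE instead of hard-coding DC=...
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/RootDSE", $user, $nc.Password, $auth
    $baseDn  = [string] $rootDse.Properties['defaultNamingContext'].Value
    $root    = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$baseDn", $user, $nc.Password, $auth

    # Escape LDAP filter metacharacters (RFC 4515) so an odd host name cannot widen the query
    $escaped = $ComputerName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root
    # A computer's sAMAccountName is "NAME$"; matching on it together with objectCategory
    # never selects a user, group or OU whose cn happens to equal the host name
    $searcher.Filter      = "(&(objectCategory=computer)(sAMAccountName=$escaped`$))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        if ($results.Count -eq 0) {
            Write-Warning "No computer account '$ComputerName' under $baseDn; nothing to delete."
            return $false
        }
        if ($results.Count -gt 1) {
            throw "Refusing to delete: $($results.Count) objects match '$ComputerName'."
        }
        $dn = [string] $results[0].Properties['distinguishedname'][0]
        if ($PSCmdlet.ShouldProcess($dn, 'Delete computer account')) {
            # DeleteTree also removes child objects the account may have
            # (BitLocker recovery information, service connection points, ...)
            $results[0].GetDirectoryEntry().DeleteTree()
            Write-Verbose "Deleted $dn"
        }
        return $true
    }
    finally {
        $results.Dispose()
    }
}

# Usage (server and computer names are placeholders): prompt for the credential,
# preview with -WhatIf, then run for real.
# Remove-AdComputerAccount -ComputerName PC001 -Server dc01.example.com -Credential (Get-Credential) -WhatIf
```

Two practical notes. First, on a Windows Server 2003 box with the DS tools the same lookup-then-delete is the one-liner `dsquery computer -name PC001 | dsrm -noprompt -subtree`, which is what a LOCEXEC line on the core server could carry in place of netdom. Second, the Script Encoder mentioned above produces an obfuscated .vbe, not an encrypted file; the encoding is reversible and any password embedded in the script can be recovered from the .vbe, so prefer a credential supplied at run time (as in the example) or an account scoped to delete computer objects in the imaging OU only.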