
I have written this short PowerShell script to rename a computer as part of an MDT task sequence:

Import-Module ActiveDirectory

# Build a domain credential from a username and a plain-text password
$AdminUsername = 'domain.com\administrator'
$AdminPassword = 'password' | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList $AdminUsername, $AdminPassword

# Locate the nearest DC and use its AD site name as the computer-name prefix
$Domain = Get-ADDomainController -DomainName domain.com -Discover -NextClosestSite
$Site = $Domain.Site
# The BIOS serial number becomes the suffix
$DomainComputer = Get-WmiObject Win32_BIOS
$Serial = $DomainComputer.SerialNumber
$Computername = $Site + "-" + $Serial

Rename-Computer -NewName $Computername -DomainCredential $cred

When MDT runs this task, it runs it as the local administrator. I get the following error when it attempts to load the AD Module.

Warning: Error initializing default drive:  'The server has rejected the client credentials.'.

I can import the module just fine after the task sequence is over from the machine when logged in as a domain admin, but not as the local administrator of the machine. Is there any way to run the MDT task sequence as a domain administrator or elevate the privileges of the local administrator during the task sequence?

Thanks in advance for any help you can provide,

Mx

UPDATE: 10/13/2015

I decided to move away from using the AD module within my MDT script and shortly after posting this devised another way of getting this done. My results with the AD module were unpredictable at best. I wanted to post it here for posterity. I add this to the State Restore > Custom Tasks folder as a "Run Powershell Script" in my MDT task sequence and then add a Restart Computer task directly underneath it. It's been working like a charm on a 1600+ client deployment this past year.

# Bind to the domain with explicit credentials via System.DirectoryServices (no AD module needed)
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"Domain"
$context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, "yourdomain.edu", "domainadmin", "yourpasswordhere")
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($context)
# First five characters of the located DC's name become the computer-name prefix
$DC = $domain.FindDomainController().Name
$Prefix = $DC.Substring(0,5)
# The BIOS serial number becomes the suffix
$DomainComputer = Get-WmiObject Win32_BIOS
$Serial = $DomainComputer.SerialNumber
$Computername = $Prefix + "-" + $Serial
# Rename through WMI; Win32_ComputerSystem.Rename takes (NewName, Password, UserName)
$Password = "yourpasswordhere"
$Username = "yourdomain.edu\domainadmin"
$Computer = Get-WmiObject Win32_ComputerSystem
$Computer.Rename($Computername,$Password,$Username)
Mx Gorply
  • Aren't you kinda missing `$AdminPassword` in the PSCredential ArgumentList ? – Mathias R. Jessen Oct 10 '14 at 15:46
  • Apologies, it is in the actual script, but must have been omitted in the copy and paste. – Mx Gorply Oct 10 '14 at 15:58
  • Do you have the task sequence executing `CMD` or `PowerShell`? If you are executing powershell then try the `cmd` command: `powershell` Also I would check and see if the powershell box is checked on the boot.wim build configuration screen – Elliot Huffman Oct 11 '14 at 11:34
  • @MxGorply Can you confirm: 1. that the script is being executed after Windows starts after OS install like in a State Restore phase or is it in a earlier phase in WinPE or in an OS being refreshed. 2. Before this step is run, have you already executed a join/rejoin domain step. – Bernie White Oct 13 '14 at 23:47
  • @BernieWhite This is running under the "Custom Tasks" folder in the State Restore phase. The machine is joined to the domain as part of the rules execution, so prior to the powershell script running. Oddly enough, despite the error message and not being able use any of the AD commands manually, the machine does rename itself using the AD commands. It's the strangest thing. – Mx Gorply Oct 17 '14 at 13:49
  • 4
    @MxGorply Ah ok, so there is not a problem with the execution of the commands? The warning is because when the module imports it will automatically try to bind using the current credentials which aren't valid, this would be expected. If the commands are running then I would worry about the warning before you supplied credentials. You can use `-WarningAction SilentlyContinue` to supress the message on the import-module command. – Bernie White Oct 19 '14 at 07:43

1 Answer

When you're not logged on as a domain user, you need to explicitly instantiate a PSDrive and then run *-AD* commands from there:

Import-Module ActiveDirectory -WarningAction SilentlyContinue
New-PSDrive -Name AD -PSProvider ActiveDirectory -Server <your DC> -Root //RootDSE/ -Credential $cred
Set-Location AD:
Nicolas Melay