PowerShell – Specify Credentials to Run PowerShell Script to Query AD

active-directory credentials powershell

I want to run a PowerShell script to query AD from a machine that is NOT on the domain.

Basically I want to query to see if there is a computer account already on the domain for this machine and create it if there is not. Because this has to happen before the machine joins the domain I assume I will need to specify some credentials to enable it to run. (I'm pretty new to PowerShell, so apologies if this is a newbie question!)

The script I am using to check the account is below, and then once this has run it will join the domain using the computername specified.

Can you tell me how to specify some domain credentials to run this section of the script as?

Cheers,

Ben

$found = $false
# Placeholder: the service tag read from the BIOS
$thisComputer = '<SERVICE TAG FROM BIOS>'
$ou = [ADSI]"LDAP://OU=My Computer OU,DC=myDomain,DC=com"
# Walk the direct children of the OU and look for a computer object with this name
foreach ($child in $ou.psbase.Children) {
    if ($child.ObjectCategory -like '*computer*') {
        if ($child.Name -eq $thisComputer) {
            $found = $true
        }
    }
}

if ($found) {
    # <DELETE THE EXISTING ACCOUNT>
}

Best Answer

As far as I know, there is no way to pass alternate credentials using the ADSI type accelerator. Two ways you could try to get around this in your code are:

  • have powershell.exe run as the domain user instead of your local user - this will cause everything in the script to use the domain credentials
  • use the Invoke-Command cmdlet, which allows you to pass in a script block to execute, and alternate credentials.

I've never tried either of these, so it will take some trial and error.

Another option that could be more flexible for you is to not use the ADSI type accelerator. There are 2 ways to accomplish this.

  1. Use the .NET framework DirectoryService classes. Here is a good article that walks you through this process. It includes an example using alternate credentials.
  2. Use the Quest Active Directory Management cmdlets. These are wrappers around a lot of AD stuff that make a lot of things easier. They also let you pass in alternate credentials.
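
One way to do option 1 from the answer above, as an added example that is not from the original post or the article it links to: bind to the OU with `System.DirectoryServices.DirectoryEntry` using explicit credentials and search for the computer object. The domain controller name `dc01.myDomain.com`, the function names and the sample service tag are assumptions made for illustration; the OU path is the one from the question.

```powershell
# Added example: query AD from a non-domain machine with explicit credentials.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape RFC 4515 special characters so the name cannot change the filter.
    # Backslash goes first, so the escapes added afterwards are not escaped again.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Test-AdComputerAccount {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LdapPath,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    # Secure = Negotiate (Kerberos/NTLM) bind; Signing and Sealing protect the LDAP traffic.
    $auth = [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        $LdapPath, $Credential.UserName,
        $Credential.GetNetworkCredential().Password, $auth)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    try {
        $name = ConvertTo-LdapFilterValue -Value $ComputerName
        $searcher.Filter = "(&(objectCategory=computer)(name=$name))"
        # OneLevel matches the original loop, which only looked at direct children of the OU.
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        # FindOne() throws if the bind fails (bad credentials, unreachable server).
        $null -ne $searcher.FindOne()
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# A non-domain machine cannot locate a DC by itself, so the server is named in the path.
# dc01.myDomain.com is a hypothetical host name; 'ABC1234' is a constructed service tag.
$thisComputer = 'ABC1234'
$path  = 'LDAP://dc01.myDomain.com/OU=My Computer OU,DC=myDomain,DC=com'
$cred  = Get-Credential -Message 'Domain account allowed to read the OU'
$found = Test-AdComputerAccount -ComputerName $thisComputer -LdapPath $path -Credential $cred
```

Prompting with `Get-Credential` keeps the password out of the script file, and an account with only the rights needed on that OU limits what a leaked credential can do.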