Question
Tuesday, October 8, 2013 10:59 PM
How can I query Active Directory from a workgroup computer using PowerShell to determine if that workgroup computer already has a computer object in AD?
The problem I'm trying to solve is this.
I want to ensure that our deploying technicians have created a Computer Object for the target machine prior to deploying and the OSD process performs the "Join Domain" task sequence step against it.
I need to be able to perform the query against AD during Operating system deployment while in WinPE.
I can't simply specify the OU in the "Join Domain" task sequence step, because we have waaay too many possible OUs and new ones are added too frequently. I trust that the techs will have put the computer object in the proper OU. If the object is created I'll just join the machine without specifying the OU and it will be joined wherever it's already located in AD. If it's not found in AD, I'll simply quit the OSD Task sequence with a nasty note to create the record first using a popup notification I've already created.
All replies (5)
Saturday, October 19, 2013 10:11 PM ✅Answered
Ok, I've found a way to do it using Powershell. I'll post the details later.
Monday, November 11, 2013 4:56 PM ✅Answered | 1 vote
#Prevent display of all errors, not really required
$ErrorActionPreference = "silentlycontinue"
#Create OSD Task Sequence object to create/modify OSD variable values
$TSEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
#Get tech provided ComputerName from a previous task sequence step
$CN = $TSEnv.value("OSDComputerName")
#Get Domain Controller IP Address
$DomainIP = (Test-Connection -ComputerName "YOUR_DOMAINNAME_HERE.com" -Count 1).IPV4Address.IPAddressToString
#Set connection and credential options
$de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainIP",'YOUR_DOMAINNAME_HERE\YOUR_SERVICEACCOUNT_NAME_HERE','YOUR_SERVICEACCOUNT_PASSWORD_HERE_IN_PLAIN_TEXT')
#Configure search filter
$searcher = New-Object System.DirectoryServices.DirectorySearcher($de,"(&(objectCategory=Computer)(CN=$CN))")
#Perform search and get Result. FindOne() returns $null when nothing matches,
#so test the SearchResult itself rather than calling GetDirectoryEntry() on $null
$result = $searcher.FindOne()
if ($result)
{
    #If Result found
    $TSEnv.value("OSDComputerPrestaged") = "TRUE"
} else {
    #If Result not found
    $TSEnv.value("OSDComputerPrestaged") = "FALSE"
}
Keep in mind you cannot run this script in WinPE during operating system deployment. Apparently not all required components are available to query AD at that stage.
First I set the variable OSDComputerName in the SCCM Computer collection with no value. This will cause the Task sequence to prompt the deploying tech to set the value of the variable when the task sequence starts.
I use the above Powershell script (in a package) in a "Run Powershell script" task sequence step after the OS image is applied and the system has rebooted to Windows while the task sequence is still running just before the application install task sequence steps run. Note: The script doesn't work if still in the WinPE environment.
You then can use the variable OSDComputerPrestaged in a later "Join Domain" task sequence step. Just set the condition of that step to execute if OSDComputerPrestaged = TRUE.
The idea is that, if the deploying tech did their job right and prestaged the computer before appearing onsite to deploy the OS then they won't have to worry about joining the machine to the network after the deployment is done... it will just happen automatically.
Tuesday, October 8, 2013 11:47 PM
I assume you're just talking about installations of new client systems. This won't work as long as you don't have any information stored in an attribute of the AD computer object that identifies your client system. If you just create an AD computer account, there's by default no identifier of your client system set (i.e. MAC address).
One option is to use an attribute in the newly created AD computer object. Set a unique piece of information there (i.e. MAC address) as the value and then run a script during the task sequence and check if there's a computer account having the MAC address set as the value.
Regards,
Michael
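Added example, not code from the accepted answer or from any of the replies: the same System.DirectoryServices lookup from a workgroup machine, written so that the service account arrives as a PSCredential instead of a hard-coded plain-text password, the computer name is escaped before it goes into the LDAP filter, and the search can optionally run against another attribute, which covers Michael's suggestion of matching on a MAC address stored in a custom attribute. The server name, the service account, and the attribute name in the usage lines are placeholders.

```powershell
# Added example (not the original poster's script). Assumes: a reachable DC
# in $Server, a DOMAIN\account PSCredential that can read computer objects,
# and (for the attribute variant) a custom attribute name chosen by the admin.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside filter values so a name
    # such as "PC(1)" or "a*b" cannot change the meaning of the filter.
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

function Find-PrestagedComputer {
    <#
    .SYNOPSIS
    Returns the distinguishedName of the matching computer object, or $null.
    Searches by CN by default; pass -Attribute/-Value to match on another
    attribute instead (e.g. a custom attribute holding the MAC address).
    #>
    param(
        [Parameter(Mandatory)][string]$Server,            # DC host name or IP
        [Parameter(Mandatory)][pscredential]$Credential,  # DOMAIN\svc account
        [string]$ComputerName,
        [string]$Attribute,
        [string]$Value
    )
    if ($Attribute) {
        $clause = "($Attribute=$(ConvertTo-LdapFilterValue $Value))"
    } else {
        $clause = "(cn=$(ConvertTo-LdapFilterValue $ComputerName))"
    }
    $filter = "(&(objectCategory=computer)$clause)"

    # Secure + Sealing: authenticated (Negotiate) bind with an encrypted
    # session rather than a plain-text simple bind over port 389.
    $authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::Sealing
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        $authType)
    $searcher = $null
    try {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        $hit = $searcher.FindOne()   # $null when nothing matches, no exception
        if ($null -eq $hit) { return $null }
        return [string]$hit.Properties['distinguishedname'][0]
    } finally {
        if ($searcher) { $searcher.Dispose() }
        $root.Dispose()
    }
}

# Usage inside the task sequence (placeholder values). The credential is
# assumed to come from a protected source, e.g. a task sequence variable whose
# value is hidden, rather than being written into the script.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$secure = ConvertTo-SecureString $tsenv.Value('SVC_PASSWORD_VAR') -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('EXAMPLE\svc_osd', $secure)

# Variant 1: match on the name the tech typed in (the accepted answer's logic)
$dn = Find-PrestagedComputer -Server 'dc01.example.com' -Credential $cred `
        -ComputerName $tsenv.Value('OSDComputerName')

# Variant 2: match on a MAC address the tech stored in a custom attribute
# $dn = Find-PrestagedComputer -Server 'dc01.example.com' -Credential $cred `
#         -Attribute 'extensionAttribute1' -Value '00-11-22-33-44-55'

$flag = if ($dn) { 'TRUE' } else { 'FALSE' }
$tsenv.Value('OSDComputerPrestaged') = $flag
```

Returning the distinguishedName instead of a bare TRUE/FALSE lets a later step log exactly which object was matched, and the escaping function keeps a typo like an unbalanced parenthesis in the prompted name from turning into a filter error that the accepted answer's silently-continue setting would otherwise hide.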
Wednesday, October 16, 2013 10:25 PM
I don't think I made this clear. Forget the whole scenario.
The first question is: is it possible to query AD from a non-domain-joined computer, for any information? It doesn't matter what it is.
Friday, November 8, 2013 4:26 PM
I've been noodling a similar problem/solution and would love to see how you got this to work, FWIW. :)