

How to remove a computer from AD group in TS after in-place upgrade?

Question

Friday, June 1, 2018 9:07 AM

Hello, I'm having issues with removing a computer from an AD group after an in-place upgrade has completed the upgrade process in a Task Sequence. It seems like the connection to the domain is lost after the upgrade itself is finished, so the script in the TS won't remove the computer from the AD group. The script itself works fine while it's connected to the domain. So, is there a way to reconnect to the domain in the TS, or to boot into Windows with an admin so that the connection comes back up and the TS proceeds, or is there some other way to fix this?

All replies (4)

Friday, June 1, 2018 11:37 AM

What does your script look like (the one removing the computer from the AD group)?

What does your IPU task sequence look like, and how is the script run?

Martin Bengtsson | Blog: www.imab.dk | Twitter: @mwbengtsson
If a post helps to resolve your issue, please remember to click Mark as Answer.


Friday, June 1, 2018 12:51 PM

The script looks like this:

# Get the computer name from the environment
$ComputerName = Get-Content env:computername

# Check whether the computer is currently a member of the group
# (sAMAccountName of a computer object is the name followed by a trailing "$")
$isMember = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$isMember.Filter = "(&(objectClass=computer)(sAMAccountName=$($ComputerName)$)(memberOf=CN=OSUpgrade,OU=Computers,OU=Functional,OU=Groups,OU=Global,DC=ad,DC=upgrade,DC=eu))"
$isMemberResult = $isMember.FindOne()

# If the computer is a member of the group, remove it
If ($isMemberResult)
{
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$($ComputerName)$))"
    $FoundComputer = $searcher.FindOne()
    $ComputerPath = $FoundComputer.Path    # ADsPath of the computer object (LDAP://CN=...)
    $GroupPath = "LDAP://CN=OSUpgrade,OU=Computers,OU=Functional,OU=Groups,OU=Global,DC=ad,DC=upgrade,DC=eu"
    $Group = [ADSI]$GroupPath
    $Group.Remove($ComputerPath)           # IADsGroup.Remove takes the member's ADsPath
    $Group.SetInfo()
}

And the TS: https://imgur.com/YKtjIwn


Friday, June 1, 2018 1:02 PM

We had a similar issue and the cause was not the script, but the fact that the account used to run it (as specified in the task) is not a local admin. We added two steps to the TS to make it work. Before the "remove computer" task we added a cmd task running the command

net localgroup administrators <domain\user> /add

where the domain and user is whichever user you use to "run as".

After the "remove computer" task we did the opposite:

net localgroup administrators <domain\user> /delete


Friday, June 1, 2018 1:10 PM

> "We had a similar issue and the cause was not the script, but the fact that the account used to run it (as specified in the task) is not a local admin. We added two steps to the TS to make it work. Before the "remove computer" task we added a cmd task running the command"

Wow, that's not pretty. If this was me, I would use a webservice to do anything required in AD. I know that won't solve your current issue, but I'd take a closer look at this: https://gallery.technet.microsoft.com/ConfigMgr-WebService-100-572825b2

Nickolaj provides you with an example of how to add a computer to an AD group. There's an option to remove as well: $WebService.RemoveADComputerFromGroup($SecretKey, $ADGroupName, $OSDComputerName)

The stuff in AD is then taken care of by the web service (which runs under an account that has rights to do stuff in AD).

Martin Bengtsson | Blog: www.imab.dk | Twitter: @mwbengtsson
If a post helps to resolve your issue, please remember to click Mark as Answer.
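A task-sequence script step along the lines Martin describes, added here as an illustration; it is not code from the thread or from Nickolaj's ConfigMgr WebService project. The service URI, the TS variable WebServiceSecretKey that holds the key, the group name, and the assumption that RemoveADComputerFromGroup returns a boolean are all mine:

```powershell
# Added example: remove the upgraded computer from the OSUpgrade group through the
# ConfigMgr WebService from a "Run PowerShell Script" TS step. The AD change is made
# by the web service's own service account, so the client neither needs local admin
# rights nor a working domain connection of its own after the in-place upgrade.
# Placeholder URI: replace with the address of your own ConfigMgr WebService instance.
$URI       = "https://<webservice-host>/ConfigMgrWebService/ConfigMgrWebService.asmx"
$GroupName = "OSUpgrade"

# Read values from the running task sequence (COM object available inside a TS).
# Keeping the secret key in a TS variable avoids hard-coding it in the script.
$TSEnv        = New-Object -ComObject Microsoft.SMS.TSEnvironment
$SecretKey    = $TSEnv.Value("WebServiceSecretKey")   # assumed TS variable name
$ComputerName = $TSEnv.Value("OSDComputerName")
if ([string]::IsNullOrEmpty($ComputerName)) { $ComputerName = $env:COMPUTERNAME }

try {
    $WebService = New-WebServiceProxy -Uri $URI -ErrorAction Stop
    # Assumed to return $true on success; adjust if your service version differs.
    $Result = $WebService.RemoveADComputerFromGroup($SecretKey, $GroupName, $ComputerName)
    Write-Output "RemoveADComputerFromGroup('$GroupName', '$ComputerName') returned: $Result"
    if (-not $Result) {
        # Non-zero exit fails the TS step, so a silent no-op shows up in smsts.log
        exit 1
    }
}
catch {
    Write-Output "Web service call failed: $($_.Exception.Message)"
    exit 1
}
```

Because the step exits non-zero when the call fails or returns false, the task sequence logs the failure instead of carrying on with the computer still in the group.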