Philadelphia Security User Group


Running a script after domain join - agent not picking up job on startup?

  • 1.  Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 17, 2015 08:02 AM

    I need to add a computer account to a security group via a script post image.  I have the script working, but the computer needs to be on the domain for the script to run.

    The problem I'm having is in my imaging job, usually the last thing I run is an apply system config task which joins computer and dumps computer in right OU.  This reboots the computer leaving it at the CTRL ALT DEL screen.  If I add the script task after this, it never runs as if the agent isn't loading because no one is logged in.  

    I tried changing the Altiris Agent task to start automatically instead of on a delay, but it still times out.

    I tried changing my imaging procedure so the deploy job has credentials to join the domain, but it doesn't join the domain, it stays in workgroup.  I'm not sure why.

    The task has to run as part of imaging because the security group is what allows computer to join wifi, it can't run later as part of some managed policies.

    Any ideas?  Should the agent not be checking for jobs at startup?

    I'm 7.5 SP1 and latest hotfix.

     



  • 2.  RE: Running a script after domain join - agent not picking up job on startup?

    Broadcom Employee
    Posted Apr 17, 2015 08:21 AM

    Hi,

    If the problem is related to the not-logged-in system state, then maybe it is possible to add autologon as part of imaging, so the computer will log on automatically? If that allows the next script task to run, then let it do its job, turn off autologon and restart the PC one more time.

    In general, it might be an issue with switching between different task servers in the middle of a job - if the job started when the client was assigned to task_server_1 and, for some reason, during the job execution the client starts working with task_server_2, then the job will time out.

    Thank you,

    Alex.



  • 3.  RE: Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 17, 2015 08:39 AM

    We only have one server, no separate site/task servers.

    The computer auto logs in already, the problem is the system configuration reboots the machine and leaves it logged out and the agent isn't communicating to process anything.



  • 4.  RE: Running a script after domain join - agent not picking up job on startup?

    Posted Apr 17, 2015 10:14 AM

    Could you use this temporarily?

    https://technet.microsoft.com/en-us/library/bb963905.aspx



  • 5.  RE: Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 17, 2015 10:30 AM

    Appreciate the link @tloenhorst... I could do some scripting to force autologin and then turn it back off I guess, but it's surprising to me the agent process doesn't just start at startup.  Why wouldn't we want clients checking in at the fresh login screen?



  • 6.  RE: Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 17, 2015 06:22 PM

    All kinds of posts on how to run scripts post domain join with SCCM as part of imaging. Disappointing. Even if I change my sysprep file to do 2 auto logins instead of 1, it rarely completes properly for whatever reason.  Frustrating.



  • 7.  RE: Running a script after domain join - agent not picking up job on startup?

    Posted Apr 20, 2015 07:37 AM

    I have scripts that run after the machine is added to the domain without anyone being logged in! Have you tried running the script with various credentials to see if it's a permission issue?

     

     



  • 8.  RE: Running a script after domain join - agent not picking up job on startup?

    Posted Apr 20, 2015 07:39 AM
    Is the Software Management Solution Agent in your image? Perhaps the Task times out waiting for that to install. I always try and join to the domain as part of sysprep using Unattend.xml. Any failure will be in the sysprep logs and the reason is usually fairly clear from there.


  • 9.  RE: Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 20, 2015 11:13 AM

    Are you 7.5 SP1 HF5?  The script runs fine if I login as a user.  It sure seems like the agent never starts up until someone logs in the first time.



  • 10.  RE: Running a script after domain join - agent not picking up job on startup?

    Trusted Advisor
    Posted Apr 20, 2015 01:35 PM

    Hi Andy,

    The agents are all updated and they're on the image.  I am not sure what's going on, but I agree probably doing domain join during sysprep would be better.

    Do you use UnsecureJoin in your unattend?  Lame it looks like if you use credentials it passes them in clear text into the xml file.



  • 11.  RE: Running a script after domain join - agent not picking up job on startup?

    Posted Apr 21, 2015 07:49 AM

    I'm on SP1 HF3. Maybe needs the agent updated on the build. Wouldn't be surprised!



  • 12.  RE: Running a script after domain join - agent not picking up job on startup?
    Best Answer

    Trusted Advisor
    Posted Apr 21, 2015 11:36 AM

    It looks like other tasks run fine at startup, I was mistaken on what was actually going on.  For some reason this script task just sits at "Running...." and doesn't finish when part of the image workflow when no user is logged in.

    I can run the same script without issue manually, but I believe I was always logged into the workstation when I tested it.  

    I also couldn't get the domain join via sysprep to work without putting a password in via clear text (would still like to learn how to do that).

    I found a workaround though. I changed my unattend file to force 2 auto logins, so after domain join it auto logs in one more time, then runs my script without issue, and I added a restart after that so the machine is back to sitting at CTRL ALT DEL when it's done completing its tasks.

    Here's my script to add a computer to a security group if anyone should need something similar in the future.  I wish I could credit where I found it.  Make sure you run it with user credentials for someone who can edit the group membership in AD.

    Option Explicit

    Dim objSysInfo, objComputer, strComputerDN
    Dim objComputerGroup

    ' Retrieve the distinguished name (DN) of the local computer account.
    ' This only works once the machine is joined to the domain.
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN = objSysInfo.ComputerName

    ' Bind to the computer object.
    Set objComputer = GetObject("LDAP://" & strComputerDN)

    ' Bind to the group. You must specify the full distinguished name.
    Set objComputerGroup = GetObject("LDAP://CN=NameOfGroup,OU=OUComputer,OU=NestedOU,DC=company,DC=com")

    ' Add the computer to the group, if it is not already a member.
    If (objComputerGroup.IsMember(objComputer.AdsPath) = False) Then
        objComputerGroup.Add(objComputer.AdsPath)
    End If

     



  • 13.  RE: Running a script after domain join - agent not picking up job on startup?

    Posted Apr 21, 2015 06:33 PM
    I usually just use an account that only has rights to join the domain in the unattend xml with sysprep and the password should get removed as part of the sysprep process. I've found this method of domain joining to be by far the most reliable.
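
Post 13 relies on sysprep removing the join password from the answer file, and posts 10 and 12 worry about it sitting there in clear text. The check below, run on a finished build, is an added example and not part of the original thread: `Find-UnattendSecret` is a hypothetical name, and the cache paths and the scrub marker are assumptions to confirm against your own image.

```powershell
# Added example: list answer files that still hold a readable password.
function Find-UnattendSecret {
    param(
        # Assumed default locations of cached answer files on an imaged machine.
        [string[]]$Path = @("$env:WINDIR\Panther\unattend.xml",
                            "$env:WINDIR\Panther\Unattend\unattend.xml",
                            "$env:WINDIR\System32\Sysprep\unattend.xml"),
        # Assumed marker that Windows Setup writes over scrubbed values.
        [string]$ScrubMarker = '*SENSITIVE*DATA*DELETED*'
    )
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $doc = New-Object System.Xml.XmlDocument
        try { $doc.Load($file) }
        catch { Write-Warning "Cannot parse ${file}: $($_.Exception.Message)"; continue }
        # local-name() sidesteps the urn:schemas-microsoft-com:unattend namespace.
        $xpath = "//*[local-name()='Password' or local-name()='MachinePassword']"
        foreach ($node in $doc.SelectNodes($xpath)) {
            # Passwords are either a bare string or carry a <Value> child.
            $valueNode = $node.SelectSingleNode("*[local-name()='Value']")
            $value = if ($null -ne $valueNode) { $valueNode.InnerText } else { $node.InnerText }
            $value = $value.Trim()
            if ($value -eq '' -or $value -eq $ScrubMarker) { continue }
            $comp = $node.SelectSingleNode("ancestor::*[local-name()='component']")
            [pscustomobject]@{
                File      = $file
                Component = if ($null -ne $comp) { $comp.GetAttribute('name') } else { '' }
                Element   = "$($node.ParentNode.LocalName)/$($node.LocalName)"
                Length    = $value.Length   # report the length, never the secret
            }
        }
    }
}

# Constructed sample: a domain-join fragment with a made-up account and password.
$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend"><settings pass="specialize">
  <component name="Microsoft-Windows-UnattendedJoin"><Identification>
    <Credentials>
      <Domain>example.test</Domain><Username>svc-join</Username>
      <Password>Constructed-Not-Real-1</Password>
    </Credentials>
    <JoinDomain>example.test</JoinDomain>
  </Identification></component>
</settings></unattend>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'unattend-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample
Find-UnattendSecret -Path $tmp
Remove-Item -LiteralPath $tmp
```

Calling `Find-UnattendSecret` with no arguments as the last imaging task scans the default paths; any row returned means a credential survived the build and the join account's password should be rotated.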