Join systems to a domain and create KeePass server entries for local admin’s

Please note – this script was updated – you find the updated post here.

One of the challenges in most daily IT operations is onboarding of workstations and servers (respective domain join). Over the years I came across and tried many ways to accomplish this. Today I wanted to share a script and solution others might find helpful, but first lets get down to some theory and background.

The goals and challenges:

• simple domain join after a system was imaged
  • this is in theory possible in a fully automated process via various imaging solutions – I found that WDS (Microsoft Windows Deployment Services are in most cases the easiest way to accomplish this while having the possibility to use this in consulting for various clients, in enterprise for various departments etc. Since Windows 10 came in to the equation some of the automation with WDS became more challenging – so keeping it simple with some additional manual labor is often the easiest way to accomplish this – to simplify the process a PowerShell script became a perfect solution).
• systems should have a local admin account (not administrator / SID 500 / who should remain disabled) with an individual password
  • typing this manual you always risk that the password is misspelled either in your password database or on the actual operating system
  • if you think it is a good idea to have the same password on all your clients I actually suggest you do some security related research!

The PowerShell script below will do the following for you:

1. Ask for the name of the system (this will change the hostname/computername)
2. Ask for credentials for KeePass / Pleasant Password Server
3. Ask for credentials to join the system to the domain
4. Create a local admin user account on the system
5. Generate a password for this account
6. Check if there is an existing KeePass / Pleasant Password Server entry for this system
7. If not – it will proceed and create a entry with the machine name, username, password and various additional information like
   1. manufacturer
   2. model
   3. serial number / service tag
   4. UEFI BIOS Windows license key
   5. MAC addresses of all network cards Windows knows about
8. And finally it will join the domain and put the system right away in to the defined OU

The whole script is only an example – you don’t have to use KeePass / Pleasant Password Server nor is the script perfect for any situation – you can take it and modify it as you need it – point it to various IT Asset databases or let you chose from predefined OUs etc. – adjust it as you needed – in general it is a very useful baseline and I wanted to share it.

One of the challenges is to execute the script as administrator (elevated rights) and as well bypass the script execution restrictions without compromising them in a default image, like disabling this important security feature on the image itself. To accomplish this, a simple CMD-Script actually will execute the PowerShell script. CMD-Script can right-clicked and executed as administrator and gain elevated rights. This is as of today not possible by default with PowerShell scripts (.ps1).

Create the following two files “Execute-DomainJoin.cmd” and “Execute-DomainJoin.ps1” and save them in the same directory or e.g. a portable flash drive. Adjust the PowerShell script so it connects to your domain and local systems.

Please note – this script was updated – you find the updated post here.

Explaining, adjusting and guiding your through the PowerShell script

It is important that you understand the script so you can make adjustments to it. I will try to explain everything that is important and reference some line-numbers while doing so.

1. Lines 1-30 are just a general introduction and show some generic information
2. Lines 31-76 hold some functions to generate a password, to bypass some certificate issues etc
   1. Lines 35-38 are worth taking a look at, here are all the characters of the four categories that will be used to generate a password. Excluded are already usually hard to read characters in some fonts and other characters that might cause issues – of course, adjust especially line 38 to your preferences and add more symbols or remove what you don’t want to use
3. Lines 77-89 are just informational
4. Lines 90-96 expect some user-input
   1. new computername
   2. get credentials for the domain join (admin)
      1. the script will not validate the credentials, in theory this could be done but I never found it that important
   3. get credentials to read/write on the password database server (often not the actual admin-credentials, therefor I separated those two)
      1. the script will not validate the credentials, in theory this could be done but I never found it that important
   4. the local admin username that will be created
      1. $localAdminUser = $(“$ComputerName” + “_Admin”)
      2. the above line will create a hostname_admin account – you can adjust this to your preferences
   5. 94-95 will generate a password and encrypt it so it can be used to create the local account
5. Lines 97-103 are just informational
6. Lines 104-216 – this is actually the whole password server communication and entry check and generation
   1. 104-115 those lines gather various information from your current system like serial number, UEFI Windows keys, etc. – you can keep em as is
   2. 116 – please enter the URL to your password server here 
   3. 117 – here your need to enter the folder where the generated credentials are going to be put in on your password server
   4. 118 – this is the subject of the entry that will be generated – adjust this to your preferences
   5. 119-120 – those are username/password for the entry – you should leave this as is
   6. 121-134 – those lines are the details in your password server entry – adjust them to your likes
   7. 135-165 – this actually will execute the following on the REST API on your password server
      1. connect to it
      2. check if a entry with the same username already exists
   8. 166-189 – this will raise an alert that this user already exists on your password server – 189 will actually exit the whole script
   9. 190-216 – this block will write to the password server – cause it did not find an entry with the new username
7. Lines 217-241 this shows the new created username and password – it actually suggests you compare the entries on your password server to the information shown to make sure everything is correct
8. Lines 242-251 will create the new local admin account on the system and set the password
9. Lines 252-267 are informational
10. Line 268 will execute the actual domain join
    1. please adjust the -Domain and the -OUPath parameter to your specific needs
    2. note that the command will automatically restart the system
11. Lines 269-282 Those lines are informational – actually – if anything would go wrong those lines would be shown and help to take further steps after the failed domain join – in most cases those suggestions will help – in the end the error output shown by the command for the domain join (line 268) would indicate what went wrong. The restart of the system actually would bypass this message in the end (more or less)

If you have any questions, feel free to reach out to me. The script could be cleaned up more – but I wanted to provide a working version of it – so I just did a quick clean up or some special stuff and posted it here. Personally I like things a bit more structured, but as said – this is just a general example.

Please note – this script was updated – you find the updated post here.

This script is also mentioned on the API Examples page on the Pleasant Solutions web site here.

Tags: active directoryautomatedomain joinpassword