Sometimes it’s useful to pre-create computer objects in the correct OU before joining them to the domain. This way, you know that they will immediately pick up whatever Group Policies have been assigned to the OU. Of course, you can create the computer objects in AD manually using Active Directory Users and Computers (dsa.msc) or the new Active Directory Administrative Center (dsac). However, if you’ve got more than a few computer objects to create it might be helpful to have a script. Here’s a Powershell 1.0 sample:
##########################################################
# Name: PreSeedComputerObjects.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 12/04/2010
# Comment: PowerShell 1.0 script to
# pre-create AD Computer objects from csv file
#
#########################################################

# Set the target OU where the computer objects will be created
$ComputerOU = [ADSI]"LDAP://OU=Workstations,DC=contoso,DC=com"

# Specify the folder and CSV file to use
$folder = "C:\util\csv"
Set-Location $folder
$csv = Import-Csv "import.csv"

# Parse the CSV file line by line
foreach($line in $csv) {
    # Assign variables to each attribute
    $ComputerName = $line.ComputerName
    $samname = $ComputerName + "$"
    $Computer = $ComputerOU.create("Computer","cn=$ComputerName")

    # Populate the minimum set of attributes needed for computer objects
    $Computer.put("sAMAccountName",$samname)
    $Computer.put("userAccountControl",4128)

    # Commit the changes
    write-host "Adding $ComputerName to target OU"
    $Computer.setinfo()

    # Capture any errors (e.g. object already exists) and move on
    trap {
        write-host "Error: $_"
        continue
    }
}
#End
The format of the CSV file is simply as follows:
ComputerName
<netbios_name_of_computer>
e.g.
ComputerName
wkstn001
wkstn002
wkstn003
The only other point of interest is that we need to define the sAMAccountName and the userAccountControl attributes in the script. The sAMAccountName is simply the NetBIOS name of the machine with a "$" suffix. It is also important to specify an appropriate value for userAccountControl; in this case a decimal value of 4128, which corresponds to 0x1020 (hex) or (PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT).
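The following is an added example, not the script from the post above: a PowerShell 2.0+ variant of the same CSV import that builds the userAccountControl value from named flags (so 4128 is derived rather than hard-coded), decodes a value back into flag names for review, validates each NetBIOS name before use, searches the whole domain for an existing sAMAccountName so a duplicate in another OU is caught instead of silently failing, and supports a dry run. The OU path and CSV path are taken from the post; the flag table, the function names and the -WhatIf switch are assumptions of this example.

```powershell
# Added example (not the original PreSeedComputerObjects.ps1): validated, dry-run capable
# pre-creation of computer objects. Flag names/values below are a subset of the
# userAccountControl bitmask; function names are illustrative.
$UacFlags = @{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
}

function Get-UacValue {
    # Combine named flags into the decimal value written to userAccountControl
    param([string[]]$Names)
    $value = 0
    foreach ($n in $Names) {
        if (-not $UacFlags.ContainsKey($n)) { throw "Unknown userAccountControl flag: $n" }
        $value = $value -bor $UacFlags[$n]
    }
    return $value
}

function Get-UacFlagNames {
    # Decode a userAccountControl value into the names of the flags that are set
    param([int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

function Test-NetbiosName {
    # NetBIOS computer names: 1-15 characters, letters, digits and hyphens only
    param([string]$Name)
    return ($Name -match '^[A-Za-z0-9-]{1,15}$')
}

function Test-ComputerExists {
    # Search the whole domain (default naming context) so a duplicate in another OU is found
    param([string]$SamName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$SamName))"
    return ($null -ne $searcher.FindOne())
}

function Add-PreSeededComputers {
    param(
        [string]$CsvPath = 'C:\util\csv\import.csv',                  # path from the post
        [string]$OuPath  = 'LDAP://OU=Workstations,DC=contoso,DC=com', # OU from the post
        [switch]$WhatIf                                                # dry run, assumed switch
    )
    # Same two flags the post uses; evaluates to 4128 (0x1020)
    $uac = Get-UacValue -Names 'PASSWD_NOTREQD', 'WORKSTATION_TRUST_ACCOUNT'
    Write-Host ("userAccountControl {0} = {1}" -f $uac, ((Get-UacFlagNames $uac) -join ' | '))
    $ou = [ADSI]$OuPath

    foreach ($row in Import-Csv $CsvPath) {
        $name = $row.ComputerName.Trim()
        if (-not (Test-NetbiosName $name)) {
            Write-Warning "Skipping invalid NetBIOS name '$name'"
            continue
        }
        $sam = $name + '$'
        if (Test-ComputerExists $sam) {
            Write-Warning "Skipping $name - a computer with sAMAccountName $sam already exists"
            continue
        }
        if ($WhatIf) {
            Write-Host "Would create CN=$name in $OuPath with userAccountControl=$uac"
            continue
        }
        try {
            $computer = $ou.Create('computer', "CN=$name")
            $computer.Put('sAMAccountName', $sam)
            $computer.Put('userAccountControl', $uac)
            $computer.SetInfo()
            Write-Host "Created $name in $OuPath"
        } catch {
            Write-Warning "Failed to create ${name}: $_"
        }
    }
}

# Usage: preview first, then create for real
# Add-PreSeededComputers -WhatIf
# Add-PreSeededComputers
```

Running with -WhatIf first shows exactly which rows would be created and which are skipped, which is the check worth doing before a bulk import: a row that already exists elsewhere in the domain would otherwise produce an "object already exists" error at SetInfo() and, if the existing account sits in a different OU, the machine would not pick up the policies you expect.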
As always, please let me know if you can think of ways to improve the script. Yes, that includes you Brandon!
Note: When copying the script from the web site, replace the double-quotes before you try it. WordPress does some funky format changes!
Pingback: AD Goodies 4/15/2010 - The Experts Community
Hey There,
Thanks for sharing this example. Yup, pre-creating a computer account is certainly helpful, especially BEFORE joining them to the domain.
I too occasionally blog on Powershell for Active Directory and would be happy to mention your tip on my blog sometime in the near future.
Thanks again,
– Scotty
SO.. how about changing the user that can add the computer to the domain? The default is Domain Admins, but let's say you had a specific user account used for adding PCs to the domain and you needed to specify that user account?
Thanks!
As packettracer posted, is it possible to add a security group to the ACL of the created computer object, so as to allow the members of that group to join the computer to the domain, since joining to the domain is restricted to particular members of a security group?
Pingback: Script to change LDAP attributes