1

We have a script that automatically adds a freshly imaged computer to the domain. The functionality of joining the domain is always successful. However, when the script attempts to add the domain groups, it fails 50% of the time. Below is the script. I didn't write it, I just have to figure out why it is failing. I replaced company identifying information. Any ideas?

    ' Errors are suppressed for the whole script, so a failed step does not stop it.
    On Error Resume Next

    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim WShell, oReg
    Dim intReturn
    Dim strComputer, strKeyPath, strPortConf, strValue, strTempDir, strUser, strChassis, strPath
    Dim strDomain, strDomainUser, strDomainPW, strDomainOU
    Dim booDesktop, booLaptop
    Dim strPCName, objWMIService

    strDomain = "ourDomain.com"
    strDomainUser = "serviceaccountname"
    strDomainPW = "serviceaccountpassword"
    strDomainOU = "OU=Production,OU=General Workstations,DC=SOMETHING,DC=GOES,DC=HERE,DC=COM"

    booLaptop = False
    booDesktop = False

    Set WShell = Wscript.CreateObject("Wscript.Shell")
    Set fs = CreateObject("Scripting.FileSystemObject")

    strComputer = "."

    strUser = ""
    strPath = ""
    strTempDir = ""

    strPath = GetPath(wscript.scriptfullname)
    strTempDir = "C:\Windows\IT\scripts"

    If right(strPath,1) <> "\" Then
        strPath = strPath + "\"
    End if

    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    '------------
    ' Start code
    '------------

    Set oReg   = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

    Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
    Set colChassis = objWMIService.ExecQuery _
    ("Select * from Win32_SystemEnclosure",,16)
    ' Classify the machine as desktop or laptop from its chassis type
    For Each objChassis in colChassis
      For Each objItem in objChassis.ChassisTypes
        Select Case objItem
        Case 1 booDesktop = True 'Maybe Virtual Machine
        Case 2 strChassis = "??"
        Case 3 booDesktop = True
        Case 4 booDesktop = True
        Case 5 strChassis = "Pizza Box"
        Case 6 booDesktop = True
        Case 7 booDesktop = True
        Case 8 booLaptop = True 'Portable
        Case 9 booLaptop = True 'Laptop
        Case 10 booLaptop = True 'Notebook
        Case 11 strChassis = "Hand Held"
        Case 12 strChassis = "Docking Station"
        Case 13 strChassis = "All in One"
        Case 14 strChassis = "Sub Notebook"
        Case 15 booDesktop = True 'Space-Saving, SFF - Our standard desktop
        Case 16 strChassis = "Lunch Box"
        Case 17 strChassis = "Main System Chassis"
        Case 18 strChassis = "Expansion Chassis"
        Case 19 strChassis = "SubChassis"
        Case 20 strChassis = "Bus Expansion Chassis"
        Case 21 strChassis = "Peripheral Chassis"
        Case 22 strChassis = "Storage Chassis"
        Case 23 strChassis = "Rack Mount Unit"
        Case 24 strChassis = "Sealed-Case PC"
        End Select
      Next
    Next

    'Add the machine into the domain if it is a Desktop or a Laptop
    If booLaptop Then strDomainOU = "OU=Back Office,OU=Laptops," + strDomainOU
    If booDesktop Then strDomainOU = "OU=Back Office,OU=Desktops," + strDomainOU

    ' Write the join parameters for jdom; the service account password is stored
    ' in this file in clear text and the script never deletes it
    Set domFile = fs.CreateTextFile( strTempDir + "\dominfo.xml" )

    domFile.WriteLine "<?xml version=""1.0"" encoding=""UTF-8""?>"
    domFile.WriteLine "<configuration>"
    domFile.WriteLine " <DOMAIN>" + strDomain + "</DOMAIN>"
    domFile.WriteLine " <USERID>" + strDomainUser + "</USERID>"
    domFile.WriteLine " <PASSWORD>" + strDomainPW + "</PASSWORD>"
    domFile.WriteLine " <OUTOJOIN>" + strDomainOU + "</OUTOJOIN>"
    domFile.WriteLine "</configuration>"
    domFile.WriteLine()
    domFile.Close()

    'Join the Workstation to the Domain
    intReturn = WShell.Run(strTempDir + "\jdom /F " + strTempDir + "\dominfo.xml",0, true)

    strKeyPath = "SOFTWARE\Novell\Login\TAB SETTINGS\NT Credentials"
    oReg.SetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, "Sync NDS Username", "1"

    'Delay the remainder of the script for 30000 milliseconds (30 seconds).
    WScript.Sleep(30000)

    'Add the Back Office Admins group to the local administrators group
    WShell.Run strTempDir + "\jdom /A ""Back Office - Local Admins"" ""Group"" ",0, true

    'Add the Back Office Power Users group to the local Power Users group
    WShell.Run strTempDir + "\jdom /P ""Back Office - Power Users"" ""Group"" ",0, true


    '*********************
    '* Main Join Script  *
    '*      (END)        *
    '* ----------------- *

    ' Return the directory part of a full file name (everything before the last backslash)
    Function GetPath(ByVal gpFileName)
    on error resume next
        Dim gpSlash, gpLast

        If IsEmpty(gpFileName) Then
            GetPath = ""
        Else
            gpSlash = InStr(gpFileName, "\")
            gpLast = gpSlash
            Do While gpSlash <> 0
                gpSlash = InStr(gpSlash + 1, gpFileName, "\")
                If gpSlash > 0 Then
                    gpLast = gpSlash
                End If
            Loop
            if gpLast = InStr(gpFileName, "\") then gpLast = gpLast + 1
            GetPath = Left(gpFileName, gpLast - 1)
        End If
    on error goto 0
    End Function

Kevin Shoaf
  • So you want to add some groups to the local administrators group? Why don't you use a GPO for that? You can find it in: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups. – ZEDA-NL Mar 27 '12 at 13:01
  • Normally you need to reboot in order to join a domain, so I'm amazed this works even 50% of the time. – Harry Johnston Mar 28 '12 at 02:10
  • @ZEDA-NL I am going through group policy to replace this script when we implement Windows 7 throughout the company. It is in testing right now and has 100% success but the management team is not confident in allowing me to use it because 10 years ago they did the same thing (incorrectly) and locked everyone out of the entire domain because they accidentally removed all admins instead of just adding them. – Kevin Shoaf Mar 28 '12 at 20:15
  • @Harry Johnston Amazingly, it used to work 100% of the time. I don't understand why that changed. – Kevin Shoaf Mar 28 '12 at 20:16
  • It looks like the actual work is done by the unfortunately named "jdom" script, and that's probably where the trouble lies, not in this code. – Harry Johnston Mar 28 '12 at 20:41
  • @KevinShoaf The GPO can remove members from the group indeed, but I think that's a good thing. When you find that too risky though, you can also add group members (without deleting membership) with Group Policy Preferences. Please take a look at Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups. – ZEDA-NL Mar 29 '12 at 11:25

2 Answers

0

It's probably that line that says wscript.sleep(30000). I'd bet the times it fails are because the script resumes execution before the computer is added to the domain. An obvious patch / test would be to up the wait time to a minute or so, but it's less than optimal. Maybe something like what ZEDA proposes in the comments is a better solution. Still, upping the wait time should work as a patch.

0

We took out the group additions and went with group policies. We found the issues with the groups being added via script to be latency in the domain controllers. Until it can be resolved, there was no solution other than group policies, which it should have been to begin with.

Kevin Shoaf
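Both answers above trace the failures to timing (a fixed 30-second sleep, domain controller latency). As an added example that is not part of the original posts and does not use jdom, the sketch below replaces the fixed sleep with a bounded poll and checks the result of each group addition through the WinNT ADSI provider. The NetBIOS domain name, the timings and the function names are assumptions, and the script is assumed to run in a context that is allowed to query the domain.

```vbscript
Option Explicit

' Assumed values, not from the original post.
Const DOMAIN_NETBIOS = "OURDOMAIN"       ' placeholder NetBIOS domain name
Const MAX_WAIT_SECONDS = 300             ' give up after 5 minutes
Const RETRY_SECONDS = 10                 ' pause between lookups
Const ERR_ALREADY_MEMBER = &H80070562    ' ERROR_MEMBER_IN_ALIAS (1378)

' Return the group's ADsPath once the domain resolves it, or "" on timeout.
Function ResolveDomainGroup(strGroup)
    Dim objGroup, dtDeadline
    ResolveDomainGroup = ""
    dtDeadline = DateAdd("s", MAX_WAIT_SECONDS, Now)
    Do
        On Error Resume Next
        Set objGroup = GetObject("WinNT://" & DOMAIN_NETBIOS & "/" & strGroup & ",group")
        If Err.Number = 0 Then ResolveDomainGroup = objGroup.ADsPath
        Err.Clear
        On Error GoTo 0
        If ResolveDomainGroup <> "" Or Now >= dtDeadline Then Exit Do
        WScript.Sleep RETRY_SECONDS * 1000
    Loop
End Function

' Add a domain group to a local group; True only if membership is in place afterwards.
Function AddToLocalGroup(strDomainGroup, strLocalGroup)
    Dim objLocal, strPath, strHost, lngErr
    AddToLocalGroup = False
    strPath = ResolveDomainGroup(strDomainGroup)
    If strPath = "" Then
        WScript.Echo "Timed out resolving " & strDomainGroup
        Exit Function
    End If
    strHost = CreateObject("WScript.Network").ComputerName
    On Error Resume Next
    Set objLocal = GetObject("WinNT://" & strHost & "/" & strLocalGroup & ",group")
    If Err.Number = 0 Then objLocal.Add strPath
    lngErr = Err.Number          ' capture before On Error GoTo 0 clears Err
    On Error GoTo 0
    If lngErr = 0 Or lngErr = ERR_ALREADY_MEMBER Then
        AddToLocalGroup = True
    Else
        WScript.Echo "Adding " & strDomainGroup & " failed: 0x" & Hex(lngErr)
    End If
End Function

If Not AddToLocalGroup("Back Office - Local Admins", "Administrators") Then WScript.Quit 1
If Not AddToLocalGroup("Back Office - Power Users", "Power Users") Then WScript.Quit 1
```

A non-zero exit code lets the imaging process flag the machine instead of silently shipping it without the expected local group membership.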