
I am trying to write a powershell script that runs a specific code block as a domain admin and moves a computer to a specific OU.

If I run it as a domain admin, it works fine, but the problem is it usually runs as a local admin, which obviously won't add the computer to the domain.

So I added the credentials as part of the script, but it doesn't seem to be working.

Here is my code:

CLS

$command = {
# Specify, or prompt for, NetBIOS name of computer.
$Name = $env:COMPUTERNAME

# Retrieve Distinguished Name of current domain.
$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Root = $Domain.GetDirectoryEntry()
$Base = ($Root.distinguishedName)

# Use the NameTranslate object.
$objTrans = New-Object -comObject "NameTranslate"
$objNT = $objTrans.GetType()

# Initialize NameTranslate by locating the Global Catalog.
$objNT.InvokeMember("Init", "InvokeMethod", $Null, $objTrans, (3, $Null))

# Retrieve NetBIOS name of the current domain.
$objNT.InvokeMember("Set", "InvokeMethod", $Null, $objTrans, (1, "$Base"))
$NetBIOSDomain = $objNT.InvokeMember("Get", "InvokeMethod", $Null, $objTrans, 3)

# Retrieve Distinguished Name of specified object.
# sAMAccountName of computer is NetBIOS name with trailing "$" appended.
$objNT.InvokeMember("Set", "InvokeMethod", $Null, $objTrans, (3, "$NetBIOSDomain$Name$"))
$ComputerDN = $objNT.InvokeMember("Get", "InvokeMethod", $Null, $objTrans, 1)

#Bind to computer object in AD.
$Computer = [ADSI]"LDAP://$ComputerDN"

#Specify target OU.
$TargetOU = "OU=Block-Policies,OU=Windows 10,OU=LAPTOPS,OU=COMPUTERS,OU=COMPUTER-SYSTEMS,DC=domain,DC=com"

#Bind to target OU.
$OU = [ADSI]"LDAP://$TargetOU"

# Move computer to target OU.
$Computer.psbase.MoveTo($OU)
}

#Credentials
$domain = "domain.com"
$password = "2093dhqwoe3212" | ConvertTo-SecureString -asPlainText -Force
$username = "$domain\DomainAdmin" 
$credential = New-Object System.Management.Automation.PSCredential($username,$password)

#Run the command with escalation
Invoke-Command -Credential $credential -ComputerName localhost -ScriptBlock {$command}

I know the credentials work because if I manually type them in and run the script, it works. I have tried using invoke-command as well as

start-job -ScriptBlock {$command} -Credential $credential

Neither seem to be working for me. The start-job seems to go through, but doesn't actually move the computer. The invoke-command gives me an error. "[localhost] Connecting to remote server localhost failed with the following error message: The client cannot connect to the destination specified in the request ..."

Koobah84
  • Is the `$` missing from `credential` a typo or actually in your code? Is there any reason you're not using the native Active Directory powershell cmdlets? (`Get-ADComputer` etc) – G42 Dec 10 '19 at 00:11
  • Ahh nice catch, but that was actually just a typo on here, I did have it in my original production environment, and it still didn't return anything or do anything. The reason I am avoiding using get-adcomputer, or move-adobject is because these workstations don't have the activedirectory module installed, so I'm using this other method that doesn't require any prerequisites. – Koobah84 Dec 10 '19 at 00:25
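Invoke-Command -ComputerName (even for localhost) goes through WinRM, which is what the quoted connection error refers to; an alternative that needs neither WinRM nor the ActiveDirectory module is to hand the credentials to the LDAP bind itself via System.DirectoryServices.DirectoryEntry. The following is an added example, not the code from the question; the OU path, domain and account are placeholders.

```powershell
# Added example: authenticate the directory bind instead of impersonating the whole session.
# Placeholder values: adjust the OU, and supply an account allowed to move computer objects.
$TargetOU = "OU=Block-Policies,OU=Windows 10,OU=LAPTOPS,OU=COMPUTERS,OU=COMPUTER-SYSTEMS,DC=domain,DC=com"
$Credential = Get-Credential -Message "Account with rights to move computer objects"
$User = $Credential.UserName
$Pass = $Credential.GetNetworkCredential().Password

# Find the computer object with an authenticated DirectorySearcher (replaces NameTranslate).
# A computer's sAMAccountName is its NetBIOS name with a trailing "$".
$RootDSE   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE", $User, $Pass)
$DefaultNC = $RootDSE.Properties["defaultNamingContext"].Value
$Searcher  = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DefaultNC", $User, $Pass)
$Searcher.Filter     = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$Result = $Searcher.FindOne()
if (-not $Result) { throw "Computer object for $env:COMPUTERNAME not found" }

# Bind to both objects with the same explicit credentials.
$Computer = New-Object System.DirectoryServices.DirectoryEntry($Result.Path, $User, $Pass)
$OU       = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$TargetOU", $User, $Pass)

# Force the OU bind now so a wrong DN or missing rights fails before any write.
try { $null = $OU.NativeObject } catch { throw "Target OU not found or not readable: $TargetOU" }

# Skip the move if the object is already where it should be.
$CurrentParent = $Computer.Parent.Properties["distinguishedName"].Value
if ($CurrentParent -eq $TargetOU) {
    Write-Output "$env:COMPUTERNAME is already in $TargetOU"
    return
}

$Computer.psbase.MoveTo($OU)
$Computer.RefreshCache()
Write-Output "Moved to $($Computer.Properties['distinguishedName'].Value)"
```

Because the credentials are only used for the LDAP bind, the script itself can keep running as the local admin account.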

0 Answers