Gday Everyone,
I am hoping there is an AD Permission + PowerShell wizard in here. I am trying to write a script to automate the moving of AD objects (specifically computers in this case) from one OU to another with the MDT service. The specific issue I am trying to solve is with MDT’s domain unattend.xml install not moving the computer if it already exists in AD, even with the MachineObjectOU parameter defined.
To this end I have created a script “moveou.ps1” that the machine being reimaged will call on a machine with PS AD installed in order to set the location.
Param
(
[parameter(mandatory=$true,HelpMessage="Please, provide the organization unit to be used.")][ValidateNotNullOrEmpty()]$TargetOU,
[parameter(mandatory=$true,HelpMessage="Please, provide the MDT Server to be used.")][ValidateNotNullOrEmpty()]$Server,
[parameter(mandatory=$true,HelpMessage="Please, provide the Username to Connect to MDT Server.")][ValidateNotNullOrEmpty()]$User,
[parameter(mandatory=$true,HelpMessage="Please, provide the Password to Connect to MDT Server.")][ValidateNotNullOrEmpty()]$Password
)
# Build a credential object for the service account from the supplied user name and password
$cred = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList ($User, (ConvertTo-SecureString -String $Password -AsPlainText -Force))
# Run the move on the server that has the AD module. The credential is passed into the remote
# session with $Using: so the AD cmdlets there authenticate as the service account rather than
# relying on the remoting session's own token (second hop).
Invoke-Command -ComputerName $Server -Credential $cred -ScriptBlock {
    Get-ADComputer $args[0] -Credential $Using:cred | Move-ADObject -TargetPath $args[1] -Credential $Using:cred
} -ArgumentList ($env:COMPUTERNAME, $TargetOU) 2>&1
As for security, I have created a service AD account that has delegated permissions via a group.
I have one OU set up with these instructions: Correct Domain Join Account Permissions - SCCM / MDT OS Deployment
and the other OU's permissions set using a modified version (to apply a group permission rather than a user permission) of Set-OUpermissions.ps1 from GitHub/the MDT Reference Manual:
<#
Created: 2013-01-08
Version: 1.0
Author Mikael Nystrom and Johan Arwidmark
Homepage: http://www.deploymentfundamentals.com
Disclaimer:
This script is provided "AS IS" with no warranties, confers no rights and
is not supported by the authors or DeploymentArtist.
Author - Mikael Nystrom
Twitter: @mikael_nystrom
Blog : http://deploymentbunny.com
Author - Johan Arwidmark
Twitter: @jarwidmark
Blog : http://deploymentresearch.com
#>
Param
(
[parameter(mandatory=$true,HelpMessage="Please, provide a name.")][ValidateNotNullOrEmpty()]$Account,
[parameter(mandatory=$true,HelpMessage="Please, provide the organization unit to be used.")][ValidateNotNullOrEmpty()]$TargetOU
)
# Start logging to screen
Write-host (get-date -Format u)" - Starting"
# This is what we typed in
Write-host "Account to search for is" $Account
Write-Host "OU to search for is" $TargetOU
$CurrentDomain = Get-ADDomain
# Build the full DN of the OU by appending the domain DN to the OU path that was typed in
$OrganizationalUnitDN = $TargetOU+","+$CurrentDomain.DistinguishedName
# Modified from the original: look up a group rather than a user account
$SearchAccount = Get-ADGroup $Account
$SAM = $SearchAccount.SamAccountName
# dsacls expects the trustee in NetBIOS form, i.e. DOMAIN\name
$UserAccount = $CurrentDomain.NetBIOSName+"\"+$SAM
Write-Host "Account is = $UserAccount"
Write-host "OU is =" $OrganizationalUnitDN
# /G grants an ACE. After the colon the fields are rights;[property or extended right];[object class],
# where CC = Create Child, DC = Delete Child, LC = List Contents, RC = Read Control (read permissions),
# WD = Write DAC (change permissions), WP = Write Property, RP = Read Property, CA = Control Access
# (extended right) and WS = Write Self (validated write). The trailing "Computer" scopes the entry to
# computer objects. /I:T applies to this OU and everything below it; /I:S applies to child objects only.
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CCDC;Computer" /I:T | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":LC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RC;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WD;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;Name;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WP;distinguishedName;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":RP;;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Reset Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":CA;Change Password;Computer" /I:S | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to service principal name;Computer" /I:S # | Out-Null
dsacls.exe $OrganizationalUnitDN /G $UserAccount":WS;Validated write to DNS host name;Computer" /I:S | Out-Null
# Dump the resulting DACL so the delegation can be checked
dsacls.exe $OrganizationalUnitDN
The Resulting Permissions for my Staging OU (“LostAndFound”) are:
#LOST AND FOUND
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute
InheritanceType : All
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : All
ObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

ActiveDirectoryRights : Self
InheritanceType : Descendents
ObjectType : f3a64788-5306-11d1-a9c5-0000f80367c1
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : Self
InheritanceType : Descendents
ObjectType : 72e39547-7b18-11d1-adef-00c04fd8d5cd
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType : Descendents
ObjectType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType : Descendents
ObjectType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
The permissions for the standard Office OU are:
#OFFICE
ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute
InheritanceType : All
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : None
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

ActiveDirectoryRights : ReadProperty, WriteProperty, GenericExecute, WriteDacl
InheritanceType : Descendents
ObjectType : 00000000-0000-0000-0000-000000000000
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType : All
ObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
InheritedObjectType : 00000000-0000-0000-0000-000000000000
ObjectFlags : ObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : None

ActiveDirectoryRights : Self
InheritanceType : Descendents
ObjectType : f3a64788-5306-11d1-a9c5-0000f80367c1
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : Self
InheritanceType : Descendents
ObjectType : 72e39547-7b18-11d1-adef-00c04fd8d5cd
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType : Descendents
ObjectType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly

ActiveDirectoryRights : ExtendedRight
InheritanceType : Descendents
ObjectType : ab721a53-1e2f-11d0-9819-00aa0040529b
InheritedObjectType : bf967a86-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : [DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]
IsInherited : False
InheritanceFlags : ContainerInherit
PropagationFlags : InheritOnly
Permissions were queried using the following command:
(Get-Acl -Path "AD:\[DN OF OU]").Access.Where({$_.IdentityReference -eq "[DOMAIN]\[PERMISSION GROUP TO JOIN PC TO DOMAIN]"})
When I attempt to run moveou.ps1 from Office to Staging I get the following error:
Access is denied
+ CategoryInfo : PermissionDenied: ([DN OF TEST MACHINE]) [Move-ADObject], UnauthorizedAccessException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.UnauthorizedAccessException,Microsoft.ActiveDirectory.Management.Commands.MoveADObject
+ PSComputerName : [RSAT Access Server]
But if I move from Staging to Office, it works!
I have confirmed, based on https://social.technet.microsoft.com/wiki/contents/articles/20747.delegate-moving-user-group-and-computer-accounts-between-organizational-units-in-active-directory.aspx, that both OUs have the permissions required.
What Have I missed?
Thank you for any assistance,
The Fat Hacker
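An added example, not part of the original post or of the MDT scripts it quotes: a PowerShell audit that reads the DACLs of the source OU, the target OU and the computer object itself and reports whether the delegated group holds each ACE a computer move needs (Delete Child for the computer class on the source OU or Delete on the object, Create Child for the computer class on the target OU, and Write Property on the object's name and cn). It goes beyond the single Get-Acl query in the post by checking all three locations the move touches and by flagging any Deny ACE for the group. The function names (Get-SchemaAttributeGuid, Get-IdentityAces, Test-AceGrants, Test-ComputerMoveDelegation) and all parameter values are my own placeholders; the computer-class GUID is the one that appears in the ACE dumps above, and the attribute GUIDs are resolved from the schema at run time.

```powershell
<#
  Added example (not from the original post or the MDT scripts it quotes).
  Reports whether a delegated group holds the ACEs Move-ADObject needs to move a
  computer: Delete Child (computer class) on the source OU or Delete on the object,
  Create Child (computer class) on the target OU, and Write Property on the
  object's name and cn. Only ACEs that name the group directly are examined;
  rights held through nested groups are not resolved. Assumes the RSAT
  ActiveDirectory module and its AD: drive. All parameter values are placeholders.
#>
[CmdletBinding()]
Param(
    [Parameter(Mandatory=$true)][string]$SourceOU,      # DN of the OU the computer is in now
    [Parameter(Mandatory=$true)][string]$TargetOU,      # DN of the OU it should move to
    [Parameter(Mandatory=$true)][string]$ComputerName,  # sAMAccountName without the trailing $
    [Parameter(Mandatory=$true)][string]$Group          # 'DOMAIN\Group', as Get-Acl shows it
)

Import-Module ActiveDirectory -ErrorAction Stop

$AllObjects    = [guid]'00000000-0000-0000-0000-000000000000'
# schemaIDGUID of the computer class; the same GUID appears in the ACE dumps in the post
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-SchemaAttributeGuid {
    # Resolve an attribute's schemaIDGUID from the schema partition instead of hard-coding it
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    return [guid]$attr.schemaIDGUID
}

function Get-IdentityAces {
    # Every ACE on $DN, explicit or inherited, that names $Identity directly
    param([string]$DN, [string]$Identity)
    @((Get-Acl -Path "AD:\$DN").Access | Where-Object { $_.IdentityReference.Value -eq $Identity })
}

function Test-AceGrants {
    # $true if an Allow ACE that is effective on this object (not inherit-only) grants $Right,
    # either for all object types or for the specific $ObjectType GUID
    param([object[]]$Aces, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType = $AllObjects)
    foreach ($ace in $Aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($Right)) { continue }
        if ($ace.ObjectType -eq $AllObjects -or $ace.ObjectType -eq $ObjectType) { return $true }
    }
    return $false
}

function Test-ComputerMoveDelegation {
    # Returns an ordered table of check name -> $true/$false for one source/target/object triple
    param([string]$SourceOU, [string]$TargetOU, [string]$ComputerName, [string]$Group)
    $objectDN   = (Get-ADComputer $ComputerName).DistinguishedName
    $sourceAces = Get-IdentityAces -DN $SourceOU -Identity $Group
    $targetAces = Get-IdentityAces -DN $TargetOU -Identity $Group
    $objectAces = Get-IdentityAces -DN $objectDN -Identity $Group

    $canRemove = (Test-AceGrants $sourceAces 'DeleteChild' $ComputerClass) -or (Test-AceGrants $objectAces 'Delete')
    $canCreate = Test-AceGrants $targetAces 'CreateChild' $ComputerClass
    $canName   = Test-AceGrants $objectAces 'WriteProperty' (Get-SchemaAttributeGuid 'name')
    $canCn     = Test-AceGrants $objectAces 'WriteProperty' (Get-SchemaAttributeGuid 'cn')
    # A Deny ACE for the group on any of the three objects overrides the Allow entries above
    $denies    = @(@($sourceAces) + @($targetAces) + @($objectAces) | Where-Object { $_.AccessControlType -eq 'Deny' })

    $result = [ordered]@{}
    $result['Delete Child (computer) on source OU, or Delete on the object'] = $canRemove
    $result['Create Child (computer) on target OU']                          = $canCreate
    $result['Write Property name on the object']                             = $canName
    $result['Write Property cn on the object']                               = $canCn
    $result['No Deny ACE for the group on source OU, target OU or object']   = ($denies.Count -eq 0)
    return $result
}

$report = Test-ComputerMoveDelegation -SourceOU $SourceOU -TargetOU $TargetOU -ComputerName $ComputerName -Group $Group
foreach ($entry in $report.GetEnumerator()) {
    '{0,-4} {1}' -f $(if ($entry.Value) { 'OK' } else { 'MISS' }), $entry.Key
}
```

Run it twice, once with the Office OU as source and the staging OU as target and once the other way round, using an account that can read the three DACLs. A MISS line names the object whose delegation is short, which is more useful than the single "Access is denied" that Move-ADObject returns. The script only looks at ACEs that name the group directly, so rights the service account receives through other group memberships, or a Deny placed on a different principal it belongs to, are not accounted for; the Effective Access tab in Active Directory Users and Computers remains the authority for those cases.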