Move computer from one OU to another with MDT system using a different admin account for automation

Hi,

I need to build a server using the MDT system, which logs on as local administrator during the build. Then I need to move the server from a staging OU to the APP OU during the automatic build process. I know I have to run it with another admin account that has rights to do so in AD.

I logged on to the server with the required admin account and manually executed the script, and it worked fine. However, when I create a Run Command Line sequence in MDT and specify it to run with the same admin account, it fails.

The error is: Operating System deployment did not complete successfully.....

LiteTouch deployment failed, Return Code = -2147467259 0x80004005

Failed to run the action: Move server to AppName OU

Incorrect function. (Error:00000001; Source:Windows)

The execution of the group (task sequence) has failed and the execution has been aborted.

An action failed

Operation aborted (Error:80004004; Source:Windows)

....

The last line is: Error Task Sequence manager failed to execute task sequence. Code 0x80004005

The code is below:

# Import explicitly so the step also works on PowerShell 2 (v3 and later autoload the module)
Import-Module ActiveDirectory -ErrorAction Stop

$servername = $env:COMPUTERNAME

# Distinguished name of the destination OU (no space after the commas)
$targetOU = "OU=APPName,OU=Application,OU=Servers,DC=XYX,DC=ABC,DC=DEF"

# Resolve this machine's computer object to its current distinguished name
$serverDistinguishedName = (Get-ADComputer -Identity $servername -ErrorAction Stop).DistinguishedName

# Move the object; -ErrorAction Stop makes a failure terminate the script instead of continuing silently
Move-ADObject -Identity $serverDistinguishedName -TargetPath $targetOU -ErrorAction Stop

So I am thinking, instead of specifying that MDT run the script with the admin account, why not use Move-ADObject with the -Credential parameter?

However, I don't know how to do that. Could you please assist?

Is it possible to do the above task in one line? i.e. get the computer name, then move it to a selected OU using a specified admin account and password that has rights to do so in AD?

Thank you very much for your help in advance.

Regards,

Betrai



February 20th, 2015 9:58am

Hi Betrai,

It sure is possible to shorten that script or to specify credentials:

Get-ADComputer $env:COMPUTERNAME | Move-ADObject -TargetPath "OU=APPName,OU=Application,OU=Servers,DC=XYX,DC=ABC,DC=DEF" -Credential $Cred

Now for this to work, you'd need to have previously created a credentials variable. Interactively, you can do this like this:

$Cred = Get-Credential

If you must use full automation and are set on providing the password in clear text (usually a very bad idea), you can do it like this:

$Cred = New-Object System.Management.Automation.PSCredential("UserName", $SecureStringPassword)

I'm not going to tell you how to create a SecureString password; however, a little Google use will tell you without difficulty.

Rather, I'd ask myself:

Can't I grant the current user permission to do this?

Well, so long as it is a domain account ('SYSTEM' on a domain-joined computer is a domain account), you can.

Cheers,
Fred

February 20th, 2015 10:19am

First of all, you have to check that the ActiveDirectory module exists on the machine. Also, if you are not on PowerShell v3, then you have to Import-Module before using it.
I think you are on PowerShell v3 and the module is there, as you say it works when you run the script interactively.

Now, when you move the computer to another OU, the script needs to run with an account which has privileges to do this.

Why don't you set the task sequence command activity to use the account credentials which have permission to move the machine to the OU in AD?

You can use Move-ADObject with the -Credential parameter, but for that you will have to hard-code your password in the script, which is not advised.
February 20th, 2015 10:21am
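The two answers above describe the same step from different angles: Fred's one-liner needs a PSCredential built from a SecureString, and DexterPOSH's point is that the ActiveDirectory module must be present and imported. The script below is an added example, not code from the thread, that puts both together as something you could call from an MDT Run Command Line action. The service account name (svc-mdt-oumove), the environment variable MDT_OU_MOVE_PASSWORD used to hand the password in, and the target OU are assumptions for illustration; the script also checks its own work and exits non-zero with a readable message so the task sequence fails with something more useful in the log than "Incorrect function".

```powershell
# Added example (not from the original thread). Moves this computer's AD object into
# a target OU using an explicit credential, suitable for an MDT "Run Command Line" step:
#   powershell.exe -ExecutionPolicy Bypass -File Move-ToAppOU.ps1
# Assumed names: the account 'svc-mdt-oumove' and the variable MDT_OU_MOVE_PASSWORD.

param(
    # Distinguished name of the destination OU (value taken from the thread)
    [string]$TargetOU = 'OU=APPName,OU=Application,OU=Servers,DC=XYX,DC=ABC,DC=DEF',
    # Account that has been delegated the right to move computer objects (hypothetical name)
    [string]$MoveUser = 'XYX\svc-mdt-oumove'
)

$ErrorActionPreference = 'Stop'

try {
    # DexterPOSH's point: the RSAT AD module must exist and, on PowerShell 2, be imported explicitly.
    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'ActiveDirectory module is not installed (add the RSAT-AD-PowerShell feature first).'
    }
    Import-Module ActiveDirectory

    # Fred's point: Move-ADObject -Credential wants a PSCredential, which wants a SecureString.
    # Reading the password from an environment variable keeps it out of the script text, but it
    # is still clear text wherever the caller stores it; delegating the right to the build
    # account instead removes the need for a second credential altogether.
    if (-not $env:MDT_OU_MOVE_PASSWORD) {
        throw 'MDT_OU_MOVE_PASSWORD is not set; refusing to run with an empty password.'
    }
    $secure = ConvertTo-SecureString -String $env:MDT_OU_MOVE_PASSWORD -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential($MoveUser, $secure)

    # Resolve this machine's computer object and where it currently lives.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Credential $cred
    Write-Output "Current DN: $($computer.DistinguishedName)"

    # Parent container = everything after the first RDN (fine for CNs without escaped commas).
    $parent = ($computer.DistinguishedName -split ',', 2)[1]
    if ($parent -eq $TargetOU) {
        # Idempotent: re-running the step after a partial build is harmless.
        Write-Output 'Computer object is already in the target OU; nothing to do.'
        exit 0
    }

    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $TargetOU -Credential $cred

    # Re-read the object and confirm the move before reporting success.
    $after = Get-ADComputer -Identity $env:COMPUTERNAME -Credential $cred
    if (($after.DistinguishedName -split ',', 2)[1] -ne $TargetOU) {
        throw "Move reported success but the object is still at $($after.DistinguishedName)"
    }
    Write-Output "Moved to: $($after.DistinguishedName)"
    exit 0
}
catch {
    # A non-zero exit code is what makes the MDT step fail, with this message in the step output.
    Write-Output "OU move failed: $($_.Exception.Message)"
    exit 1
}
```

Two practical notes: the account only needs the delegated rights to move computer objects between the staging and application OUs, not membership in Domain Admins, and the step should run with a fully qualified path to the script so the task sequence does not depend on the working directory. The exit code matters because MDT reports the step's return value; a script that swallows errors and exits 0 leaves the machine in the wrong OU without the build ever noticing.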

Hi,

Thank you for your very quick response. It's very much appreciated.

@DexterPOSH, yes, that is exactly what I was doing: "set the Task Sequence command activity to use the Account credentials which has the permission to move the Machine to the OU in AD", and it failed with the above-mentioned error.

That is why I tested the script by logging on locally to the server with the service account I use in the MDT task sequence, right-clicking the script and selecting Run with PowerShell, and it worked fine.

@Fred, yes, I instructed MDT to install the roles and features for the Active Directory module.

I am trying DexterPOSH's suggestion, i.e. use the MDT task sequence with the admin account, but it doesn't work; therefore I tried to use it with -Credential, and yes, it is not a very safe way as it will contain that password.

I just wonder what I did wrong with my MDT task sequence. Apparently it is not so obvious, as the MDT task sequence is very black and white: you enter the user ID, type in the password and save it.

I will try it again both ways to see which one works best.

Thank you very much again for your help.

Betrai

February 20th, 2015 1:12pm

This should be posted in the deployment forum, as MDT has facilities for doing this without the AD module as part of the domain join.
February 20th, 2015 2:06pm
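The facility referred to above is the MachineObjectOU property: when MDT performs the domain join, it creates the computer object directly in that OU, so no post-join move and no second credential are needed. The fragment below is an added example of a CustomSettings.ini section using it, not a file from the thread; the domain name, the NetBIOS name XYX, the join account svc-mdt-join and the placeholder password are assumptions for illustration.

```ini
; Added example (not from the original thread): CustomSettings.ini on the deployment share.
; The join account needs only "Create Computer Objects" delegated on the target OU,
; not Domain Admins. The password sits here in clear text, so restrict the share ACL
; to the accounts that actually read it.
[Settings]
Priority=Default

[Default]
JoinDomain=XYX.ABC.DEF
DomainAdmin=svc-mdt-join
DomainAdminDomain=XYX
DomainAdminPassword=<join-account-password>
; Computer object is created here at join time instead of a staging OU
MachineObjectOU=OU=APPName,OU=Application,OU=Servers,DC=XYX,DC=ABC,DC=DEF
```

Because the object lands in the application OU at join time, the "Move server to AppName OU" step and the account it ran as can be removed from the task sequence entirely, which is the least-privilege outcome: one delegated join account, one place where its password lives.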

Thanks. I will post it to the deployment forum.
February 20th, 2015 4:19pm
