Thursday, February 3, 2011

"Correct" way to programmatically join a Windows 7 machine to the domain

What is the preferred method to programmatically join a Windows 7 machine to the domain?

I want to script this so that when a newly imaged machine is booted up it joins the domain. (I don't want to use Sysprep to do it as there are some other checks I want to run at the same time.)

As far as I can see, I can either use NetDom, or computer-add in PowerShell.

Both of these theoretically mean I have to install "extra stuff" on the image, though - either RSAT to use netdom (or I could manually copy just that command) or the AD cmdlets for computer-add.

Anyone have any experience of these, or which is the "better" way? I don't really want to leave the end users with admin tools on their machines.

Thanks in advance,

Ben

  • NETDOM.EXE is all you need. I'd just copy it over and be done with it.

    There's no danger in the user having NETDOM.EXE. The same functionality that NETDOM exposes is available in the GUI anyway. So long as the user doesn't have a domain credential with rights to join / disjoin computers from the domain they can't harm your AD with the NETDOM tool. Likewise, if the user isn't a local Administrator of the PC they can't use NETDOM to make the PC believe it's disjoined from the domain any more than using the GUI tools.

    Just be sure that you're not leaving credentials on the PC, post-imaging, that could give the user privileged access to the AD.

    Chris S : `netdom` is included with Windows 7 by default (in the business versions). Also just a note; by default **any domain user** can join a computer to your domain. Directions for disabling that: http://social.technet.microsoft.com/Forums/en/winserverDS/thread/72448623-3b87-45c4-812e-9a6e0bad6987
    Evan Anderson : @Chris S: Good call on NETDOM being included-- I didn't bother to look because I'm so used to copying it onto XP images as part of the pile of utility files that I end up installing on most XP images. re: any user joining computers to the domain - The user would still need "Administrator" rights on the local computer (which, hopefully, they don't have) to affect the computer's domain membership.
  • PowerShell is on by default in Windows 7, check the Add-Computer cmdlet.

    http://go.microsoft.com/fwlink/?LinkID=135194

    From Shay Levy
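A first-boot join script built on the `Add-Computer` cmdlet mentioned above, written so that no credential is stored on the image. This is an added example, not code from the original thread; the domain name, OU path and log location are placeholders, and it assumes a technician types a join-only account at first boot rather than the script carrying a password.

```powershell
# Added example: first-boot domain join for a freshly imaged Windows 7 machine.
# Assumptions (not from the original thread): domain name, OU path and log path.
$DomainName = 'corp.example.com'                            # placeholder domain
$OUPath     = 'OU=Workstations,DC=corp,DC=example,DC=com'   # placeholder OU
$LogFile    = "$env:SystemRoot\Temp\domain-join.log"        # hypothetical log location

function Write-JoinLog([string]$Message) {
    "{0}  {1}" -f (Get-Date -Format s), $Message | Out-File -FilePath $LogFile -Append
}

# Changing domain membership needs local Administrator rights; stop early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-JoinLog 'Not elevated; aborting.'
    exit 1
}

# Idempotence: do nothing if an earlier run already joined the machine.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.PartOfDomain) {
    Write-JoinLog "Already a member of $($cs.Domain); nothing to do."
    exit 0
}

# Site-specific pre-join checks (the "other checks" from the question) go here.

# Prompt at run time so no password is ever written to the image or the script.
$cred = Get-Credential

try {
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred -ErrorAction Stop
    Write-JoinLog "Joined $DomainName as $env:COMPUTERNAME."
}
catch {
    Write-JoinLog "Join failed: $($_.Exception.Message)"
    exit 1
}
finally {
    # Drop the credential object so it does not linger in the session.
    Remove-Variable -Name cred -ErrorAction SilentlyContinue
}

Restart-Computer -Force   # domain membership takes effect after the reboot
```

The account entered at the prompt only needs the right to join computers in the target OU, which limits what is exposed if the password is observed during imaging.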
