Add computer account to Active Directory Group

[wibbe]

Hi,

I found out that this was a bit more tricky then expected.

I use ADS to deploy servers and ADS is using an agent on the remote servers to execute commands.
This service is running as system and can not be changed.

I need the the service to run a VBScript to join the computeraccount to some active directory groups.
But the Local System account does not have permissions in Active directory to do this.

I can mask username and password and send it to the ADS service over a secure channel, but I can not write a VBScript to use diffrent credentials.

I have tried write one script to use RunAs.exe to execute a secondary script that will perform the action. But I can not pass the password to the runas command. It is terminating before I can input keystrokes to the process.

I have also tried to use "impersonate" to create a connection to Active directory as the service account, but without success.

Does anyone have any good ides?
One limmitation is that it can not be any manual taskes, since this is running off houres and on a huge amount of servers in oure datacenter.

Best Regards
Wibbe

 

[mrmovie]

<qoute>"I use ADS to deploy servers and ADS is using an agent on the remote servers to execute commands.
This service is running as system and can not be changed."

the above statement is not true, change your ADS service to run under an account with the relevant priv;s, its sneaky to do but can be done... (using bmcp commands)

if not ADS comes with a runas command of its own "adsrunas" but you shouldnt need to use it

i would strongly advise against running ADS using system account, you have all sorts of issues with using softwarepools to run scripts from etc etc

 

[mrmovie]

sendkeys will only work if you set your service to run interactively with the desktop which is not the default.

 

[wibbe]

Thanks for the reply mrmovie.

To change the account for the ADS agent was oure primary solution, but it never reconnected to the ADS server again afterwards.

This was an attemt to find a workaround

I will check the "adsrunas" command you talked about.

 

[mrmovie]

'you need to do the following:
'bare in mind that E is a local drive on the ADS box
'when the box comes back up all should be working fine
'you need an account with the same creditials on your softwarepool so you can access scripts for pass through etc

<task doesReboot="false" timeout="0" description="creates adsagent passthrough account">
<command delivery="bmcp">E:\...\create_serviceaccount.vbs</command>
<parameters>
<parameter>adsagentacc</parameter>
<parameter>$controller.user.agentpwd$</parameter>
</parameters>
</task>

<task doesReboot="false" timeout="0" description="sets adsagent passthrough account">
<command>%systemdrive%\ntrights.exe</command>
<parameters>
<parameter>-u</parameter>
<parameter>adsagent_acc</parameter>
<parameter>+r</parameter>
<parameter>SeServiceLogonRight</parameter>
</parameters>
</task>

<task doesReboot="false" timeout="0" description="sets adsagent passthrough account">
<command delivery="bmcp">E:\.....\set_serviceaccount.vbs</command>
<parameters>
<parameter>.\adsagent_acc</parameter>
<parameter>$controller.user.agentpwd$</parameter>
</parameters>
</task>

<task doesReboot="true" timeout="0" description="Reboot">
<command>/bmonitor/reboot</command>
</task>
<task doesReboot="false" timeout="0" description="Boot to hard disk">
<command>/pxe/boot-hd</command>
</task>

 

[wibbe]

Ok.Thanks.
I will try that too.

The AdsRunAs was an easy solution as well.I have tried it and it worked fine.

/ Wibbe