ProblemYou want to join a computer to a domain after the computer account has already been created in Active Directory. SolutionUsing a graphical user interface
Using a command-line interfaceRun the following command to join a computer to a domain: > netdom join <ComputerName> /Domain <DomainName> /UserD <DomainUserUPN> /PasswordD * /UserO <ComputerAdminUser> /PasswordO * /Reboot Using VBScript' This code joins a computer to a domain. ' The JoinDomainOrWorkGroup( ) method was introducted in Windows XP ' so this code works only against Windows XP and Windows Server 2003. ' ------ SCRIPT CONFIGURATION ------ strComputer = "<ComputerName>" ' e.g. joe-xp strDomain = "<DomainName>" ' e.g. rallencorp.com strDomainUser = "<DomainUserUPN>" ' e.g. administrator@rallencorp.com strDomainPasswd = "<DomainUserPasswd>" strLocalUser = "<ComputerAdminUser>" ' e.g. administrator strLocalPasswd = "<ComputerUserPasswd>" ' ------ END CONFIGURATION --------- '######################## ' Constants '######################## Const JOIN_DOMAIN = 1 Const ACCT_CREATE = 2 Const ACCT_DELETE = 4 Const WIN9X_UPGRADE = 16 Const DOMAIN_JOIN_IF_JOINED = 32 Const JOIN_UNSECURE = 64 Const MACHINE_PASSWORD_PASSED = 128 Const DEFERRED_SPN_SET = 256 Const INSTALL_INVOCATION = 262144 '########################### ' Connect to Computer '########################### set objWMILocator = CreateObject("WbemScripting.SWbemLocator") objWMILocator.Security_.AuthenticationLevel = 6 set objWMIComputer = objWMILocator.ConnectServer(strComputer, _ "root\cimv2", _ strLocalUser, _ strLocalPasswd) set objWMIComputerSystem = objWMIComputer.Get( _ "Win32_ComputerSystem.Name='" & _ strComputer & "'") '########################### ' Join Computer '########################### rc = objWMIComputerSystem.JoinDomainOrWorkGroup(strDomain, _ strDomainPasswd, _ strDomainUser, _ vbNullString, _ JOIN_DOMAIN) if rc <> 0 then WScript.Echo "Join failed with error: " & rc else WScript.Echo "Successfully joined " & strComputer & " to " & strDomain end if DiscussionBefore you can join a computer to Active Directory, you must first create a computer account for it as described in Recipe 15.14. At that point you can join the computer to the domain. Using a graphical user interfaceIf you have the correct permissions in Active Directory, you can actually create a computer account at the same time as you join it to a domain via the instructions described in the GUI solution. Since the System applet doesn't let you specify an organizational unit for the computer account, if it needs to create a computer account it will do so in the default Computers container (cn=computers). Using a command-line interfaceThe netdom command attempts to create a computer account for the computer during the join operation if one does not already exist. An optional /OU switch can be included to specify the organizational unit in which to create the computer account. To do so you'll need to have permission to create and manage computer accounts in the OU. There are some restrictions on running the netdom join command against a remote computer. If a Windows XP machine has the ForceGuest security policy setting enabled, you cannot join it remotely. Running the netdom command directly on the machine works regardless of the ForceGuest setting. Using VBScriptIn order for the Win32_ComputerSystem::JoinDomainOrWorkGroup method to work remotely, you have to use an AuthenticationLevel equal to 6 so that the traffic between the two machines (namely the passwords) is encrypted. You can also create computer accounts using JoinDomainOrWorkGroup by including the ACCT_CREATE flag in combination with JOIN_DOMAIN. Just like with the netdom utility, you cannot run this script against a remote computer if that computer has the ForceGuest setting enabled. See AlsoMore information on the ForceGuest setting can be found here: http://www.microsoft.com/technet/prodtechnol/winxppro/reskit/prde_ffs_ypuh.asp, MS KB 238793 (Enhanced Security Joining or Resetting Machine Account in Windows 2000 Domain), MS KB 251335 (Domain Users Cannot Join Workstation or Server to a Domain), MS KB 290403 (How to Set Security in Windows XP Professional That Is Installed in a Workgroup), MSDN: Win32_ComputerSystem::JoinDomainOrWorkgroup, and MSDN: NetJoinDomain |