
I was wondering if it’s possible to make an unattended Domain Join in Windows. Let’s say I have my computer object set up in my Active Directory. Each computer object has its own machine password. I was wondering, even though it’s not possible to read out this password, if it’s possible to use an unattend.xml file or a script that allows my PC to join the domain because the PC name is set up in the AD, so it reads out the machine password and connects. Thanks for any answers.

xmepl
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community May 31 '23 at 18:24

1 Answer


It's possible to do that, similarly to what you describe.

This question has been asked in various posts. Here is an example unattend.xml fragment that you may modify as required, as it will at least show you one solution for doing this:

<!-- Belongs in the oobeSystem pass, Microsoft-Windows-Shell-Setup component
     (which is where the wcm: prefix is declared); the commands run once,
     in <Order>, at the first interactive logon -->
<FirstLogonCommands>
    <!-- 1. Register the machine's A/PTR records in DNS -->
    <SynchronousCommand wcm:action="add">
        <CommandLine>ipconfig /registerdns</CommandLine>
        <Description>registerdns</Description>
        <Order>1</Order>
        <RequiresUserInput>true</RequiresUserInput>
    </SynchronousCommand>
    <!-- 2. Join the domain; Get-Credential and Read-Host both prompt, so this step is interactive -->
    <SynchronousCommand wcm:action="add">
        <Description>Join Domain</Description>
        <Order>2</Order>
        <RequiresUserInput>true</RequiresUserInput>
        <CommandLine>CMD /C &quot;powershell add-computer -domainname domain.wan -cred (get-credential domain.wan\todomainuser) -newname (Read-Host \&quot;PC new name\&quot;) -passthru -verbose;sleep 8&quot;</CommandLine>
    </SynchronousCommand>
    <!-- 3. Force a Group Policy refresh, answering "n" to the logoff/restart prompt -->
    <SynchronousCommand wcm:action="add">
        <CommandLine>CMD /C echo n | gpupdate /force</CommandLine>
        <Description>gpupdate /force</Description>
        <Order>3</Order>
        <RequiresUserInput>true</RequiresUserInput>
    </SynchronousCommand>
    <!-- 4. Trigger a Windows Update detection cycle -->
    <SynchronousCommand wcm:action="add">
        <CommandLine>wuauclt /resetauthorization /detectnow</CommandLine>
        <Description>Windows Update</Description>
        <Order>4</Order>
        <RequiresUserInput>false</RequiresUserInput>
    </SynchronousCommand>
</FirstLogonCommands>

You will need to change domain.wan\todomainuser to yours.

harrymc
  • That sounds great, but I do need a domain user account that has permission to join computers to the AD domain, right? Because I’m trying to do a "generic" domain join, so the PC is joined but somebody who gets this PC later on can add their own account – xmepl May 31 '23 at 20:47
  • What I’m trying to achieve is a domain join based on the existence of the PC name in the AD – xmepl May 31 '23 at 21:17
  • This script is just a framework that shows how this is done. You may modify it as you need - information is readily available. You might, for example, want to replace the `Read-Host` call by the [computer name](https://linuxhint.com/use-powershell-to-get-computer-name/). – harrymc Jun 01 '23 at 08:06
  • Thank you, but what I was wondering is if I still need the -cred option, as I want to avoid it. How would a command look that adds a PC to a domain using only the computer's machine name? – xmepl Jun 01 '23 at 09:33
  • Without `-Cred` the default is the current user, which needs to have the permission to join the computer to a new domain. – harrymc Jun 01 '23 at 13:37
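The thread above stops at the point the asker actually cares about: joining a machine whose computer object already exists, without an interactive credential prompt on that machine. Windows covers that case with offline domain join (djoin.exe), which the answer does not mention. The following is an added example, not code from the answerer or the asker: a provisioning step run once by a delegated administrator on a domain-joined workstation, producing a join blob for the pre-staged object, and the unattend.xml fragment that consumes it during the specialize pass so Setup joins with no user present. The domain name, machine name, file paths and the assumption that the blob file is UTF-16 text are placeholders and assumptions of this example.

```powershell
# Added example (not from the original answer): offline domain join against a
# pre-staged computer object. Domain, machine name and paths are placeholders.

# --- Step 1: run once on a domain-joined admin workstation, as an account that is
#     delegated the right to reset the pre-staged object's password on its OU ---
$Domain      = 'corp.example.com'            # placeholder
$MachineName = 'WS-0042'                     # must match the pre-staged computer object
$BlobPath    = "C:\odj\$MachineName.txt"     # placeholder; the blob is a credential

New-Item -ItemType Directory -Path (Split-Path $BlobPath) -Force | Out-Null

# /reuse resets the existing account's password instead of failing because the
# object already exists; without it djoin expects to create a new object.
djoin.exe /provision /domain $Domain /machine $MachineName /reuse /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# --- Step 2: embed the blob in unattend.xml (specialize pass) so Windows Setup
#     performs the join with no user and no domain credential on the target PC ---
# Assumption: the saved blob is UTF-16 text with a trailing NUL; strip both.
$Blob = (Get-Content -Path $BlobPath -Raw -Encoding Unicode).Trim([char]0, "`r", "`n", ' ')

$UnattendFragment = @"
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
           publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
    <Identification>
        <Provisioning>
            <AccountData>$Blob</AccountData>
        </Provisioning>
    </Identification>
</component>
"@
# Paste this fragment into the <settings pass="specialize"> section of the image's unattend.xml
Set-Content -Path "C:\odj\$MachineName-unattend-fragment.xml" -Value $UnattendFragment -Encoding UTF8

# --- Alternative to Step 2, for a machine that is already installed but not yet joined:
#     copy the blob there and run elevated; the join takes effect at the next reboot ---
# djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
```

Two design points follow from the comments in the thread. The account with join permission is only needed where djoin /provision runs, never on the PC being deployed, which is what the asker wanted to avoid; delegating "Reset password" on the target OU to that account is enough, and a Domain Admin is not required. The blob itself carries the machine account's password material, so the unattend.xml that embeds it should be removed from the deployed image once setup completes (Windows Setup does this for the cached copy when the Persist setting is not used), and the saved .txt should be deleted after deployment.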