Friday, June 19, 2015

Powershell: create workstation and delegate permissions to join in domain

In this article I show an example script that creates a computer account in Active Directory and delegates to the support team the permissions needed to join that computer to the domain. The script uses the "Quest ActiveRoles Management Shell for Active Directory" module. The current version of the module can be downloaded from Dell, or an older version (x64) from this link.
Please note that the computer's name is the plain name, while its SamAccountName carries a trailing "$". This is important: without the "$", adding the computer to the domain can fail with unexpected errors whose cause is far from obvious :) e.g.:

"The computer cannot be joined to the domain because there is not enough disk space"
"You have exceeded the maximum number of computer accounts you are allowed to create in this domain"
"Duplicate computer account in Active Directory"

# Load the Quest ActiveRoles snap-in (ignore the error if it is already loaded)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$pc_name = "PC001"
$OU = "blogspot.com/workstations"
# Support group that will receive the delegated rights on the new computer object
$add_domain_gr = Get-QADGroup "blogspot\support_team1" -Service dc1.blogspot.com

# A computer account's SamAccountName must end with "$"
$pc_name2 = $pc_name + "$"
New-QADComputer -Name $pc_name -SamAccountName $pc_name2 -ParentContainer $OU
# Give the directory time to write/replicate the new object before touching its ACL
Start-Sleep -s 30

# Rights required to join a pre-staged computer account to the domain:
# reset password, read/write account restrictions, validated writes to DNS host name and SPN
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -ExtendedRight 'User-Force-Change-Password' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'ReadProperty, WriteProperty' -PropertySet 'User-Account-Restrictions' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights Self -ValidatedWrite 'Validated-DNS-Host-Name' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights Self -ValidatedWrite 'Validated-SPN' -ApplyTo ThisObjectOnly
# Additional attributes the support team may edit on this object
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'ReadProperty, WriteProperty' -Property 'SAMAccountName' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'ReadProperty, WriteProperty' -Property 'DisplayName' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'ReadProperty, WriteProperty' -Property 'Description' -ApplyTo ThisObjectOnly
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'ReadProperty, WriteProperty' -PropertySet 'User-Logon' -ApplyTo ThisObjectOnly
# Note: Delete/DeleteTree are not needed for a domain join; grant them only if the team must also remove the object
Get-QADComputer -Name $pc_name | Add-QADPermission -Account $add_domain_gr -Rights 'DeleteTree, ExtendedRight, Delete, GenericRead' -ApplyTo ThisObjectOnly
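As an added example (not part of the original post), the following script verifies the delegation after the fact: it reads back the ACL of the computer object, checks that the four rights a domain join actually requires are present for the support group, confirms the SamAccountName ends with "$", and flags any explicit ACE that grants broader rights (Delete, DeleteTree, GenericAll, WriteDacl, WriteOwner). It assumes the built-in RSAT ActiveDirectory module rather than the Quest snap-in, and that the computer and group names are the ones used in the post; the extended-right and property-set GUIDs are resolved from the schema instead of being hard-coded.

```powershell
# Added example: audit the join delegation on a pre-staged computer object.
# Assumes the RSAT ActiveDirectory module; names below follow the post (assumption).
Import-Module ActiveDirectory

function Get-RightsGuid {
    # Resolve a controlAccessRight (extended right, property set or validated write)
    # to its rightsGuid from CN=Extended-Rights in the Configuration partition.
    param([Parameter(Mandatory)][string]$Cn)
    $base = "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)"
    $obj = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$Cn' not found in schema" }
    [Guid]$obj.rightsGuid
}

function Test-JoinDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $computer = Get-ADComputer -Identity $ComputerName -Properties sAMAccountName
    $groupSid = (Get-ADGroup -Identity $GroupName).SID

    # The post's trailing-"$" requirement: a computer's sAMAccountName must end with "$".
    if ($computer.sAMAccountName -notlike '*$') {
        Write-Warning "$ComputerName has sAMAccountName '$($computer.sAMAccountName)' without a trailing '$'"
    }

    # Minimum rights for joining a pre-staged account (reset password, account
    # restrictions, validated writes to dNSHostName and servicePrincipalName).
    $expected = @(
        @{ Name = 'Reset Password';                  Cn = 'User-Force-Change-Password'; Right = 'ExtendedRight' }
        @{ Name = 'Read/Write Account Restrictions'; Cn = 'User-Account-Restrictions';  Right = 'ReadProperty, WriteProperty' }
        @{ Name = 'Validated write DNS host name';   Cn = 'Validated-DNS-Host-Name';    Right = 'Self' }
        @{ Name = 'Validated write SPN';             Cn = 'Validated-SPN';              Right = 'Self' }
    )

    # Explicit (non-inherited) Allow ACEs for the group, keyed by SID so name resolution
    # does not matter.
    $acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $groupAces = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $groupSid -and $_.AccessControlType -eq 'Allow' }

    foreach ($e in $expected) {
        $guid  = Get-RightsGuid -Cn $e.Cn
        $right = [System.DirectoryServices.ActiveDirectoryRights]$e.Right
        $found = $groupAces | Where-Object {
            $_.ObjectType -eq $guid -and (($_.ActiveDirectoryRights -band $right) -eq $right)
        }
        [pscustomobject]@{
            Check  = $e.Name
            Status = if ($found) { 'OK' } else { 'MISSING' }
        }
    }

    # Anything beyond what a join needs is worth a second look (least privilege).
    $broad = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, GenericAll, WriteDacl, WriteOwner'
    foreach ($ace in $groupAces) {
        $excess = $ace.ActiveDirectoryRights -band $broad
        if ($excess -ne 0) {
            [pscustomobject]@{
                Check  = "Broad right granted: $excess"
                Status = 'REVIEW'
            }
        }
    }
}

# Usage with the names from the post (the group name is an assumption):
Test-JoinDelegation -ComputerName 'PC001' -GroupName 'support_team1' | Format-Table -AutoSize
```

Run it with an account that can read the object's security descriptor; a MISSING row means the join will fail for the support team, and a REVIEW row shows an explicit ACE (such as the Delete/DeleteTree grant in the script above) that goes beyond what a domain join needs.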
