top of page

Joining the Domain with a Script

Joining clients to a Windows Domain can be accomplished more securely with the following as it obfuscates the normally clear text password within the script. However this is not a secure method, it just hides the password in a couple of bin files and can be reverse-engineered.

This script works in 2 stages, the first creates the bin files from the password for the Domain join account. In this example, I'll use the complex and secure 'Password1111' ;)


Create obfuscated password bin files.




#Dont save script with password, type it, run the script and close without saving. 
$password = "Password1111"


#Convert to a secure string
$asSecure = $password | ConvertTo-SecureString -AsPlainText -Force

#Create new object, maxium bytes = 32

$key = New-Object byte[](32)

$rng =[System.Security.Cryptography.RNGCryptoServiceProvider]::Create()

$encrypt = ConvertFrom-SecureString -SecureString $asSecure -Key $key

#Out puts the password in the form of 2 .bin files. Keep these secure

$key | out-file "C:\SecureFolder\input.bin"
$encrypt | Out-File "C:\SecureFolder\output.bin"

Ensure the MDT Deployment Share's (%deployRoot%) share permissions are set correctly. Everyone and Authenticated Users should not be used, the MDT service account (svc_mdtuser) requires Read Share and NTFS permissions to %deployRoot%​. 

Under the MDT Deployment Share, open the 'Scripts' folder create a folder named 'Custom' and lastly create a folder  'DomainAdd'. 

Copy the 2 bin files to the 'DomainAdd' folder.

Copy the following PowerShell script to the 'DomainAdd' folder as well, name "DomainAdd.ps1"


Obfuscate password used to add computer to MDT




#Split-Path, defines the current folder the script is executing from

$path = $MyInvocation.MyCommand.path
$scriptName = "SecurePassword.ps1"

$folder = $path.trim($scriptName)

 #Get the content of the input.bin
$key = Get-Content $folder\input.bin

#Get the content of the output.bin
$encrypt = Get-Content $folder\output.bin

#Reverse the bin files.

$inputSecure = $encrypt | ConvertTo-SecureString -key $key
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($inputSecure)

$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

#Get hostname of client

$hn = hostname


#Name of Service Account with delegated rights to add workstations to an OU in the Domain
$username ="svc_wks_join"

#Domain Name and OU path
$DomainN = "Domain.Local"
$ouPath = "OU=workstations,DC=Domain,DC=Local"


#Secure string for password
$domPassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force


#Creates username and password credentials
$credential = New-Object System.Management.Automation.PSCredential ($username,$domPassword)

#Add computer to domain 

Add-Computer -ComputerName $hn -DomainName $DomainN -OUPath $ouPath -Credential $credential -ErrorAction SilentlyContinue

Create a PowerShell Script Task Sequence step and insert before the last reboot step in the Task Sequence.

Add the following string to reference the script location via the %scriptRoot% variable:


Any GPO that renames the administrator or adds a Welcome Messages will cause the MDT sequence to fail during reboots.

For full instructions on how to deploy from MDT (click here)

bottom of page