Joining the Domain with a Script
Joining clients to a Windows domain can be done a little more safely with the following approach, as it obfuscates the password that would otherwise sit in clear text inside the script. However, this is not a secure method: it only hides the password in a couple of .bin files, and anyone who can read both files can reverse the process and recover it.
The process works in two stages. The first script creates the .bin files from the password of the domain join account. In this example, I'll use the complex and secure 'Password1111' ;)
<#
.Synopsis
Create obfuscated password bin files.
.Description
Encrypts the domain join password with a random 32-byte AES key and writes the key and the ciphertext to two separate .bin files.
.Version
#>
#Don't save this script with the password in it: type it, run the script and close without saving.
$password = "Password1111"
#Convert to a secure string
$asSecure = $password | ConvertTo-SecureString -AsPlainText -Force
#Create a random 32-byte key (ConvertFrom-SecureString -Key accepts 16, 24 or 32 bytes, i.e. AES-128/192/256)
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
#Encrypt the secure string with the key (without -Key the output would be tied to this user and machine via DPAPI and unusable on the clients)
$encrypt = ConvertFrom-SecureString -SecureString $asSecure -Key $key
#Outputs the password in the form of 2 .bin files. Keep these secure: the key file decrypts the other one.
$key | Out-File "C:\SecureFolder\input.bin"
$encrypt | Out-File "C:\SecureFolder\output.bin"
Ensure the MDT Deployment Share's (%deployRoot%) share permissions are set correctly. Everyone and Authenticated Users should not be granted access; the MDT service account (svc_mdtuser) requires Read share and NTFS permissions on %deployRoot%.
Under the MDT Deployment Share, open the 'Scripts' folder, create a folder named 'Custom' inside it, and within that create a folder named 'DomainAdd'.
Copy the 2 bin files to the 'DomainAdd' folder.
Copy the following PowerShell script to the 'DomainAdd' folder as well and name it "DomainAdd.ps1".
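Because the .bin files are only as safe as the share that holds them, it is worth checking the deployment share's permissions rather than assuming them. The following is an added example (not part of the original post) that lists the share-level and NTFS entries on the deployment share, flags the broad principals the text warns against, and confirms the service account has a direct Allow entry. The share name 'DeploymentShare$', the path 'D:\DeploymentShare' and the account 'DOMAIN\svc_mdtuser' are placeholder assumptions; Get-SmbShareAccess needs the SmbShare module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post: audit a deployment share's ACLs.
# Share name, path and service account below are placeholder assumptions.

# Principals that should not appear with Allow entries on a deployment share
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Get-DeployShareAcl {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$SharePath
    )
    # Share-level entries (requires the SmbShare module)
    $share = Get-SmbShareAccess -Name $ShareName | ForEach-Object {
        [pscustomobject]@{
            Scope     = 'Share'
            Principal = $_.AccountName
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.AccessRight
        }
    }
    # NTFS entries on the folder itself (direct entries only; inherited ones are included)
    $ntfs = (Get-Acl -Path $SharePath).Access | ForEach-Object {
        [pscustomobject]@{
            Scope     = 'NTFS'
            Principal = $_.IdentityReference.Value
            Type      = [string]$_.AccessControlType
            Rights    = [string]$_.FileSystemRights
        }
    }
    @($share) + @($ntfs)
}

function Test-DeployShareAcl {
    param(
        [Parameter(Mandatory)][object[]]$Entries,
        [Parameter(Mandatory)][string]$ServiceAccount   # e.g. 'DOMAIN\svc_mdtuser'
    )
    $findings = @()
    foreach ($e in $Entries) {
        if ($e.Type -eq 'Allow' -and $BroadPrincipals -contains $e.Principal) {
            $findings += "$($e.Scope): broad principal '$($e.Principal)' is allowed $($e.Rights)"
        }
    }
    # The service account needs Read at both levels; this only looks for a direct entry,
    # so access granted through group membership will still be reported as missing.
    foreach ($scope in 'Share', 'NTFS') {
        $ok = $Entries | Where-Object { $_.Scope -eq $scope -and $_.Type -eq 'Allow' -and $_.Principal -eq $ServiceAccount }
        if (-not $ok) { $findings += "${scope}: service account '$ServiceAccount' has no direct Allow entry" }
    }
    return $findings
}

$entries  = Get-DeployShareAcl -ShareName 'DeploymentShare$' -SharePath 'D:\DeploymentShare'
$findings = Test-DeployShareAcl -Entries $entries -ServiceAccount 'DOMAIN\svc_mdtuser'
if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No over-broad share or NTFS entries found; service account has direct read access.'
}
```

Run it on the MDT server as an account that can read the share's security descriptor; every warning it prints is either a principal to remove or a missing entry for the service account.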
<#
.Synopsis
Obfuscate password used to add computer to the domain from MDT
.Description
Reads the key and encrypted password from the .bin files in the script's own folder, rebuilds the credential and joins the computer to the domain.
.Version
#>
#Split-Path returns the folder the script is executing from (String.Trim("DomainAdd.ps1") would strip characters, not the file name)
$path = $MyInvocation.MyCommand.Path
$folder = Split-Path -Parent $path
#Get the content of input.bin (the AES key, one byte per line)
[byte[]]$key = Get-Content "$folder\input.bin"
#Get the content of output.bin (the encrypted password)
$encrypt = Get-Content "$folder\output.bin"
#Reverse the bin files. Anyone who can read both files can do this too, which is why the share permissions matter.
$inputSecure = $encrypt | ConvertTo-SecureString -Key $key
#Get hostname of client
$hn = hostname
#Name of Service Account with delegated rights to add workstations to an OU in the Domain
$username = "svc_wks_join"
#Domain Name and OU path
$DomainN = "Domain.Local"
$ouPath = "OU=workstations,DC=Domain,DC=Local"
#Creates username and password credentials. The decrypted SecureString is used directly, so the password never needs to be turned back into plain text in memory.
$credential = New-Object System.Management.Automation.PSCredential ($username, $inputSecure)
#Add computer to domain. Errors are suppressed so the task sequence carries on; a failed join therefore only becomes visible after the reboot.
Add-Computer -ComputerName $hn -DomainName $DomainN -OUPath $ouPath -Credential $credential -ErrorAction SilentlyContinue
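Because -ErrorAction SilentlyContinue hides every reason a join can fail (wrong password in the .bin files, no delegation on the OU, DNS or time skew), a failed join is hard to diagnose after the sequence has rebooted. The following added example (not part of the original post) wraps the same Add-Computer call so the outcome is captured and written to a log file, and returns an object the task sequence step can act on. The log path, domain, OU and service account are placeholder assumptions; in DomainAdd.ps1 the credential would come from the .bin files as above rather than from the placeholder password shown here.

```powershell
# Added example, not from the original post: domain join with logged outcome.
# Domain, OU, account, log path and the placeholder password are assumptions.

function Invoke-VerifiedDomainJoin {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$OUPath,
        [string]$LogPath = "$env:SystemRoot\Temp\DomainAdd.log"
    )

    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        DomainName   = $DomainName
        Succeeded    = $false
        Message      = ''
    }

    try {
        # -PassThru returns a ComputerChangeInfo object; -ErrorAction Stop makes every failure catchable
        $change = Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $Credential -PassThru -ErrorAction Stop
        $result.Succeeded = [bool]$change.HasSucceeded
        $result.Message   = "Add-Computer reported HasSucceeded=$($change.HasSucceeded)"
    }
    catch {
        # Typical causes: wrong password in the .bin files, missing delegation on the OU, DNS or time skew
        $result.Message = $_.Exception.Message
    }

    # Secondary, informational check: the machine may already report the new domain before the reboot,
    # but HasSucceeded above is the authoritative result.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.PartOfDomain   = $cs.PartOfDomain
    $result.ReportedDomain = $cs.Domain

    $line = '{0:u} {1} join to {2}: Succeeded={3} PartOfDomain={4} ({5})' -f `
        (Get-Date), $result.ComputerName, $DomainName, $result.Succeeded, $result.PartOfDomain, $result.Message
    Add-Content -Path $LogPath -Value $line

    return [pscustomobject]$result
}

# Example invocation with placeholder values (in DomainAdd.ps1 the credential comes from the .bin files)
$username   = 'svc_wks_join'
$secure     = ConvertTo-SecureString 'PLACEHOLDER_PASSWORD' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $secure)
$outcome    = Invoke-VerifiedDomainJoin -Credential $credential -DomainName 'Domain.Local' -OUPath 'OU=workstations,DC=Domain,DC=Local'

# A non-zero exit code makes the MDT step fail visibly instead of continuing with an unjoined machine;
# drop this line if the sequence should carry on regardless.
if (-not $outcome.Succeeded) { exit 1 }
```

The log line ends up in %SystemRoot%\Temp\DomainAdd.log on the client, so it survives the reboot and can be collected alongside the MDT logs when a machine turns up unjoined.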
Create a PowerShell Script Task Sequence step and insert it before the last reboot step in the Task Sequence.
Add the following string to reference the script location via the %scriptRoot% variable:
"%scriptroot%\Custom\DomainAdd\DomainAdd.ps1"
Any GPO that renames the Administrator account or adds a logon welcome message will cause the MDT sequence to fail during reboots.
For full instructions on how to deploy from MDT (click here)