Joining the Domain with a Script
​
Joining clients to a Windows Domain with the following script avoids keeping the join account's password in clear text inside the script. Be clear about what that buys you: it is obfuscation, not protection. The password is encrypted with a random AES key, but the key is stored in a .bin file next to the encrypted .bin file, so anyone who can read both files (every account with Read access to the deployment share, including the MDT service account whose credentials are themselves stored in clear text in Bootstrap.ini on the boot media) can recover the password in a few lines of PowerShell. Treat the join account accordingly: it should have no rights beyond creating and joining computer objects in the target OU.

This script works in two stages. The first creates the bin files from the password of the Domain join account. In this example, I'll use the complex and secure 'Password1111' ;)

<#
.Synopsis
Create obfuscated password bin files.

.Description
Prompts for the password of the domain join account, encrypts it with a random
256-bit AES key and writes the key and the ciphertext to two .bin files.
ConvertFrom-SecureString -Key accepts a 16, 24 or 32 byte key (AES-128/192/256).

.Version
#>
# Prompt for the password instead of hard-coding it, so it never lands in a
# saved script, the console history or a PowerShell transcript.
$asSecure = Read-Host -Prompt "Password for the domain join account" -AsSecureString

# Generate a random 32-byte (256-bit) key with a cryptographic RNG.
$key = New-Object byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($key)
$rng.Dispose()

# Encrypt the secure string with the key (AES). Without -Key this would use
# DPAPI, bound to this user and machine, and could not be decrypted on the client.
$encrypt = ConvertFrom-SecureString -SecureString $asSecure -Key $key

# Write the key and the ciphertext out as two .bin files. Whoever can read both
# can recover the password, so keep the folder locked down.
New-Item -ItemType Directory -Path "C:\SecureFolder" -Force | Out-Null
$key | Out-File "C:\SecureFolder\input.bin"
$encrypt | Out-File "C:\SecureFolder\output.bin"

​
Ensure the MDT Deployment Share's (%deployRoot%) share and NTFS permissions are set correctly. Do not grant Everyone or Authenticated Users; the MDT service account (svc_mdtuser) needs Read on both the share and the NTFS folder of %deployRoot%, and nothing more. Remember that this account's credentials are embedded in clear text in the boot image's Bootstrap.ini, so anyone who obtains the boot media can read the share as that account, including the two bin files below.
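
As an added example (not part of the original page), the following PowerShell audit checks a deployment share's share-level and NTFS ACLs for the broad groups mentioned above and reports what the service account actually holds. The share name 'DeploymentShare$' and the account name 'DOMAIN\svc_mdtuser' are assumptions; adjust them to your environment. Run it on the server hosting the share.

```powershell
# Added example: audit share-level and NTFS permissions on an MDT deployment
# share. Assumed names: share 'DeploymentShare$', account 'DOMAIN\svc_mdtuser'.
param(
    [string]$ShareName      = 'DeploymentShare$',
    [string]$ServiceAccount = 'DOMAIN\svc_mdtuser'
)

# Groups that must not appear on either ACL
$broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

$share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
$findings = 0

Write-Host "Share permissions on \\$env:COMPUTERNAME\$ShareName"
foreach ($ace in Get-SmbShareAccess -Name $ShareName) {
    $flag = ''
    if ($broad -contains $ace.AccountName) { $flag = '  <-- remove'; $findings++ }
    Write-Host ('  {0,-40} {1,-6} {2}{3}' -f $ace.AccountName, $ace.AccessControlType, $ace.AccessRight, $flag)
}

Write-Host "NTFS permissions on $($share.Path)"
$acl = Get-Acl -Path $share.Path
foreach ($ace in $acl.Access) {
    $id   = $ace.IdentityReference.Value
    $flag = ''
    if ($broad -contains $id) { $flag = '  <-- remove'; $findings++ }
    Write-Host ('  {0,-40} {1,-6} {2}{3}' -f $id, $ace.AccessControlType, $ace.FileSystemRights, $flag)
}

# The service account needs Read only. Write/Modify would let anyone holding the
# Bootstrap.ini credentials alter the scripts every client runs, DomainAdd.ps1 included.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$svcAllow  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow'
}
if (-not $svcAllow) {
    Write-Warning "$ServiceAccount has no NTFS Allow entry on $($share.Path)"; $findings++
} elseif ($svcAllow | Where-Object { ($_.FileSystemRights -band $writeMask) -ne 0 }) {
    Write-Warning "$ServiceAccount has Write rights on $($share.Path); Read is sufficient"; $findings++
}

if ($findings -eq 0) { Write-Host 'No findings.' } else { Write-Host "$findings finding(s)." }
```

Entries flagged '<-- remove' are the ones the paragraph above warns against. Inherited NTFS entries (for example BUILTIN\Users on the volume root) are a common way Authenticated Users end up with read access to the bin files without anyone having granted it on the share itself.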
​
Under the MDT Deployment Share, open the 'Scripts' folder, create a folder named 'Custom' and, inside it, a folder named 'DomainAdd'.

Copy the 2 bin files to the 'DomainAdd' folder.

Copy the following PowerShell script to the 'DomainAdd' folder as well and name it "DomainAdd.ps1":

<#
.Synopsis
Join the computer to the domain using the obfuscated password created earlier.

.Description
Reads input.bin (AES key) and output.bin (encrypted password) from the folder
this script runs from, rebuilds the SecureString and hands it to Add-Computer.
The password is never converted back to clear text inside this script.

.Version
#>
# Folder the script is executing from. $PSScriptRoot is set automatically for
# scripts (PowerShell 3.0+); Split-Path on the invocation path is the fallback.
# (String.Trim() with the script name would strip characters, not the name.)
$folder = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }

# Get the key from input.bin (one byte per line, as written by Out-File)
$key = [byte[]](Get-Content (Join-Path $folder 'input.bin') | Where-Object { $_ -ne '' })

# Get the encrypted password from output.bin
$encrypt = (Get-Content (Join-Path $folder 'output.bin') | Where-Object { $_ -ne '' }) -join ''

# Reverse the bin files straight into a SecureString. PSCredential accepts it
# as-is, so there is no need to round-trip through a BSTR and a clear-text string.
$domPassword = $encrypt | ConvertTo-SecureString -Key $key

# Domain name and OU path
$DomainN = "Domain.Local"
$ouPath  = "OU=workstations,DC=Domain,DC=Local"

# Domain-qualified name of the service account with delegated rights to create
# and join computer objects in that OU (and nothing else)
$username = "$DomainN\svc_wks_join"

# Create the credential object
$credential = New-Object System.Management.Automation.PSCredential ($username, $domPassword)

# Add the local computer to the domain. Do not silence errors: a failed join
# must be visible in the task sequence logs (BDD.log / SMSTS.log) and fail the step.
try {
    Add-Computer -DomainName $DomainN -OUPath $ouPath -Credential $credential -ErrorAction Stop
    Write-Output "Joined $env:COMPUTERNAME to $DomainN in $ouPath"
} catch {
    Write-Error "Domain join of $env:COMPUTERNAME failed: $($_.Exception.Message)"
    exit 1
}

​
Create a 'Run PowerShell Script' Task Sequence step and insert it before the last reboot step in the Task Sequence, so that the machine comes back up from that reboot as a domain member.

Add the following string to reference the script location via the %scriptRoot% variable:

"%scriptroot%\Custom\DomainAdd\DomainAdd.ps1"

Any GPO that renames the built-in Administrator account or configures an interactive logon message (legal notice) will cause the MDT sequence to fail during reboots, because the task sequence relies on automatic logon as the local Administrator to continue after each restart, and a logon message prompt blocks that automatic logon.
For full instructions on how to deploy from MDT, see the separate MDT deployment guide.