I've got three users.
User A: Domain Admin in Domain A
User B: Domain Admin in Domain B
User C: Local Admin on computer that is being migrated (this user creates the
elevated session)
I do the following:
$script:session = New-PSSession -Credential $credUserC -ComputerName localhost
Invoke-Command -Session $session -ScriptBlock {
    Add-Computer -ComputerName localhost -Credential $args[0] -DomainName $args[1] -UnjoinDomainCredential $args[2]
} -ArgumentList $credUserB, $DomainName, $credUserA
This doesn't work.
Strange issue.
From: Daniel Ratliff
Reply-To: <[email protected]>
Date: Tuesday, 14 April 2015 8:16 pm
To: "'[email protected]'", "'[email protected]'"
Subject: RE: [mssms] Domain join via Add-Computer or WMI
Didn't read through all the logs, but is user a DA in domain a? Once you
disjoin domain a, wouldn't they lose all admin? You need a local account to
join domain b?
-----Original Message-----
From: David O'Brien [[email protected]]
Sent: Tuesday, April 14, 2015 04:01 AM Eastern Standard Time
To: [email protected]
Subject: [mssms] Domain join via Add-Computer or WMI
Hi,
Slightly OT, but maybe someone has seen this before.
I have to "migrate" a computer from Domain A to Domain B, trigger for that is a
User logging in, so we are executing this from a Logon script.
The issue I'm seeing is that in my tests now the unjoin from Domain A works
fine (which implies that all local permissions are ok and elevation of the
script works, logged on user does not have permissions in this case, hence we
need elevation), but the join fails with this.
PSFTW\adobrien is the user used for elevation and is now a member of Domain
Admins and Local Admins.
Seen this before? Why is it mentioning "Offline Domain Join"? Why did it fail
to load the registry hive?
Thanks,
David
04/14/2015 17:40:31:908 NetpDoDomainJoin
04/14/2015 17:40:31:908 NetpMachineValidToJoin: 'WIN7002'
04/14/2015 17:40:31:908 OS Version: 6.1
04/14/2015 17:40:31:908 Build number: 7601 (7601.win7sp1_ldr.130828-1532)
04/14/2015 17:40:31:908 ServicePack: Service Pack 1
04/14/2015 17:40:31:908 SKU: Windows 7 Enterprise
04/14/2015 17:40:31:908 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status:
0x0
04/14/2015 17:40:31:908 NetpGetLsaPrimaryDomain: status: 0x0
04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
04/14/2015 17:40:31:908 NetpJoinDomain
04/14/2015 17:40:31:908 Machine: WIN7002
04/14/2015 17:40:31:908 Domain: psftw.local
04/14/2015 17:40:31:908 MachineAccountOU: (NULL)
04/14/2015 17:40:31:908 Account: psftw\adobrien
04/14/2015 17:40:31:908 Options: 0x17
04/14/2015 17:40:31:908 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not
found, defaulting to '1' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: DomainCompatibilityMode not found,
defaulting to '0' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
04/14/2015 17:40:31:908 NetpValidateName: checking to see if 'psftw.local' is
valid as type 3 name
04/14/2015 17:40:32:033 NetpCheckDomainNameIsValid [ Exists ] for 'psftw.local'
returned 0x0
04/14/2015 17:40:32:033 NetpValidateName: name 'psftw.local' is valid for type 3
04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain
'psftw.local', flags: 0x40001010
04/14/2015 17:40:32:143 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:32:143 NetpLoadParameters: DNSNameResolutionRequired not
found, defaulting to '1' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: DomainCompatibilityMode not found,
defaulting to '0' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: status: 0x2
04/14/2015 17:40:32:143 NetpDsGetDcName: status of verifying DNS A record name
resolution for 'adds.psftw.local': 0x0
04/14/2015 17:40:32:143 NetpDsGetDcName: found DC '\\adds.psftw.local' in the
specified domain
04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc
'\\adds.psftw.local': 0x0
04/14/2015 17:40:32:205 NetpProvisionComputerAccount:
04/14/2015 17:40:32:205 lpDomain: psftw.local
04/14/2015 17:40:32:205 lpMachineName: WIN7002
04/14/2015 17:40:32:205 lpMachineAccountOU: (NULL)
04/14/2015 17:40:32:205 lpDcName: adds.psftw.local
04/14/2015 17:40:32:205 lpDnsHostName: (NULL)
04/14/2015 17:40:32:205 lpMachinePassword: (null)
04/14/2015 17:40:32:205 lpAccount: psftw\adobrien
04/14/2015 17:40:32:205 lpPassword: (non-null)
04/14/2015 17:40:32:205 dwJoinOptions: 0x17
04/14/2015 17:40:32:205 dwOptions: 0x40000003
04/14/2015 17:40:32:252 NetpLdapBind: Verified minimum encryption strength on
adds.psftw.local: 0x0
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: reading domain data
04/14/2015 17:40:32:252 NetpGetNCData: Reading NC data
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup domain data for:
DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup crossref data for:
CN=Partitions,CN=Configuration,DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: result of retrieving
domain data: 0x0
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking DNS domain name
psftw.local/ into Netbios on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: name = PSFTW\
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking account name
PSFTW\WIN7002$ on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: (Account
already exists) DN = CN=WIN7002,OU=Servers,DC=psftw,DC=local
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Initial attribute values:
04/14/2015 17:40:32:283 objectClass = Computer
04/14/2015 17:40:32:283 SamAccountName = WIN7002$
04/14/2015 17:40:32:283 userAccountControl = 0x1000
04/14/2015 17:40:32:283 DnsHostName = WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName = HOST/WIN7002.psftw.local
RestrictedKrbHost/WIN7002.psftw.local HOST/WIN7002 RestrictedKrbHost/WIN7002
04/14/2015 17:40:32:283 unicodePwd = <SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Computer Object already
exists in OU:
04/14/2015 17:40:32:283 objectClass = top person organizationalPerson user
computer
04/14/2015 17:40:32:283 SamAccountName = WIN7002$
04/14/2015 17:40:32:283 userAccountControl = 0x1000
04/14/2015 17:40:32:283 DnsHostName = WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName = WSMAN/WIN7002
WSMAN/WIN7002.psftw.local RestrictedKrbHost/WIN7002 HOST/WIN7002
RestrictedKrbHost/WIN7002.psftw.local HOST/WIN7002.psftw.local
04/14/2015 17:40:32:283 unicodePwd = Account exists, resetting password:
<SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Attribute values to set:
04/14/2015 17:40:32:283 unicodePwd = <SomePassword>
04/14/2015 17:40:32:424 NetpModifyComputerObjectInDs: Toggled
UserAccountControl successfully
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: Encoding provisioning data
04/14/2015 17:40:32:424 NetpInitBlobWin7: Constructing blob...
04/14/2015 17:40:32:424 Blob version: 1
04/14/2015 17:40:32:424 lpDomain: psftw.local
04/14/2015 17:40:32:424 lpMachineName: WIN7002
04/14/2015 17:40:32:424 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:424 DomainDnsPolicy:
04/14/2015 17:40:32:424 Name: PSFTW
04/14/2015 17:40:32:424 DnsDomainName: psftw.local
04/14/2015 17:40:32:424 DnsForestName: psftw.local
04/14/2015 17:40:32:424 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424 Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:424 DcInfo:
04/14/2015 17:40:32:424 DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:424 DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:424 DomainControllerAddressType: 1
04/14/2015 17:40:32:424 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424 DomainName: psftw.local
04/14/2015 17:40:32:424 DnsForestName: psftw.local
04/14/2015 17:40:32:424 Flags: 0xe000f3fd
04/14/2015 17:40:32:424 DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424 ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424 Options: 0x40000003
04/14/2015 17:40:32:424 NetpInitBlobWin7: Blob pickling result: 0
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: result: 0x0
04/14/2015 17:40:32:424 ldap_unbind status: 0x0
04/14/2015 17:40:32:440 NetpRequestOfflineDomainJoin:
04/14/2015 17:40:32:440 dwProvisionBinDataSize: 912
04/14/2015 17:40:32:440 JoinOptions: 0x17
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 lpWindowsPath: C:\WINDOWS
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Unpickling provisioning
blob with size 912 bytes
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Searching 1 blobs for
supported ODJ blob, highest supported version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
04/14/2015 17:40:32:440 Blob version: 1
04/14/2015 17:40:32:440 lpDomain: psftw.local
04/14/2015 17:40:32:440 lpMachineName: WIN7002
04/14/2015 17:40:32:440 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:440 DomainDnsPolicy:
04/14/2015 17:40:32:440 Name: PSFTW
04/14/2015 17:40:32:440 DnsDomainName: psftw.local
04/14/2015 17:40:32:440 DnsForestName: psftw.local
04/14/2015 17:40:32:440 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440 Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:440 DcInfo:
04/14/2015 17:40:32:440 DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:440 DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:440 DomainControllerAddressType: 1
04/14/2015 17:40:32:440 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440 DomainName: psftw.local
04/14/2015 17:40:32:440 DnsForestName: psftw.local
04/14/2015 17:40:32:440 Flags: 0xe000f3fd
04/14/2015 17:40:32:440 DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440 ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin: Setting backup/restore
privileges
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin
04/14/2015 17:40:32:440 lpLocalRegistryPath: C:\WINDOWS\system32\config\SYSTEM
04/14/2015 17:40:32:440 dwOptions: 0x40000003
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Translating provisioning
data to internal format
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Selecting version 1
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: exiting: 0x0
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the
hive C:\WINDOWS\system32\config\SYSTEM: 0x522
04/14/2015 17:40:32:440 NetpClearFullJoinState: Removing cached state from the
registry...
04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join state
key 0x6
04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate the
offline domain join 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: Function exits with status of: 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: status of disconnecting from
'\\adds.psftw.local': 0x0
04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
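Added example (not part of the thread, and not code from any of the posters): a PowerShell helper that pulls the non-zero status codes out of a NetSetup.log like the one quoted above and names them, skipping bit-mask fields such as Options and Flags. `Get-NetSetupFailure` and `$KnownStatus` are names invented for this example; the sample lines are copied from the log above with the mail line-wrapping undone.

```powershell
# Added example, not from the thread. Status names are from winerror.h / lmerr.h.
$KnownStatus = @{
    '0x2'   = 'ERROR_FILE_NOT_FOUND'      # 2
    '0x6'   = 'ERROR_INVALID_HANDLE'      # 6
    '0x522' = 'ERROR_PRIVILEGE_NOT_HELD'  # 1314
    '0xa9d' = 'NERR_CantLoadOfflineHive'  # 2717
}

function Get-NetSetupFailure {
    param([Parameter(Mandatory = $true)][string[]]$Line)
    # Match only lines that report an outcome (status / failed / returned).
    # Fields such as "Options:" or "Flags:" carry bit masks, not error codes.
    $pattern = '^(?<ts>\S+ \S+) (?<fn>\w+): (?<msg>.*\b(?:status|failed|returned)\b.*?)\s*(?<code>0x[0-9a-f]+)\s*$'
    foreach ($l in $Line) {
        if ($l -match $pattern) {
            $m     = $Matches
            $value = [Convert]::ToInt32($m['code'], 16)
            if ($value -eq 0) { continue }          # 0x0 means success
            $key  = '0x{0:x}' -f $value
            $name = $KnownStatus[$key]
            if (-not $name) {
                # Fall back to the system message text for codes not in the table
                $name = (New-Object ComponentModel.Win32Exception $value).Message
            }
            [pscustomobject]@{
                Time = $m['ts']; Function = $m['fn']
                Code = $key; Name = $name; Detail = $m['msg'].Trim()
            }
        }
    }
}

# Sample input: lines copied from the log in the thread, unwrapped
$sample = @(
    '04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2'
    '04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0'
    '04/14/2015 17:40:32:440 dwOptions: 0x40000003'
    '04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522'
    '04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join state key 0x6'
    '04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d'
    '04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d'
)
Get-NetSetupFailure -Line $sample | Format-Table -AutoSize
# Against the real file: Get-NetSetupFailure -Line (Get-Content "$env:windir\debug\NetSetup.LOG")
```

Run over the log above, the first failure on the join path is 0x522 (ERROR_PRIVILEGE_NOT_HELD) from RegLoadKeyW, followed by 0x6 from the cleanup step, and 0xa9d (NERR_CantLoadOfflineHive) is the status the join then returns. The 0x2 from NetpLoadParameters sits next to the "not found, defaulting to" messages for the two registry parameters and is followed by steps that succeed.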