I am not doing offline domain join, I reckon that is just what the log says.

And I am using an account that is a machine local account (User C).

Sent from my Windows Phone
________________________________
From: elsalvoz<mailto:[email protected]>
Sent: 14/04/2015 9:35 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: [mssms] Domain join via Add-Computer or WMI

What Daniel is referring to is local to the system: once a system disjoins a
domain, domain accounts do not have local permission.

You need to use system local administration or an account with local
administration privilege during the rejoin.

This is the process to manually rejoin a system to a domain but I have
never done offline join before.

Cesar A
On Apr 14, 2015 3:51 AM, "David O'Brien" <[email protected]> wrote:

> I've got three users.
>
> User A: Domain Admin in Domain A
> User B: Domain Admin in Domain B
> User C: Local Admin on computer that is being migrated (this user creates
> the elevated session)
>
> I do the following:
>
> $script:session = New-PSSession -Credential $credUserC -ComputerName localhost
> Invoke-Command -Session $session -ScriptBlock { Add-Computer -ComputerName localhost -Credential $args[0] -DomainName $args[1] -UnjoinDomainCredential $args[2] } -ArgumentList $credUserB, $DomainName, $credUserA
>
> This doesn't work.
>
> Strange issue.
>
> From: Daniel Ratliff
> Reply-To: <[email protected]>
> Date: Tuesday, 14 April 2015 8:16 pm
> To: "'[email protected]'", "'[email protected]'"
> Subject: RE: [mssms] Domain join via Add-Computer or WMI
>
> Didn't read through all the logs, but is user a DA in domain a? Once you
> disjoin domain a, wouldn't they lose all admin? You need a local account to
> join domain b?
>
> -----Original Message-----
> *From: *David O'Brien [[email protected]]
> *Sent: *Tuesday, April 14, 2015 04:01 AM Eastern Standard Time
> *To: *[email protected]
> *Subject: *[mssms] Domain join via Add-Computer or WMI
>
> Hi,
>
> Slightly OT, but maybe someone has seen this before.
>
> I have to "migrate" a computer from Domain A to Domain B, trigger for that
> is a User logging in, so we are executing this from a Logon script.
> The issue I'm seeing is that in my tests now the unjoin from Domain A
> works fine (which implies that all local permissions are ok and elevation
> of the script works, logged on user does not have permissions in this case,
> hence we need elevation), but the join fails with this.
> PSFTW\adobrien is the user used for elevation and is now a member of
> Domain Admins and Local Admins.
>
> Seen this before? Why is it mentioning "Offline Domain Join"? Why did it
> fail to load the registry hive?
>
> Thanks,
> David
>
> 04/14/2015 17:40:31:908 NetpDoDomainJoin
> 04/14/2015 17:40:31:908 NetpMachineValidToJoin: 'WIN7002'
> 04/14/2015 17:40:31:908 OS Version: 6.1
> 04/14/2015 17:40:31:908 Build number: 7601 (7601.win7sp1_ldr.130828-1532)
> 04/14/2015 17:40:31:908 ServicePack: Service Pack 1
> 04/14/2015 17:40:31:908 SKU: Windows 7 Enterprise
> 04/14/2015 17:40:31:908 NetpDomainJoinLicensingCheck: ulLicenseValue=1,
> Status: 0x0
> 04/14/2015 17:40:31:908 NetpGetLsaPrimaryDomain: status: 0x0
> 04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
> 04/14/2015 17:40:31:908 NetpJoinDomain
> 04/14/2015 17:40:31:908 Machine: WIN7002
> 04/14/2015 17:40:31:908 Domain: psftw.local
> 04/14/2015 17:40:31:908 MachineAccountOU: (NULL)
> 04/14/2015 17:40:31:908 Account: psftw\adobrien
> 04/14/2015 17:40:31:908 Options: 0x17
> 04/14/2015 17:40:31:908 NetpLoadParameters: loading registry parameters...
> 04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not
> found, defaulting to '1' 0x2
> 04/14/2015 17:40:31:908 NetpLoadParameters: DomainCompatibilityMode not
> found, defaulting to '0' 0x2
> 04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
> 04/14/2015 17:40:31:908 NetpValidateName: checking to see if 'psftw.local'
> is valid as type 3 name
> 04/14/2015 17:40:32:033 NetpCheckDomainNameIsValid [ Exists ] for
> 'psftw.local' returned 0x0
> 04/14/2015 17:40:32:033 NetpValidateName: name 'psftw.local' is valid for
> type 3
> 04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain
> 'psftw.local', flags: 0x40001010
> 04/14/2015 17:40:32:143 NetpLoadParameters: loading registry parameters...
> 04/14/2015 17:40:32:143 NetpLoadParameters: DNSNameResolutionRequired not
> found, defaulting to '1' 0x2
> 04/14/2015 17:40:32:143 NetpLoadParameters: DomainCompatibilityMode not
> found, defaulting to '0' 0x2
> 04/14/2015 17:40:32:143 NetpLoadParameters: status: 0x2
> 04/14/2015 17:40:32:143 NetpDsGetDcName: status of verifying DNS A record
> name resolution for 'adds.psftw.local': 0x0
> 04/14/2015 17:40:32:143 NetpDsGetDcName: found DC '\\adds.psftw.local' in
> the specified domain
> 04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc
> '\\adds.psftw.local': 0x0
> 04/14/2015 17:40:32:205 NetpProvisionComputerAccount:
> 04/14/2015 17:40:32:205 lpDomain: psftw.local
> 04/14/2015 17:40:32:205 lpMachineName: WIN7002
> 04/14/2015 17:40:32:205 lpMachineAccountOU: (NULL)
> 04/14/2015 17:40:32:205 lpDcName: adds.psftw.local
> 04/14/2015 17:40:32:205 lpDnsHostName: (NULL)
> 04/14/2015 17:40:32:205 lpMachinePassword: (null)
> 04/14/2015 17:40:32:205 lpAccount: psftw\adobrien
> 04/14/2015 17:40:32:205 lpPassword: (non-null)
> 04/14/2015 17:40:32:205 dwJoinOptions: 0x17
> 04/14/2015 17:40:32:205 dwOptions: 0x40000003
> 04/14/2015 17:40:32:252 NetpLdapBind: Verified minimum encryption strength
> on adds.psftw.local: 0x0
> 04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: reading domain data
> 04/14/2015 17:40:32:252 NetpGetNCData: Reading NC data
> 04/14/2015 17:40:32:252 NetpGetDomainData: Lookup domain data for:
> DC=psftw,DC=local
> 04/14/2015 17:40:32:252 NetpGetDomainData: Lookup crossref data for:
> CN=Partitions,CN=Configuration,DC=psftw,DC=local
> 04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: result of retrieving
> domain data: 0x0
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking DNS domain name
> psftw.local/ into Netbios on \\adds.psftw.local
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: name =
> PSFTW\
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking account name
> PSFTW\WIN7002$ on \\adds.psftw.local
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: (Account
> already exists) DN = CN=WIN7002,OU=Servers,DC=psftw,DC=local
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Initial attribute
> values:
> 04/14/2015 17:40:32:283 objectClass  =  Computer
> 04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
> 04/14/2015 17:40:32:283 userAccountControl  =  0x1000
> 04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
> 04/14/2015 17:40:32:283 ServicePrincipalName  =  HOST/WIN7002.psftw.local
>  RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002
>  RestrictedKrbHost/WIN7002
> 04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Computer Object
> already exists in OU:
> 04/14/2015 17:40:32:283 objectClass  =  top  person  organizationalPerson
>  user  computer
> 04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
> 04/14/2015 17:40:32:283 userAccountControl  =  0x1000
> 04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
> 04/14/2015 17:40:32:283 ServicePrincipalName  =  WSMAN/WIN7002
>  WSMAN/WIN7002.psftw.local  RestrictedKrbHost/WIN7002  HOST/WIN7002
>  RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002.psftw.local
> 04/14/2015 17:40:32:283 unicodePwd  =  Account exists, resetting password:
> <SomePassword>
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Attribute values to
> set:
> 04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
> 04/14/2015 17:40:32:424 NetpModifyComputerObjectInDs: Toggled
> UserAccountControl successfully
> 04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: Encoding provisioning
> data
> 04/14/2015 17:40:32:424 NetpInitBlobWin7: Constructing blob...
> 04/14/2015 17:40:32:424 Blob version: 1
> 04/14/2015 17:40:32:424 lpDomain: psftw.local
> 04/14/2015 17:40:32:424 lpMachineName: WIN7002
> 04/14/2015 17:40:32:424 lpMachinePassword: <omitted from log>
> 04/14/2015 17:40:32:424    DomainDnsPolicy:
> 04/14/2015 17:40:32:424     Name: PSFTW
> 04/14/2015 17:40:32:424     DnsDomainName: psftw.local
> 04/14/2015 17:40:32:424     DnsForestName: psftw.local
> 04/14/2015 17:40:32:424     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:424     Sid: S-1-5-21-1080266623-2751979810-671634313
> 04/14/2015 17:40:32:424    DcInfo:
> 04/14/2015 17:40:32:424     DomainControllerName: \\adds.psftw.local
> 04/14/2015 17:40:32:424     DomainControllerAddress: \\192.168.1.9
> 04/14/2015 17:40:32:424     DomainControllerAddressType: 1
> 04/14/2015 17:40:32:424     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:424     DomainName: psftw.local
> 04/14/2015 17:40:32:424     DnsForestName: psftw.local
> 04/14/2015 17:40:32:424     Flags: 0xe000f3fd
> 04/14/2015 17:40:32:424     DcSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:424     ClientSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:424 Options: 0x40000003
> 04/14/2015 17:40:32:424 NetpInitBlobWin7: Blob pickling result: 0
> 04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: result: 0x0
> 04/14/2015 17:40:32:424 ldap_unbind status: 0x0
> 04/14/2015 17:40:32:440 NetpRequestOfflineDomainJoin:
> 04/14/2015 17:40:32:440 dwProvisionBinDataSize: 912
> 04/14/2015 17:40:32:440 JoinOptions: 0x17
> 04/14/2015 17:40:32:440 Options: 0x40000003
> 04/14/2015 17:40:32:440 lpWindowsPath: C:\WINDOWS
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Unpickling
> provisioning blob with size 912 bytes
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Searching 1 blobs for
> supported ODJ blob, highest supported version: 1
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Found ODJ blob
> version: 1
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Selected ODJ blob
> version: 1
> 04/14/2015 17:40:32:440 Blob version: 1
> 04/14/2015 17:40:32:440 lpDomain: psftw.local
> 04/14/2015 17:40:32:440 lpMachineName: WIN7002
> 04/14/2015 17:40:32:440 lpMachinePassword: <omitted from log>
> 04/14/2015 17:40:32:440    DomainDnsPolicy:
> 04/14/2015 17:40:32:440     Name: PSFTW
> 04/14/2015 17:40:32:440     DnsDomainName: psftw.local
> 04/14/2015 17:40:32:440     DnsForestName: psftw.local
> 04/14/2015 17:40:32:440     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:440     Sid: S-1-5-21-1080266623-2751979810-671634313
> 04/14/2015 17:40:32:440    DcInfo:
> 04/14/2015 17:40:32:440     DomainControllerName: \\adds.psftw.local
> 04/14/2015 17:40:32:440     DomainControllerAddress: \\192.168.1.9
> 04/14/2015 17:40:32:440     DomainControllerAddressType: 1
> 04/14/2015 17:40:32:440     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:440     DomainName: psftw.local
> 04/14/2015 17:40:32:440     DnsForestName: psftw.local
> 04/14/2015 17:40:32:440     Flags: 0xe000f3fd
> 04/14/2015 17:40:32:440     DcSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:440     ClientSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:440 Options: 0x40000003
> 04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin
> 04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin: Setting
> backup/restore privileges
> 04/14/2015 17:40:32:440 NetpInitiateOfflineJoin
> 04/14/2015 17:40:32:440 lpLocalRegistryPath:
> C:\WINDOWS\system32\config\SYSTEM
> 04/14/2015 17:40:32:440 dwOptions: 0x40000003
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Translating
> provisioning data to internal format
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Selecting version 1
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: exiting: 0x0
> 04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to
> load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522
> 04/14/2015 17:40:32:440 NetpClearFullJoinState:  Removing cached state
> from the registry...
> 04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join
> state key 0x6
> 04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
> 04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate
> the offline domain join 0xa9d
> 04/14/2015 17:40:32:455 NetpJoinDomainOnDs: Function exits with status of:
> 0xa9d
> 04/14/2015 17:40:32:455 NetpJoinDomainOnDs: status of disconnecting from
> '\\adds.psftw.local': 0x0
> 04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
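An added example, not part of the thread and not code from any of its participants: one way to pull the failing steps out of a NetSetup.log excerpt like the one quoted above, rejoining the lines the mail client wrapped. The function name `Get-NetSetupFailure` and its `-Ignore` parameter are hypothetical; the sample lines are copied from the log in this thread.

```powershell
# Added example (not from the thread). Get-NetSetupFailure is a hypothetical helper name.
function Get-NetSetupFailure {
    param(
        [Parameter(Mandatory = $true)][string[]]$Line,
        [int[]]$Ignore = @(0)          # status codes to treat as success
    )
    $stamp = '^(?<time>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) '
    $entries = New-Object 'System.Collections.Generic.List[string]'
    foreach ($raw in $Line) {
        # Drop mail quoting ("> ") and rejoin wrapped lines: text without a
        # timestamp continues the previous entry.
        $text = ($raw -replace '^(>\s?)+', '').Trim()
        if (-not $text) { continue }
        if ($text -match $stamp -or $entries.Count -eq 0) { $entries.Add($text) }
        else { $entries[$entries.Count - 1] += " $text" }
    }
    # Only entries that mention "status" or "failed" and end in a hex value are
    # read as results; flag fields such as "Options: 0x17" are skipped.
    $result = $stamp + '(?<fn>\w+):.*\b(?:status|failed)\b.*?0x(?<hex>[0-9a-f]+)$'
    foreach ($entry in $entries) {
        if ($entry -match $result) {
            $code = [Convert]::ToInt32($Matches['hex'], 16)
            if ($Ignore -contains $code) { continue }
            [pscustomobject]@{
                Time     = $Matches['time']
                Function = $Matches['fn']
                Code     = '0x{0:x}' -f $code
                # Win32Exception resolves system error text; codes it does not
                # know come back as an "Unknown error" string.
                Message  = (New-Object System.ComponentModel.Win32Exception $code).Message
            }
        }
    }
}

# Sample input: lines copied from the log in this thread, wrapped as mailed.
$sample = @'
> 04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc
> '\\adds.psftw.local': 0x0
> 04/14/2015 17:40:32:440 dwOptions: 0x40000003
> 04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to
> load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522
> 04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join
> state key 0x6
> 04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
> 04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
'@ -split "`r?`n"

Get-NetSetupFailure -Line $sample | Format-Table Time, Function, Code, Message -AutoSize
```

On the sample, the first row is the RegLoadKeyW failure with 0x522, the Win32 code ERROR_PRIVILEGE_NOT_HELD (1314), ahead of the 0xa9d statuses logged after it. On the full log, pass `-Ignore 0,2` to drop the `NetpLoadParameters: status: 0x2` lines.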