Reread your previous email and I missed it initially.

You actually don't need domain credentials from domain A, but either way, I
would do it in two steps: remove from the domain and join domain B after. If
a reboot is required, you would auto login the local account.

Cesar A
On Apr 14, 2015 4:47 AM, "David O'Brien" <[email protected]> wrote:

> I am not doing offline domain join, I reckon that is just what the log
> says.
>
> And I am using an account that is a machine local account (User C).
>
> Sent from my Windows Phone
>  ------------------------------
> From: elsalvoz <[email protected]>
> Sent: 14/04/2015 9:35 PM
> To: [email protected]
> Subject: Re: [mssms] Domain join via Add-Computer or WMI
>
> What Daniel is referring to is local to the system: once a system disjoins
> a domain, domain accounts do not have local permission.
>
> You need to use system local administration or an account with local
> administration privilege during the rejoin.
>
> This is the process to manually rejoin a system to a domain but I have
> never done offline join before.
>
> Cesar A
> On Apr 14, 2015 3:51 AM, "David O'Brien" <[email protected]> wrote:
>
>  I've got three users.
>
>  User A: Domain Admin in Domain A
> User B: Domain Admin in Domain B
> User C: Local Admin on computer that is being migrated (this user creates
> the elevated session)
>
>  I do the following:
>
> $script:session = New-PSSession -Credential $credUserC -ComputerName localhost
> Invoke-Command -Session $session -ScriptBlock { Add-Computer -ComputerName localhost -Credential $args[0] -DomainName $args[1] -UnjoinDomainCredential $args[2] } -ArgumentList $credUserB, $DomainName, $credUserA
>
>  This doesn't work.
>
>  Strange issue.
>
>   From: Daniel Ratliff
> Reply-To: <[email protected]>
> Date: Tuesday, 14 April 2015 8:16 pm
> To: "'[email protected]'", "'[email protected]'"
> Subject: RE: [mssms] Domain join via Add-Computer or WMI
>
>  Didn't read through all the logs, but is user a DA in domain a? Once you
> disjoin domain a, wouldn't they lose all admin? You need a local account to
> join domain b?
>
> -----Original Message-----
> *From: *David O'Brien [[email protected]]
> *Sent: *Tuesday, April 14, 2015 04:01 AM Eastern Standard Time
> *To: *[email protected]
> *Subject: *[mssms] Domain join via Add-Computer or WMI
>
>  Hi,
>
>  Slightly OT, but maybe someone has seen this before.
>
>  I have to "migrate" a computer from Domain A to Domain B, trigger for
> that is a User logging in, so we are executing this from a Logon script.
> The issue I'm seeing is that in my tests now the unjoin from Domain A
> works fine (which implies that all local permissions are ok and elevation
> of the script works, logged on user does not have permissions in this case,
> hence we need elevation), but the join fails with this.
> PSFTW\adobrien is the user used for elevation and is now a member of
> Domain Admins and Local Admins.
>
>  Seen this before? Why is it mentioning "Offline Domain Join"? Why did it
> fail to load the registry hive?
>
>  Thanks,
> David
>
>  04/14/2015 17:40:31:908 NetpDoDomainJoin
> 04/14/2015 17:40:31:908 NetpMachineValidToJoin: 'WIN7002'
> 04/14/2015 17:40:31:908 OS Version: 6.1
> 04/14/2015 17:40:31:908 Build number: 7601 (7601.win7sp1_ldr.130828-1532)
> 04/14/2015 17:40:31:908 ServicePack: Service Pack 1
> 04/14/2015 17:40:31:908 SKU: Windows 7 Enterprise
> 04/14/2015 17:40:31:908 NetpDomainJoinLicensingCheck: ulLicenseValue=1,
> Status: 0x0
> 04/14/2015 17:40:31:908 NetpGetLsaPrimaryDomain: status: 0x0
> 04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
> 04/14/2015 17:40:31:908 NetpJoinDomain
> 04/14/2015 17:40:31:908 Machine: WIN7002
> 04/14/2015 17:40:31:908 Domain: psftw.local
> 04/14/2015 17:40:31:908 MachineAccountOU: (NULL)
> 04/14/2015 17:40:31:908 Account: psftw\adobrien
> 04/14/2015 17:40:31:908 Options: 0x17
> 04/14/2015 17:40:31:908 NetpLoadParameters: loading registry parameters...
> 04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not
> found, defaulting to '1' 0x2
> 04/14/2015 17:40:31:908 NetpLoadParameters: DomainCompatibilityMode not
> found, defaulting to '0' 0x2
> 04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
> 04/14/2015 17:40:31:908 NetpValidateName: checking to see if 'psftw.local'
> is valid as type 3 name
> 04/14/2015 17:40:32:033 NetpCheckDomainNameIsValid [ Exists ] for
> 'psftw.local' returned 0x0
> 04/14/2015 17:40:32:033 NetpValidateName: name 'psftw.local' is valid for
> type 3
> 04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain
> 'psftw.local', flags: 0x40001010
> 04/14/2015 17:40:32:143 NetpLoadParameters: loading registry parameters...
> 04/14/2015 17:40:32:143 NetpLoadParameters: DNSNameResolutionRequired not
> found, defaulting to '1' 0x2
> 04/14/2015 17:40:32:143 NetpLoadParameters: DomainCompatibilityMode not
> found, defaulting to '0' 0x2
> 04/14/2015 17:40:32:143 NetpLoadParameters: status: 0x2
> 04/14/2015 17:40:32:143 NetpDsGetDcName: status of verifying DNS A record
> name resolution for 'adds.psftw.local': 0x0
> 04/14/2015 17:40:32:143 NetpDsGetDcName: found DC '\\adds.psftw.local' in
> the specified domain
> 04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc
> '\\adds.psftw.local': 0x0
> 04/14/2015 17:40:32:205 NetpProvisionComputerAccount:
> 04/14/2015 17:40:32:205 lpDomain: psftw.local
> 04/14/2015 17:40:32:205 lpMachineName: WIN7002
> 04/14/2015 17:40:32:205 lpMachineAccountOU: (NULL)
> 04/14/2015 17:40:32:205 lpDcName: adds.psftw.local
> 04/14/2015 17:40:32:205 lpDnsHostName: (NULL)
> 04/14/2015 17:40:32:205 lpMachinePassword: (null)
> 04/14/2015 17:40:32:205 lpAccount: psftw\adobrien
> 04/14/2015 17:40:32:205 lpPassword: (non-null)
> 04/14/2015 17:40:32:205 dwJoinOptions: 0x17
> 04/14/2015 17:40:32:205 dwOptions: 0x40000003
> 04/14/2015 17:40:32:252 NetpLdapBind: Verified minimum encryption strength
> on adds.psftw.local: 0x0
> 04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: reading domain data
> 04/14/2015 17:40:32:252 NetpGetNCData: Reading NC data
> 04/14/2015 17:40:32:252 NetpGetDomainData: Lookup domain data for:
> DC=psftw,DC=local
> 04/14/2015 17:40:32:252 NetpGetDomainData: Lookup crossref data for:
> CN=Partitions,CN=Configuration,DC=psftw,DC=local
> 04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: result of retrieving
> domain data: 0x0
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking DNS domain name
> psftw.local/ into Netbios on \\adds.psftw.local
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: name =
> PSFTW\
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking account name
> PSFTW\WIN7002$ on \\adds.psftw.local
> 04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: (Account
> already exists) DN = CN=WIN7002,OU=Servers,DC=psftw,DC=local
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Initial attribute
> values:
> 04/14/2015 17:40:32:283 objectClass  =  Computer
> 04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
> 04/14/2015 17:40:32:283 userAccountControl  =  0x1000
> 04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
> 04/14/2015 17:40:32:283 ServicePrincipalName  =  HOST/WIN7002.psftw.local
>  RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002
>  RestrictedKrbHost/WIN7002
> 04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Computer Object
> already exists in OU:
> 04/14/2015 17:40:32:283 objectClass  =  top  person  organizationalPerson
>  user  computer
> 04/14/2015 17:40:32:283 SamAccountName  =  WIN7002$
> 04/14/2015 17:40:32:283 userAccountControl  =  0x1000
> 04/14/2015 17:40:32:283 DnsHostName  =  WIN7002.psftw.local
> 04/14/2015 17:40:32:283 ServicePrincipalName  =  WSMAN/WIN7002
>  WSMAN/WIN7002.psftw.local  RestrictedKrbHost/WIN7002  HOST/WIN7002
>  RestrictedKrbHost/WIN7002.psftw.local  HOST/WIN7002.psftw.local
> 04/14/2015 17:40:32:283 unicodePwd  =  Account exists, resetting password:
> <SomePassword>
> 04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Attribute values to
> set:
> 04/14/2015 17:40:32:283 unicodePwd  =  <SomePassword>
> 04/14/2015 17:40:32:424 NetpModifyComputerObjectInDs: Toggled
> UserAccountControl successfully
> 04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: Encoding provisioning
> data
> 04/14/2015 17:40:32:424 NetpInitBlobWin7: Constructing blob...
> 04/14/2015 17:40:32:424 Blob version: 1
> 04/14/2015 17:40:32:424 lpDomain: psftw.local
> 04/14/2015 17:40:32:424 lpMachineName: WIN7002
> 04/14/2015 17:40:32:424 lpMachinePassword: <omitted from log>
> 04/14/2015 17:40:32:424    DomainDnsPolicy:
> 04/14/2015 17:40:32:424     Name: PSFTW
> 04/14/2015 17:40:32:424     DnsDomainName: psftw.local
> 04/14/2015 17:40:32:424     DnsForestName: psftw.local
> 04/14/2015 17:40:32:424     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:424     Sid: S-1-5-21-1080266623-2751979810-671634313
> 04/14/2015 17:40:32:424    DcInfo:
> 04/14/2015 17:40:32:424     DomainControllerName: \\adds.psftw.local
> 04/14/2015 17:40:32:424     DomainControllerAddress: \\192.168.1.9
> 04/14/2015 17:40:32:424     DomainControllerAddressType: 1
> 04/14/2015 17:40:32:424     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:424     DomainName: psftw.local
> 04/14/2015 17:40:32:424     DnsForestName: psftw.local
> 04/14/2015 17:40:32:424     Flags: 0xe000f3fd
> 04/14/2015 17:40:32:424     DcSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:424     ClientSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:424 Options: 0x40000003
> 04/14/2015 17:40:32:424 NetpInitBlobWin7: Blob pickling result: 0
> 04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: result: 0x0
> 04/14/2015 17:40:32:424 ldap_unbind status: 0x0
> 04/14/2015 17:40:32:440 NetpRequestOfflineDomainJoin:
> 04/14/2015 17:40:32:440 dwProvisionBinDataSize: 912
> 04/14/2015 17:40:32:440 JoinOptions: 0x17
> 04/14/2015 17:40:32:440 Options: 0x40000003
> 04/14/2015 17:40:32:440 lpWindowsPath: C:\WINDOWS
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Unpickling
> provisioning blob with size 912 bytes
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Searching 1 blobs for
> supported ODJ blob, highest supported version: 1
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Found ODJ blob
> version: 1
> 04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Selected ODJ blob
> version: 1
> 04/14/2015 17:40:32:440 Blob version: 1
> 04/14/2015 17:40:32:440 lpDomain: psftw.local
> 04/14/2015 17:40:32:440 lpMachineName: WIN7002
> 04/14/2015 17:40:32:440 lpMachinePassword: <omitted from log>
> 04/14/2015 17:40:32:440    DomainDnsPolicy:
> 04/14/2015 17:40:32:440     Name: PSFTW
> 04/14/2015 17:40:32:440     DnsDomainName: psftw.local
> 04/14/2015 17:40:32:440     DnsForestName: psftw.local
> 04/14/2015 17:40:32:440     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:440     Sid: S-1-5-21-1080266623-2751979810-671634313
> 04/14/2015 17:40:32:440    DcInfo:
> 04/14/2015 17:40:32:440     DomainControllerName: \\adds.psftw.local
> 04/14/2015 17:40:32:440     DomainControllerAddress: \\192.168.1.9
> 04/14/2015 17:40:32:440     DomainControllerAddressType: 1
> 04/14/2015 17:40:32:440     DomainGuid:
> 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
> 04/14/2015 17:40:32:440     DomainName: psftw.local
> 04/14/2015 17:40:32:440     DnsForestName: psftw.local
> 04/14/2015 17:40:32:440     Flags: 0xe000f3fd
> 04/14/2015 17:40:32:440     DcSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:440     ClientSiteName: Default-First-Site-Name
> 04/14/2015 17:40:32:440 Options: 0x40000003
> 04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin
> 04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin: Setting
> backup/restore privileges
> 04/14/2015 17:40:32:440 NetpInitiateOfflineJoin
> 04/14/2015 17:40:32:440 lpLocalRegistryPath:
> C:\WINDOWS\system32\config\SYSTEM
> 04/14/2015 17:40:32:440 dwOptions: 0x40000003
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Translating
> provisioning data to internal format
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Selecting version 1
> 04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: exiting: 0x0
> 04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to
> load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522
> 04/14/2015 17:40:32:440 NetpClearFullJoinState:  Removing cached state
> from the registry...
> 04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join
> state key 0x6
> 04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
> 04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate
> the offline domain join 0xa9d
> 04/14/2015 17:40:32:455 NetpJoinDomainOnDs: Function exits with status of:
> 0xa9d
> 04/14/2015 17:40:32:455 NetpJoinDomainOnDs: status of disconnecting from
> '\\adds.psftw.local': 0x0
> 04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
>
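
Added example, not part of the original thread: a PowerShell triage of the NetSetup.log excerpt quoted above that lists every non-zero status in order and names it, so the first failing call (RegLoadKeyW, 0x522 = Win32 error 1314, ERROR_PRIVILEGE_NOT_HELD) stands out from the 0xa9d codes that follow it. The function name `Get-NetSetupFailure` and the `$nerr` table are hypothetical; the 2717 mapping is an assumption taken from lmerr.h.

```powershell
# Added example. Sample lines are copied from the log quoted above, with the
# e-mail line wrapping undone; on a real system read %windir%\debug\NetSetup.log.
$sample = @'
04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain 'psftw.local', flags: 0x40001010
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522
04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join state key 0x6
04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
'@ -split '\r?\n'

# Network-management (NERR_*) codes are not in the system message table, so
# Win32Exception cannot name them. Assumption: value taken from lmerr.h.
$nerr = @{ 2717 = 'NERR_CantLoadOfflineHive' }

function Get-NetSetupFailure {
    param([Parameter(Mandatory)][string[]]$Line)
    # Only lines that report an outcome; skips "flags:" and "Options:" hex values.
    $rx = '^(?<ts>\S+ \S+) (?<fn>\w+):.*\b(?:status|failed|returned)\b.*?(?<code>0x[0-9a-f]+)\s*$'
    foreach ($l in $Line) {
        if ($l -match $rx) {
            $ts = $Matches['ts']; $fn = $Matches['fn']; $hex = $Matches['code']
            $code = [Convert]::ToInt32($hex, 16)
            if ($code -eq 0) { continue }    # 0x0 = success
            $meaning = if ($nerr.ContainsKey($code)) { $nerr[$code] } else {
                (New-Object System.ComponentModel.Win32Exception $code).Message
            }
            [pscustomobject]@{ Time = $ts; Function = $fn; Code = $hex; Meaning = $meaning }
        }
    }
}

$failures = @(Get-NetSetupFailure -Line $sample)
$failures | Format-Table -AutoSize -Wrap
# The earliest non-zero status is usually the cause; later ones propagate it.
"First failure: {0} {1} ({2})" -f $failures[0].Function, $failures[0].Code, $failures[0].Meaning
```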


