I went through this a while back and I’m trying to remember what the details were. I ended up having to be very literal about which accounts to use where. Getting it unjoined was pretty easy, local admin creds to change the membership of the computer from domain to local, but getting it rejoined was the harder part because you have to provide two sets of credentials, local creds because the local creds are allowed to change the membership of the computer, but also domain b creds because you have to have rights to join the computer to the object in the domain. Domain b creds have to be on the object in domain b.
Try:

Add-Computer -ComputerName 'computer1' -DomainName domainB -LocalCredential UserC -UnjoinDomainCredential UserA -Credential UserB -Restart

Example 6 - https://technet.microsoft.com/en-us/library/hh849798.aspx

Todd

From: [email protected] [mailto:[email protected]] On Behalf Of David O'Brien
Sent: Tuesday, April 14, 2015 7:32 AM
To: [email protected]
Subject: RE: [mssms] Domain join via Add-Computer or WMI

Will try without the unjoin credentials. Don't want to reboot in between, because all this has to be executed from a logon script.

Sent from my Windows Phone

From: elsalvoz
Sent: 14/04/2015 10:14 PM
To: [email protected]
Subject: RE: [mssms] Domain join via Add-Computer or WMI

Reread your previous email and I missed it initially. You actually don't need domain credentials from domain A, but either way, I would do it in two steps: remove from the domain and join domain B after. If a reboot is required, you would auto-login the local account.

Cesar A

On Apr 14, 2015 4:47 AM, "David O'Brien" <[email protected]> wrote:

I am not doing offline domain join, I reckon that is just what the log says. And I am using an account that is a machine local account (User C).

Sent from my Windows Phone

From: elsalvoz
Sent: 14/04/2015 9:35 PM
To: [email protected]
Subject: Re: [mssms] Domain join via Add-Computer or WMI

What Daniel is referring to is local to the system: once a system disjoins a domain, domain accounts do not have local permission. You need to use the system's local administrator or an account with local administration privilege during the rejoin. This is the process to manually rejoin a system to a domain, but I have never done an offline join before.

Cesar A

On Apr 14, 2015 3:51 AM, "David O'Brien" <[email protected]> wrote:

I've got three users.

User A: Domain Admin in Domain A
User B: Domain Admin in Domain B
User C: Local Admin on the computer that is being migrated (this user creates the elevated session)

I do the following:

$script:session = New-PSSession -Credential $credUserC -ComputerName localhost
Invoke-Command -Session $session -ScriptBlock {
    Add-Computer -ComputerName localhost -Credential $args[0] -DomainName $args[1] -UnjoinDomainCredential $args[2]
} -ArgumentList $credUserB, $DomainName, $credUserA

This doesn't work. Strange issue.

From: Daniel Ratliff
Reply-To: <[email protected]>
Date: Tuesday, 14 April 2015 8:16 pm
To: "'[email protected]'", "'[email protected]'"
Subject: RE: [mssms] Domain join via Add-Computer or WMI

Didn't read through all the logs, but is user a DA in domain A? Once you disjoin domain A, wouldn't they lose all admin? You need a local account to join domain B?

-----Original Message-----
From: David O'Brien [[email protected]]
Sent: Tuesday, April 14, 2015 04:01 AM Eastern Standard Time
To: [email protected]
Subject: [mssms] Domain join via Add-Computer or WMI

Hi,

Slightly OT, but maybe someone has seen this before. I have to "migrate" a computer from Domain A to Domain B; the trigger for that is a user logging in, so we are executing this from a logon script. The issue I'm seeing is that in my tests now the unjoin from Domain A works fine (which implies that all local permissions are ok and elevation of the script works; the logged-on user does not have permissions in this case, hence we need elevation), but the join fails with this. PSFTW\adobrien is the user used for elevation and is now a member of Domain Admins and Local Admins. Seen this before? Why is it mentioning "Offline Domain Join"? Why did it fail to load the registry hive?
Thanks,
David

04/14/2015 17:40:31:908 NetpDoDomainJoin
04/14/2015 17:40:31:908 NetpMachineValidToJoin: 'WIN7002'
04/14/2015 17:40:31:908 OS Version: 6.1
04/14/2015 17:40:31:908 Build number: 7601 (7601.win7sp1_ldr.130828-1532)
04/14/2015 17:40:31:908 ServicePack: Service Pack 1
04/14/2015 17:40:31:908 SKU: Windows 7 Enterprise
04/14/2015 17:40:31:908 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
04/14/2015 17:40:31:908 NetpGetLsaPrimaryDomain: status: 0x0
04/14/2015 17:40:31:908 NetpMachineValidToJoin: status: 0x0
04/14/2015 17:40:31:908 NetpJoinDomain
04/14/2015 17:40:31:908 Machine: WIN7002
04/14/2015 17:40:31:908 Domain: psftw.local
04/14/2015 17:40:31:908 MachineAccountOU: (NULL)
04/14/2015 17:40:31:908 Account: psftw\adobrien
04/14/2015 17:40:31:908 Options: 0x17
04/14/2015 17:40:31:908 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:31:908 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/14/2015 17:40:31:908 NetpLoadParameters: status: 0x2
04/14/2015 17:40:31:908 NetpValidateName: checking to see if 'psftw.local' is valid as type 3 name
04/14/2015 17:40:32:033 NetpCheckDomainNameIsValid [ Exists ] for 'psftw.local' returned 0x0
04/14/2015 17:40:32:033 NetpValidateName: name 'psftw.local' is valid for type 3
04/14/2015 17:40:32:033 NetpDsGetDcName: trying to find DC in domain 'psftw.local', flags: 0x40001010
04/14/2015 17:40:32:143 NetpLoadParameters: loading registry parameters...
04/14/2015 17:40:32:143 NetpLoadParameters: DNSNameResolutionRequired not found, defaulting to '1' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: DomainCompatibilityMode not found, defaulting to '0' 0x2
04/14/2015 17:40:32:143 NetpLoadParameters: status: 0x2
04/14/2015 17:40:32:143 NetpDsGetDcName: status of verifying DNS A record name resolution for 'adds.psftw.local': 0x0
04/14/2015 17:40:32:143 NetpDsGetDcName: found DC '\\adds.psftw.local' in the specified domain
04/14/2015 17:40:32:143 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
04/14/2015 17:40:32:205 NetpJoinDomain: status of connecting to dc '\\adds.psftw.local': 0x0
04/14/2015 17:40:32:205 NetpProvisionComputerAccount:
04/14/2015 17:40:32:205 lpDomain: psftw.local
04/14/2015 17:40:32:205 lpMachineName: WIN7002
04/14/2015 17:40:32:205 lpMachineAccountOU: (NULL)
04/14/2015 17:40:32:205 lpDcName: adds.psftw.local
04/14/2015 17:40:32:205 lpDnsHostName: (NULL)
04/14/2015 17:40:32:205 lpMachinePassword: (null)
04/14/2015 17:40:32:205 lpAccount: psftw\adobrien
04/14/2015 17:40:32:205 lpPassword: (non-null)
04/14/2015 17:40:32:205 dwJoinOptions: 0x17
04/14/2015 17:40:32:205 dwOptions: 0x40000003
04/14/2015 17:40:32:252 NetpLdapBind: Verified minimum encryption strength on adds.psftw.local: 0x0
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: reading domain data
04/14/2015 17:40:32:252 NetpGetNCData: Reading NC data
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup domain data for: DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpGetDomainData: Lookup crossref data for: CN=Partitions,CN=Configuration,DC=psftw,DC=local
04/14/2015 17:40:32:252 NetpLdapGetLsaPrimaryDomain: result of retrieving domain data: 0x0
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking DNS domain name psftw.local/ into Netbios on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: name = PSFTW\
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Cracking account name PSFTW\WIN7002$ on \\adds.psftw.local
04/14/2015 17:40:32:283 NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=WIN7002,OU=Servers,DC=psftw,DC=local
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Initial attribute values:
04/14/2015 17:40:32:283 objectClass = Computer
04/14/2015 17:40:32:283 SamAccountName = WIN7002$
04/14/2015 17:40:32:283 userAccountControl = 0x1000
04/14/2015 17:40:32:283 DnsHostName = WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName = HOST/WIN7002.psftw.local RestrictedKrbHost/WIN7002.psftw.local HOST/WIN7002 RestrictedKrbHost/WIN7002
04/14/2015 17:40:32:283 unicodePwd = <SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Computer Object already exists in OU:
04/14/2015 17:40:32:283 objectClass = top person organizationalPerson user computer
04/14/2015 17:40:32:283 SamAccountName = WIN7002$
04/14/2015 17:40:32:283 userAccountControl = 0x1000
04/14/2015 17:40:32:283 DnsHostName = WIN7002.psftw.local
04/14/2015 17:40:32:283 ServicePrincipalName = WSMAN/WIN7002 WSMAN/WIN7002.psftw.local RestrictedKrbHost/WIN7002 HOST/WIN7002 RestrictedKrbHost/WIN7002.psftw.local HOST/WIN7002.psftw.local
04/14/2015 17:40:32:283 unicodePwd = Account exists, resetting password: <SomePassword>
04/14/2015 17:40:32:283 NetpModifyComputerObjectInDs: Attribute values to set:
04/14/2015 17:40:32:283 unicodePwd = <SomePassword>
04/14/2015 17:40:32:424 NetpModifyComputerObjectInDs: Toggled UserAccountControl successfully
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: Encoding provisioning data
04/14/2015 17:40:32:424 NetpInitBlobWin7: Constructing blob...
04/14/2015 17:40:32:424 Blob version: 1
04/14/2015 17:40:32:424 lpDomain: psftw.local
04/14/2015 17:40:32:424 lpMachineName: WIN7002
04/14/2015 17:40:32:424 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:424 DomainDnsPolicy:
04/14/2015 17:40:32:424 Name: PSFTW
04/14/2015 17:40:32:424 DnsDomainName: psftw.local
04/14/2015 17:40:32:424 DnsForestName: psftw.local
04/14/2015 17:40:32:424 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424 Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:424 DcInfo:
04/14/2015 17:40:32:424 DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:424 DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:424 DomainControllerAddressType: 1
04/14/2015 17:40:32:424 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:424 DomainName: psftw.local
04/14/2015 17:40:32:424 DnsForestName: psftw.local
04/14/2015 17:40:32:424 Flags: 0xe000f3fd
04/14/2015 17:40:32:424 DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424 ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:424 Options: 0x40000003
04/14/2015 17:40:32:424 NetpInitBlobWin7: Blob pickling result: 0
04/14/2015 17:40:32:424 NetpEncodeProvisioningBlob: result: 0x0
04/14/2015 17:40:32:424 ldap_unbind status: 0x0
04/14/2015 17:40:32:440 NetpRequestOfflineDomainJoin:
04/14/2015 17:40:32:440 dwProvisionBinDataSize: 912
04/14/2015 17:40:32:440 JoinOptions: 0x17
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 lpWindowsPath: C:\WINDOWS
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Unpickling provisioning blob with size 912 bytes
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Searching 1 blobs for supported ODJ blob, highest supported version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Found ODJ blob version: 1
04/14/2015 17:40:32:440 NetpDecodeProvisioningBlob: Selected ODJ blob version: 1
04/14/2015 17:40:32:440 Blob version: 1
04/14/2015 17:40:32:440 lpDomain: psftw.local
04/14/2015 17:40:32:440 lpMachineName: WIN7002
04/14/2015 17:40:32:440 lpMachinePassword: <omitted from log>
04/14/2015 17:40:32:440 DomainDnsPolicy:
04/14/2015 17:40:32:440 Name: PSFTW
04/14/2015 17:40:32:440 DnsDomainName: psftw.local
04/14/2015 17:40:32:440 DnsForestName: psftw.local
04/14/2015 17:40:32:440 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440 Sid: S-1-5-21-1080266623-2751979810-671634313
04/14/2015 17:40:32:440 DcInfo:
04/14/2015 17:40:32:440 DomainControllerName: \\adds.psftw.local
04/14/2015 17:40:32:440 DomainControllerAddress: \\192.168.1.9
04/14/2015 17:40:32:440 DomainControllerAddressType: 1
04/14/2015 17:40:32:440 DomainGuid: 6d5d8c99-ceaf-4e3d-8f14-8fa258ef4a88
04/14/2015 17:40:32:440 DomainName: psftw.local
04/14/2015 17:40:32:440 DnsForestName: psftw.local
04/14/2015 17:40:32:440 Flags: 0xe000f3fd
04/14/2015 17:40:32:440 DcSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440 ClientSiteName: Default-First-Site-Name
04/14/2015 17:40:32:440 Options: 0x40000003
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin
04/14/2015 17:40:32:440 NetpDoInitiateOfflineDomainJoin: Setting backup/restore privileges
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin
04/14/2015 17:40:32:440 lpLocalRegistryPath: C:\WINDOWS\system32\config\SYSTEM
04/14/2015 17:40:32:440 dwOptions: 0x40000003
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Translating provisioning data to internal format
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: Selecting version 1
04/14/2015 17:40:32:440 NetpConvertBlobToJoinState: exiting: 0x0
04/14/2015 17:40:32:440 NetpInitiateOfflineJoin: RegLoadKeyW failed to load the hive C:\WINDOWS\system32\config\SYSTEM: 0x522
04/14/2015 17:40:32:440 NetpClearFullJoinState: Removing cached state from the registry...
04/14/2015 17:40:32:440 NetpClearFullJoinState: Status of deleting join state key 0x6
04/14/2015 17:40:32:455 NetpDoInitiateOfflineDomainJoin: status: 0xa9d
04/14/2015 17:40:32:455 NetRequestOfflineDomainJoin: Failed to initiate the offline domain join 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: Function exits with status of: 0xa9d
04/14/2015 17:40:32:455 NetpJoinDomainOnDs: status of disconnecting from '\\adds.psftw.local': 0x0
04/14/2015 17:40:32:455 NetpDoDomainJoin: status: 0xa9d
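The two-step migration Cesar and Todd recommend, written out as an added example (not code posted in the thread): unjoin with local rights only, then rejoin with the local admin credential plus a domain-B credential, checking the result of each step and surfacing the NetSetup.LOG tail on failure. $DomainB, the credential variables and the log path under $env:SystemRoot\debug are assumptions; the script is meant to run in the elevated local-admin context the thread describes.

```powershell
# Added example, not code from the thread: the two-step migration Cesar and
# Todd describe, run on the machine being moved. $DomainB, the credential
# variables and the log path are assumptions; $credUserC is the machine-local
# admin, $credUserB a domain-B account with rights on the existing computer
# object in domain B. No domain-A credential is used at any point.
param(
    [Parameter(Mandatory)] [pscredential] $credUserC,  # local admin on this PC
    [Parameter(Mandatory)] [pscredential] $credUserB,  # domain-B join account
    [string] $DomainB = 'domainB.example'              # placeholder domain name
)

function Get-JoinState {
    # What the OS itself currently believes about its membership.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    [pscustomobject]@{ PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

function Show-NetSetupTail {
    # NetSetup.LOG is where the Netp* 'status: 0x...' lines in the thread come
    # from; show the tail so the failing call and its code are visible.
    $log = Join-Path $env:SystemRoot 'debug\NetSetup.LOG'
    if (Test-Path $log) { Get-Content -Path $log -Tail 15 }
}

$before = Get-JoinState
if (-not $before.PartOfDomain) { throw 'Machine is not domain-joined; nothing to migrate' }

# Step 1: leave domain A. Changing this machine's own membership needs local
# admin rights (the context this runs in), not a domain-A account.
$r = Remove-Computer -WorkgroupName 'WORKGROUP' -Force -PassThru
if (-not $r.HasSucceeded) { Show-NetSetupTail; throw "Unjoin from $($before.Domain) failed" }

# Step 2: join domain B in the form of Todd's Example 6. -LocalCredential
# authorises the change on this machine, since domain accounts lost their local
# rights at step 1; -Credential must have rights on the computer object in B.
$r = Add-Computer -ComputerName $env:COMPUTERNAME -DomainName $DomainB `
        -LocalCredential $credUserC -Credential $credUserB -Force -PassThru
if (-not $r.HasSucceeded) { Show-NetSetupTail; throw "Join to $DomainB failed" }

$after = Get-JoinState
if ($after.Domain -ne $DomainB) {
    Write-Warning "Expected $DomainB, OS currently reports $($after.Domain)"
}
Write-Output "Joined $DomainB; a restart is still required to complete the change."
```

The 0x522 in the log above is Win32 error 1314, ERROR_PRIVILEGE_NOT_HELD, which is why the script prints the NetSetup.LOG tail on failure rather than only the cmdlet's error text.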
