Hi,
I’m trying to remotely add a computer to a domain. I’m following the proper syntax and all, and it seems to work; however, I get an ACCESS DENIED error and of course the PC is not added to the domain. What makes me scratch my head is: why? The credentials for the local machine are correct, and the same goes for the domain account. Also, I’m running the PS session as a domain admin, so why the access denied message?
Can you run remote commands on the remote computer at all?
You have OriginalName\AdminAccount in your command. Do you get prompted for the password?
Did you try to prepopulate the credentials in a variable and use those in the command?
Can you run the command locally on the computer?
Regardless of that: you know that you don’t need to use a domain admin to join a computer to the domain, don’t you? And actually you should not. By default, every domain user can join a computer to a domain, and the domain admin is only made to manage the domain, not clients.
Yes, I get prompted for both passwords; I do not save them in a variable, I type them in. These systems do not have PS remoting enabled, but I can use PS without a problem. Running Add-Computer on the local machine works fine; the problem I have is when I want to do it remotely.
My first instinct is that this is a double-hop issue. The PSSession is one hop, but trying to add the remote computer to the domain would require the credentials to be passed to the domain controller, which would be a second hop and would require credential delegation with CredSSP.
I typically get around this by using PowerShell Direct if my hypervisor is Hyper-V, or PowerCLI’s Invoke-VMScript if VMware Tools are installed on my guest VM on an ESXi host. This doesn’t encounter the double-hop issue, as the command is executed directly on the VM guest via the hypervisor bus/tools.
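The three shapes discussed in this thread, as an added example rather than code from any of the posts: the direct Add-Computer -ComputerName form, a quick probe for the double-hop condition, and the PowerShell Direct workaround described above. Every name in it is a placeholder (target 'WS01', domain 'corp.example', domain controller 'DC01', account 'CORP\joinuser'); substitute your own. One caveat worth knowing when reading this: Add-Computer -ComputerName reaches the target over WMI/DCOM, not WinRM, so the first form works on machines where PS Remoting is disabled, while the probe in step 2 does need WinRM on the target.

```powershell
# Added example, not from the thread. All host, domain and account names are placeholders.

# 1. Remote join without a PSSession.
#    -LocalCredential authenticates to the target (WS01) over WMI/DCOM;
#    -Credential is the account that performs the join and only needs the right
#    to join computers to the domain (a plain domain user has that by default).
$localCred = Get-Credential -Message 'Local administrator on WS01'
$joinCred  = Get-Credential -Message 'Domain account allowed to join computers (e.g. CORP\joinuser)'

$result = Add-Computer -ComputerName 'WS01' `
                       -LocalCredential $localCred `
                       -DomainName 'corp.example' `
                       -Credential $joinCred `
                       -PassThru -Verbose
# -PassThru returns a ComputerChangeInfo object; HasSucceeded tells you whether the join worked.
if (-not $result.HasSucceeded) {
    Write-Warning "Join of $($result.ComputerName) failed"
}

# 2. Double-hop probe (requires WinRM on the target).
#    Inside a WinRM session, reaching a third machine with the session's own token
#    fails unless delegation (CredSSP or Kerberos constrained delegation) is configured.
function Test-SecondHop {
    param(
        [string]$ComputerName,
        [pscredential]$Credential,
        [string]$ThirdHost = 'DC01'   # placeholder domain controller
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        param($Target)
        try {
            $null = Get-ChildItem "\\$Target\SYSVOL" -ErrorAction Stop
            "second hop to $Target OK (delegation is in place)"
        } catch {
            "second hop to $Target FAILED: $($_.Exception.Message)"
        }
    } -ArgumentList $ThirdHost
}
Test-SecondHop -ComputerName 'WS01' -Credential $joinCred

# 3. Workaround from the post: PowerShell Direct on a Hyper-V host.
#    Add-Computer runs inside the guest, which talks to the DC itself, so there is only
#    one network hop and no delegation is needed. Run this on the Hyper-V host.
Invoke-Command -VMName 'WS01' -Credential $localCred -ScriptBlock {
    param($Domain, $Cred)
    Add-Computer -DomainName $Domain -Credential $Cred -PassThru -Verbose
} -ArgumentList 'corp.example', $joinCred
```

If step 1 returns ACCESS DENIED while step 3 succeeds with the same domain credential, the join account is fine and the problem is authentication to the target itself (the -LocalCredential side); if step 2 reports a failed second hop, that is the delegation limit the post describes, and it would only matter when Add-Computer is run from inside a remoting session rather than with -ComputerName.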
It is not a 2nd hop, since the syntax for that cmdlet is like that; the problem here is permissions. I have no clue why I get an access denied error when I’m using the proper credentials and privileges.
I don’t know how this would help, having the credentials in variables, that is.
Anyway, this seems to be a credentials issue, but only when it is done remotely. I’ll keep playing with it and hopefully find an answer. What bothers me, though, is that I’m following the syntax and process to the letter and it fails.
Thanks