privileges and ldap commands

by Trepidation at 2013-01-11 15:21:58

Argh, 3rd time writing this, 1st time was too packed with… superfluous information, 2nd got eaten by phpbb

Anyways, I have a powershell script that runs after I image a windows7 workstation. Once the machine boots up, it prompts me to name it, then performs an autologin as the administrator account and runs the script. For the most part, the script asks for credentials to join the domain (and joins) and then installs whatever applications it needs depending on if it is a laptop/desktop/tablet and so on.

I was wondering if there was a way I could use the credentials supplied to issue ldap commands to delete the computer name from AD if the PC I am trying to join to the domain already exists. I say ldap, because I am not aware of any other way to do this with the built in components of the workstation. Sorry if I use any incorrect terms, I am just trying to smooth out a process for reimaging.

by DonJ at 2013-01-11 15:29:16

There are probably options. If you can enable Remoting on a Win2008R2 or Win2012 domain controller, your client could use Invoke-Command - which accepts credentials - over to the DC, and ask the DC to run Remove-ADComputer. That’d be "the right way" to do this. You’d only need one DC for that, and just hardcode that DC’s name into the script. You wouldn’t need the AD commands on the client - just PowerShell, which you’ve got.

Short of getting really gnarly into the .NET Framework, there’s not an easy way in PowerShell to specify an alternate credential for an LDAP connection. Now, if you’re already deep in the Framework and don’t mind getting deeper, hie yourself over to where the .NET nerds hang out and see what they say.

by Infradeploy at 2013-01-14 04:08:13

With adsisearcher you can supply alternate credentials:

# Pass the user name and password into the context; the entry returned by GetDirectoryEntry() binds with them
$cred = Get-Credential
$domainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext("Domain", "domain.local", $cred.UserName, $cred.GetNetworkCredential().Password)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($domainContext)
$root = $domain.GetDirectoryEntry()
$ds = [adsisearcher]$root
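Putting the two replies together for the original question, here is an added example (not code from anyone in this thread) that binds with the credentials the imaging script already collects, looks up the computer object by sAMAccountName, and deletes it only when exactly one match is found. The function name, the default domain "domain.local" and the rights of the supplied account are assumptions; it honours -WhatIf so the imaging script can dry-run it first.

```powershell
# Added example; Remove-StaleComputerObject is a hypothetical name, not a built-in cmdlet.
# Assumes the credential can delete computer objects in the OU where the stale one lives.
function Remove-StaleComputerObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # NetBIOS computer names are 1-15 chars of letters, digits and hyphens; validating
        # here also keeps LDAP filter metacharacters like * ( ) \ out of the query.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$ComputerName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential,
        [string]$Domain = 'domain.local'   # assumption: replace with the real DNS domain name
    )

    # Bind to the domain root with the alternate credentials instead of the autologon
    # admin's context. "LDAP://<domain>" lets the DC locator pick a writable DC.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)

    # Computer accounts have sAMAccountName "<NAME>$"; the trailing $ is escaped for PowerShell.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName')) | Out-Null
    $results = $searcher.FindAll()

    try {
        if ($results.Count -eq 0) {
            Write-Verbose "No computer object named $ComputerName exists; nothing to remove."
            return $false
        }
        if ($results.Count -gt 1) {
            # Should never happen for sAMAccountName, but refuse rather than guess.
            throw "Expected one match for $ComputerName, found $($results.Count); refusing to delete."
        }
        $dn = $results[0].Properties['distinguishedname'][0]
        if ($PSCmdlet.ShouldProcess($dn, 'Delete computer object')) {
            # The entry from the search result reuses the searcher's credentials.
            # DeleteTree removes the object and any children (e.g. service connection points).
            $results[0].GetDirectoryEntry().DeleteTree()
        }
        return $true
    }
    finally {
        $results.Dispose()
    }
}

# In the imaging script, before Add-Computer (the same $cred used for the domain join):
# $cred = Get-Credential
# Remove-StaleComputerObject -ComputerName $env:COMPUTERNAME -Credential $cred -Verbose -WhatIf
```

Drop -WhatIf once the dry run reports the expected distinguished name; the password only lives in memory for the bind and is never written to disk.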