
Join a Computer to a domain with VBScript


When deploying large numbers of computers, there are several methods of joining a machine to a domain.  Since I am a big fan of VBScript (shhh!), I use this method to join the machine.

This VBScript works in all versions of Windows, from Win95 to present day. You should be able to inject this script at the end of your deployment process in order to automatically join the machine to the domain after deployment.

I know this isn't magic by any means, but I've been asked for it more than twice, so here it is for everyone.  Any questions, post a comment here or in the forums.

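' Option flags for JoinDomainOrWorkGroup (only the first two are used below)
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144

' Domain to join and the account used for the join.
' These values are stored in plain text in this file.
strDomain = "YourDomainName"
strPassword = "ServiceAccountPassword"
strUser = "ServiceAccount"

' Name of the local computer
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' Bind to this computer's Win32_ComputerSystem instance through WMI
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
    strComputer & "'")

' Join the domain and create the computer account; the result is kept in ReturnValue
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
    strPassword, strDomain & "\" & strUser, Null, _
    JOIN_DOMAIN + ACCT_CREATE)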

What's Happening

The first section of the script sets some constants.  Not all of these constants are needed for this short little script, but I've included them all here for completeness.  The only two that are used for this function are JOIN_DOMAIN and ACCT_CREATE.  These are pretty self-explanatory, I think.

The second section sets up some variables, namely the domain name you are joining to, and authentication information (username and password) for an account that has the necessary permissions to join a machine to the domain.  Note that you should not utilize an account that has elevated permissions.  This account should be a domain user that does not have the "10-join limit" of regular accounts.  In all other aspects, the account shouldn't have any further rights.  Not even interactive login permissions. Why?  Because you're storing the authentication information in plain text, in a file.

Next, we are grabbing the name of the local computer, and setting up impersonation.  This will be used in the join/create operation.

Finally, the join/create operation is executed, with the returned success/fail value stored in a variable, in case you want to perform some other function depending on the outcome of the operation.
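
One way to act on the returned value, as an added example that is not part of the original post: the join is repeated with the same placeholder values, the result is translated into text, written to the Application event log without the password, and passed back as the script's exit code. DescribeJoinResult is a hypothetical helper name; the codes it maps are the Win32 error numbers Microsoft documents as return values for this method.

```vbscript
' Added example: check and record the result of JoinDomainOrWorkGroup.
Option Explicit
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const EVT_SUCCESS = 0   ' WshShell.LogEvent type: success
Const EVT_ERROR = 1     ' WshShell.LogEvent type: error

Dim strDomain, strUser, strPassword, strComputer, objComputer, rc, msg
strDomain = "YourDomainName"            ' placeholders, as in the script above
strUser = "ServiceAccount"
strPassword = "ServiceAccountPassword"

' Hypothetical helper: map documented return values to readable text.
Function DescribeJoinResult(code)
    Select Case code
        Case 0    : DescribeJoinResult = "Success"
        Case 5    : DescribeJoinResult = "Access is denied"
        Case 87   : DescribeJoinResult = "The parameter is incorrect"
        Case 1323 : DescribeJoinResult = "Unable to update the password"
        Case 1326 : DescribeJoinResult = "Logon failure: unknown user name or bad password"
        Case 1355 : DescribeJoinResult = "Domain does not exist or could not be contacted"
        Case 2224 : DescribeJoinResult = "The account already exists"
        Case 2691 : DescribeJoinResult = "The machine is already joined to the domain"
        Case Else : DescribeJoinResult = "Unexpected error"
    End Select
End Function

strComputer = CreateObject("WScript.Network").ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")
rc = objComputer.JoinDomainOrWorkGroup(strDomain, strPassword, _
    strDomain & "\" & strUser, Null, JOIN_DOMAIN + ACCT_CREATE)

' Record the outcome in the Application event log. The message names the
' computer, domain and account, but never the password.
msg = "Domain join of " & strComputer & " to " & strDomain & " as " & _
    strUser & ": " & DescribeJoinResult(rc) & " (return value " & rc & ")"
If rc = 0 Then
    CreateObject("WScript.Shell").LogEvent EVT_SUCCESS, msg
Else
    CreateObject("WScript.Shell").LogEvent EVT_ERROR, msg
End If

' A non-zero exit code lets the deployment task detect a failed join.
WScript.Quit rc
```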

About this post

Posted: 2013-10-21
By: dwirch

Categories

Tip

Scripting

Visual Basic Script (VBS)

Windows


Comments

AnonymousCoward posted this comment on 2016-04-21:

I noticed that the code there may be compatible with Windows 7 or lower. Would the same code be used for Windows 10, or are there any modifications to the script? I tried to make changes to the script whilst trying to run it on a Windows 10 PC and so far nothing has happened. The most I got was a message saying return value = 5, I clicked OK and it shut down on me. Does anyone know a solution?

AnonymousCoward posted this comment on 2017-09-07:

Value = 5 means access denied; make sure the user ID you are using has access to add a computer to the domain.
