Join a Computer to a domain with VBScript

By dwirch | 2013-10-21

When deploying large numbers of computers, there are several methods of joining a machine to a domain.  Since I am a big fan of VBScript (shhh!), I use this method to join the machine.

This script relies on the JoinDomainOrWorkgroup method of the WMI class Win32_ComputerSystem, which is available on Windows XP / Server 2003 and later; it does not exist on Windows 9x, where there is no WMI to speak of. You should be able to inject this script at the end of your deployment process, running under a local administrator account (joining a domain requires local admin rights), in order to automatically join the machine to the domain after deployment.

I know this isn't magic by any means, but I’ve been asked for it more than twice, so here it is for everyone.  Any questions, post a comment here or in the forums.

' Join option flags for JoinDomainOrWorkgroup (same values as the NetJoinDomain
' NETSETUP_* flags). Only JOIN_DOMAIN and ACCT_CREATE are used below.
Const JOIN_DOMAIN = 1
Const ACCT_CREATE = 2
Const ACCT_DELETE = 4
Const WIN9X_UPGRADE = 16
Const DOMAIN_JOIN_IF_JOINED = 32
Const JOIN_UNSECURE = 64
Const MACHINE_PASSWORD_PASSED = 128
Const DEFERRED_SPN_SET = 256
Const INSTALL_INVOCATION = 262144
 
' Domain to join and the service account allowed to create computer objects.
' Note: the password is stored here in plain text (see the discussion below).
strDomain = "YourDomainName"
strPassword = "ServiceAccountPassword"
strUser = "ServiceAccount"
 
' Name of the local machine, used to bind to its own Win32_ComputerSystem instance.
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName
 
' Bind to WMI on the local machine with impersonation, so the join runs with
' the rights of the (local administrator) account executing this script.
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & _
strComputer & "'")
 
' Parameters: domain name, password, DOMAIN\user, target OU (Null = default
' Computers container), join flags. Returns 0 on success, otherwise a Win32 error code.
ReturnValue = objComputer.JoinDomainOrWorkGroup(strDomain, _
strPassword, strDomain & "\" & strUser, NULL, _
JOIN_DOMAIN + ACCT_CREATE)

What’s Happening

The first section of the script sets some constants.  Not all of these constants are needed for this short little script, but I’ve included them all here for completeness.  The only two that are used for this function are JOIN_DOMAIN and ACCT_CREATE, which are pretty self explanatory: join the domain, and create the computer account while doing so.  One caveat: with ACCT_CREATE set, the join fails with error 2224 (NERR_UserExists) if a computer account with that name already exists in the directory, for instance one pre-staged by an administrator or left over from an earlier build.  In that case the machine has to be joined without ACCT_CREATE, so that the existing account is reused.

The second section sets up some variables, namely the domain name you are joining, and authentication information (username and password) for an account that has the necessary permissions to join a machine to the domain.  Note that you should not use an account that has elevated permissions.  This account should be a plain domain user that has been delegated the “Create Computer objects” permission on the OU the machines land in, so it is not bound by the default limit of 10 joins per user (the ms-DS-MachineAccountQuota attribute of the domain).  In all other respects, the account shouldn’t have any further rights.  Not even interactive logon permissions.  Why?  Because you’re storing the authentication information in plain text, in a file, and anyone who can read that file (or the deployment share it lives on) gets the credential.  Restrict read access to the script accordingly, and treat the password as compromised and rotate it if the file ever leaks.

Next, we are grabbing the name of the local computer and binding to WMI on it with impersonation enabled.  Impersonation here means the WMI call runs with the rights of the account executing the script (which must be a local administrator); the domain credentials passed to the join method are a separate thing and are only used against the domain controller.  This WMI object will be used in the join/create operation.

Finally, the join/create operation is executed, with the returned value stored in a variable in case you want to perform some other action depending on the outcome of the operation.  A return value of 0 means success; anything else is a Win32 error code (for example 1326 for bad credentials, 5 for access denied).  Note that the method does not reboot the machine: the join only takes effect after a restart, so your deployment process has to reboot the computer afterwards.
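The following is an added example (not the original post's script) showing the same join with the practitioner's extras discussed above: the password is taken from an environment variable set by the deployment tool rather than being stored in the file, the machine is placed in a specific OU, an already-joined machine is skipped, an already-existing computer account (error 2224) is handled by joining without ACCT_CREATE, and the return value is mapped to a message and an exit code. The domain name, OU, account name and the JOIN_PASSWORD variable name are assumptions for illustration.

```vbscript
' Added example, not the original post's code.
' Usage (as a local administrator, e.g. from the deployment task sequence):
'   set JOIN_PASSWORD=<password>
'   cscript //nologo JoinDomain.vbs contoso.local "OU=Workstations,DC=contoso,DC=local" svc_join
' Domain, OU, account and variable names above are assumptions.
Option Explicit

' Join flags (NETSETUP_* values)
Const JOIN_DOMAIN           = 1
Const ACCT_CREATE           = 2
Const DOMAIN_JOIN_IF_JOINED = 32

' Return codes worth handling explicitly
Const NERR_UserExists          = 2224  ' computer account already exists in AD
Const NERR_SetupAlreadyJoined  = 2691  ' machine is already joined to a domain
Const ERROR_ACCESS_DENIED      = 5
Const ERROR_LOGON_FAILURE      = 1326  ' bad service-account credentials
Const ERROR_NO_SUCH_DOMAIN     = 1355  ' domain not found / no DC reachable

Dim objArgs, strDomain, strOU, strUser, strPassword
Set objArgs = WScript.Arguments
If objArgs.Count < 3 Then
    WScript.Echo "Usage: cscript JoinDomain.vbs <domain> <OU distinguished name> <user>"
    WScript.Quit 2
End If
strDomain = objArgs(0)
strOU     = objArgs(1)
strUser   = objArgs(2)

' The password comes from the environment, not from the script file.
Dim objShell
Set objShell = CreateObject("WScript.Shell")
strPassword = objShell.ExpandEnvironmentStrings("%JOIN_PASSWORD%")
If strPassword = "%JOIN_PASSWORD%" Or strPassword = "" Then
    WScript.Echo "JOIN_PASSWORD environment variable is not set"
    WScript.Quit 2
End If

' Bind to this machine's Win32_ComputerSystem instance with impersonation.
Dim strComputer, objComputer
strComputer = CreateObject("WScript.Network").ComputerName
Set objComputer = GetObject("winmgmts:{impersonationLevel=Impersonate}!\\" & _
    strComputer & "\root\cimv2:Win32_ComputerSystem.Name='" & strComputer & "'")

' Skip the work if the machine is already a member of the target domain.
If objComputer.PartOfDomain Then
    If LCase(objComputer.Domain) = LCase(strDomain) Then
        WScript.Echo strComputer & " is already joined to " & strDomain
        WScript.Quit 0
    End If
End If

' First attempt: join and create the computer account in the given OU.
Dim ReturnValue
ReturnValue = objComputer.JoinDomainOrWorkgroup(strDomain, strPassword, _
    strDomain & "\" & strUser, strOU, JOIN_DOMAIN + ACCT_CREATE)

' A pre-staged or leftover account makes ACCT_CREATE fail with 2224;
' retry and reuse the existing account (the OU argument only applies on create).
If ReturnValue = NERR_UserExists Then
    WScript.Echo "Computer account already exists; joining with the existing account"
    ReturnValue = objComputer.JoinDomainOrWorkgroup(strDomain, strPassword, _
        strDomain & "\" & strUser, Null, JOIN_DOMAIN)
End If

strPassword = ""  ' drop the secret as soon as it is no longer needed

Select Case ReturnValue
    Case 0
        WScript.Echo "Joined " & strDomain & " successfully; reboot required to complete the join"
    Case NERR_SetupAlreadyJoined
        WScript.Echo "Already joined to another domain; add DOMAIN_JOIN_IF_JOINED to move it (error 2691)"
    Case ERROR_ACCESS_DENIED
        WScript.Echo "Access denied: check the service account's rights on the OU (error 5)"
    Case ERROR_LOGON_FAILURE
        WScript.Echo "Bad credentials for " & strDomain & "\" & strUser & " (error 1326)"
    Case ERROR_NO_SUCH_DOMAIN
        WScript.Echo "Domain " & strDomain & " could not be found (error 1355)"
    Case Else
        WScript.Echo "Join failed with Win32 error " & ReturnValue
End Select

WScript.Quit ReturnValue
```

Run it with cscript so the messages go to the console and the exit code is available to the deployment tool; a non-zero exit code is the raw error number, so the task sequence can branch on it. Reusing an existing account on the retry requires the service account to have rights to reset that computer object's password, which is a separate delegation from creating new objects.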

Author: dwirch

Derek Wirch is a seasoned IT professional with an impressive career dating back to 1986. He brings a wealth of knowledge and hands-on experience that is invaluable to those embarking on their journey in the tech industry.
