Batch File to Prestage a Computer Account

Posted on by Alan

Batch files are not dead.  Microsoft has said that batch files, and vbscript will be supported into the indefinite future.  And I still write an occasional batch file because the really are quick and easy.  I use the .CMD extension, instead of .BAT, but it does not really matter in execution.

Recently I was asked to write something that would allow for prestaging a computer account in Active Directory.   The code works but is painfully slow.  Still, you may find it useful in your environment.  You could use it with a FOR command to run it against a list of machines overnight: 

@echo off
:: Alan Kaplan, loosely based on 
::http://social.technet.microsoft.com/Forums/en-PH/winserverDS/thread/f0c54de7-3f19-4502-958d-00b4a24a1b03
cls
setlocal
:: ************* mandatory edits here ******************
rem omit LDAP://
set NewPCOU=OU=Windows 7,OU=Test Lab,DC=contoso,DC=com
rem this is the group to grant permission to join
set UserOrGroup=alan.kaplan@contoso.com
:: ********** end edits ******************************

if %1z == z echo PC Accounts will be added to "%NewPCOU%"
if %1z == z echo Granting permissions to %UserOrGroup%
if %1z == z set /p PCName=Add what computer account? &goto AddPC
set PCName=%1

:AddPC
set ComputerDN=cn=%PCName%,%NewPCOU%
dsadd computer "%ComputerDN%"
Echo Granting Permissions to %UserOrGroup%

REM full control of object.  This is really slow ....
dsacls "%ComputerDN%" /G %UserOrGroup%:GA

REM specific join computer rights
REM This is 6 times slower than full control
REM dsacls "%ComputerDN%" /G %UserOrGroup%:CALCGRSDDTRC;;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;description;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;sAMAccountName;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;displayName;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WP;userAccountControl;
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WS;"Validated write to service principalname";
REM dsacls "%ComputerDN%" /G %UserOrGroup%:WS;"Validated write to DNS host name";

cls 
echo %PCName% added to %NewPCOU%
echo Granted permissions to %UserOrGroup% 
echo %NewPCOU%
:end
endlocal

You will need to edit the script to make it work.  I have set it to Full Permissions, but as  you can see, you can switch to more granular permissions.

Leave a Reply

Terms and Conditions - Privacy Policy