I am running a task sequence to decommission the computers on the network (format disk etc. but no OS installation). During this process I want to disable the computer account in AD on which that task sequence is running.
I've written a VBScript that gets the computer DN, connects to AD and tries to disable the object. The script looks something like this:
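' Bind to the computer object in AD through the ADSI LDAP provider
Set objComputer = GetObject("LDAP://" & computerDN)
objComputer.AccountDisabled = True
objComputer.Put "Description", "Decommissioned"
' Commit the cached property changes to the directory
objComputer.SetInfo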
When I run this script in a task sequence step, it throws a "general access denied" error. The script successfully updates the description if I remove the line: objComputer.AccountDisabled = True
My thoughts are that the Task Sequence runs under the "Local System" account and the "Local System" account has full permissions on its computer account in AD. Correct me if I am wrong please.
I can run the script under any other domain admin account (run as command line), but I don't see any reason to do this if the above is true (and it is true in the case where I only update the description).
Any thoughts/ideas will be much appreciated. This Task Sequence step runs in Full Windows mode (not WinPE).