add domain group to local admins using powershell during OSD

[alexferrie]

I'm trying to run a script which will create a group within Active Directory, specific to the server being deployed in an OSD TS, and then add that group to the local admins on the server. The TS completes successfully but the group isn't created, no error is recorded in smsts log file. I can run the script manually on the server after the build completes, so the actual powershell code works, but it fails to do what it's meant to do during OSD. Anyone had any experience of anything similar to this (script is listed below)?

 

#Add Active Directory server admin groups to local administrators
#The script connects to AD, checks for the existence of the groups, creates them if necessarry, then adds them to the local admin
#If the server is in the Test or Dev domains, the additional Domain Local group to allow for permissions to be granted to prod
#domain accounts

#check if the Active Directory powershell module has been imported, import if required.

if (@(get-module | where-object{$_.name -eq "ActiveDirectory"}).count -eq 0)
{
import-module activedirectory
}

#set variables to be used in the script
$comp = gc env:computername
[string]$domainname = (get-addomain -identity (gwmi Win32_ComputerSystem).Domain).NetBIOSName
[string]$domaindn=([adsi]("LDAP://ROOTDSE")).defaultnamingcontext
$domaindn=$domaindn.tostring().toupper()
$path=",OU=Local Server Administration,OU=groups,"+$domaindn
$ggroup = "<groupname>-"+$comp
$ggroupdn="CN="+$ggroup+$path
$dlgroup = "<groupname>-"+$comp+"-L"
$dlgroupdn="CN="+$dlgroup+$path

switch -wildcard ($domaindn)
{
"*DEV" {[string]$pdc=(get-addomain <devdomain>).PDCEmulator}
"*TEST" {[string]$pdc=(get-addomain <testdomain>).PDCEmulator}
"*PROD" {[string]$pdc=(get-addomain <proddomain>).PDCEmulator}
}

#check for the existence of the AD security group, create it if needed
$checkgroup=get-adgroup -server $pdc -filter{name -eq $ggroup}
if ($checkgroup -eq $null)
{
$Description = "Local administration rights to " + $comp
dsadd group $ggroupDN -samid $ggroup -desc $Description -s $pdc -u <user> -p <password>
start-sleep -seconds 15
}

# Add AD group to local administrators on the server

#check if this is the prod domain, if not then create the domain local groups
#if prod then add <server admins> group to local administrators
if($domaindn -ne "<prod domain DN>")
{
$checkgroup=get-adgroup -server $pdc -filter {(name -eq $dlgroup)}
if ($checkgroup -eq $null)
{
$Description = "Local administration rights to " + $comp + " for Prod Domain"
dsadd group $dlgroupDN -samid $dlgroup -scope l -desc $Description -s $pdc -u <user name> -p <Password>
start-sleep -seconds 15
}

}
else
{

}

[Iroqouiz]

Are you running the script in the TS as a user who has modify access to the AD? Otherwise the step is run as the System account on the local machine.

[alexferrie]

Hi, the script is run as a user with domain admin rights, but username and password are explicitly provided for the dsadd commands.