I have a Microsoft domain (mostly 2008r2\7).
I'm looking for a way to run a script immediately after (the restart after) joining a domain (without requiring user login), and so far I've failed.
Also, I want it to run only once, so scheduling a repeated task is not an option.
It just seems to me a waste to let it run over and over again.
I've tried a GPO with startup script, but when the computer receives the GPO it's way after the startup.
I've also tried a GPO with a scheduled task (with different triggers), but they didn't work either:
"At startup" trigger fails same as the startup script.
"At Task creation" fails, I guess because it's not created the usual way.
"At schedule" is irrelevant, because I need it to run right after joining (and setting a date that had already passed didn't work).
Couldn't find any relevant registry keys, but I assume they would have the same problem as the GPO startup script.
The only idea that might do what I need is attaching a task to the relevant event on the DCs, and run the script remotely.
Any better suggestions?
--Edit--
By the answers (which are great, but don't quite cut it), I have a few points to add:
1. The question applies to both servers (2008r2\2012\2012r2), though I've tested only on 2012r2.
2. I'm looking for a more runonce-like solution, meaning I don't want it to run endlessly until some condition is fulfilled.
3. We use images to deploy servers and workstations, but I can't use a solution that involves editing them because a) that would require me to update them each time I need to change something in my script, and b) BYODs.
4. We don't use a joining script (we simply don't need one...), so starting to use one seems to me a waste. Also, there are a few problems with it (e.g. where should I put it? In the image? In a shared location? What about BYODs? That would defeat point 3).
Thanks.
Add a custom registry key to your build image, just a simple '1' value somewhere.
Add a scheduled task to the build image that checks for the registry key value, and add a check for your domain name in this registry key:
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
If it finds both, run your script, then change the custom registry key to 0 on completion. Have this task run at startup.
You can either then leave this task in place as is, or have a GPO that deletes the scheduled task. However, if you leave it in place and you ever need to rerun the script, you can just change the registry key back to 1 and reboot.
A slight security concern is that the scheduled task will need to run as a local administrator account.
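The check described in this answer, written out as an added PowerShell example (not the answerer's own code). It assumes a flag key HKLM:\SOFTWARE\Contoso\PostJoin with a DWORD value "Pending", an expected domain of corp.example.com, and a payload script at C:\Scripts\PostJoin.ps1; all three names are placeholders.

```powershell
# Added example: one-shot "run after domain join" wrapper, meant to be launched by a
# startup-triggered scheduled task.  Names below are assumptions, not from the answer.
$FlagKey    = 'HKLM:\SOFTWARE\Contoso\PostJoin'   # custom flag key baked into the image
$FlagName   = 'Pending'                            # 1 = still to run, 0 = done
$Expected   = 'corp.example.com'                   # domain the machine should have joined
$ScriptPath = 'C:\Scripts\PostJoin.ps1'            # the real post-join script
$TcpipKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# 1. Is the one-shot flag still 1?  If not, this boot has nothing to do.
$flag = (Get-ItemProperty -Path $FlagKey -Name $FlagName -ErrorAction SilentlyContinue).$FlagName
if ($flag -ne 1) { exit 0 }

# 2. Has the join actually happened?  The "Domain" value under Tcpip\Parameters holds the
#    primary DNS suffix, which the domain join sets; an empty or wrong value means "not yet".
$domain = (Get-ItemProperty -Path $TcpipKey -Name 'Domain' -ErrorAction SilentlyContinue).Domain
if ([string]::IsNullOrEmpty($domain) -or ($domain -ne $Expected)) { exit 0 }

# 3. Run the payload.  The flag is cleared only on success, so a failed run is retried
#    at the next startup instead of being silently lost.
$global:LASTEXITCODE = 0
& $ScriptPath
if ($? -and ($LASTEXITCODE -eq 0)) {
    Set-ItemProperty -Path $FlagKey -Name $FlagName -Value 0 -Type DWord
}

# Registering the startup task on the image (run once from an elevated prompt).
# Running as SYSTEM avoids storing a local administrator password in the task.
# $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                  -Argument '-NoProfile -File C:\Scripts\PostJoinCheck.ps1'
# $trigger   = New-ScheduledTaskTrigger -AtStartup
# $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Register-ScheduledTask -TaskName 'PostJoinOnce' -Action $action -Trigger $trigger -Principal $principal
```

Because the task runs with high privilege, keep C:\Scripts writable by administrators only so a standard user cannot swap the payload before the next boot. The ScheduledTasks cmdlets need Windows 8 / Server 2012 or later; on 2008 R2 register the same task with schtasks.exe.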
Don't you need to reboot after joining the domain anyway? If you created a startup script, it would apply right after that reboot, when it loads the other group policy objects.
How are you joining the domain now? You could also integrate joining the domain into your script. With PowerShell this is done with Add-Computer, from the command-line you can use netdom.
Usually you would integrate this into your task sequence, if you are using a configuration management tool.
How is the join being performed? Manual GUI interaction or via a script? If a script, add a line to the join script to have your 2nd script run via the RunOnce registry key.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce https://msdn.microsoft.com/en-us/library/windows/desktop/aa376977%28v=vs.85%29.aspx
---BEGIN EDIT---
Doh! Right
Thinking about your comment on the GPO apply being delayed... I work primarily on Server OS which does Synchronous GPO processing. Workstations do async. Try this to get async:
In your build process/image try disabling "Fast Logon Optimization" https://technet.microsoft.com/en-us/magazine/gg486839.aspx
Computer Configuration\Administrative Templates\System\Logon
Always wait for the network at computer startup and logon = Enabled
Create a GPO Startup Script GPO:
Computer Config/Policies/Windows Settings/Scripts/Startup
Inside of the script you define there, use this code:
I used to work in schools.
And we automated the join and scripting process (having a perfect image to deploy that lasts over years may be utopian). So we used WDS/MDT to deploy.
We filled in the .xml answer file, so our multicast images deployed are joined into an OU (Organisational Unit) named Install, and we applied a GPO for final scripting and moving out of the Install OU.
That way we only have to rename the workstation with the right name and place it in the right OU.