I am installing a new VM lab: a few Windows 2016 servers and an AD forest. Part of the lab is installing a DC in the new forest. I have no issue with the feature installation and promotion.
My problem: I want to create directory users immediately after creating the DC.
I need to reboot the server to add AD users, so I am trying to use PowerShell to schedule a task or a job to start on next startup with a script to create the relevant user. I understand "RunOnce" is considered an older option, so I didn't consider it.
I have no issues with the PowerShell commands, but with the user that should run the task or job. Or maybe I just didn't use the commands correctly, but logically... The task I am trying to register cannot use localsystem as it won't do. It actually registers successfully, including "run as admin", and it is configured to run "whether user is logged in or not", but after boot that job and task (tried both) didn't do anything, probably due to lack of permission to add users to the directory.
I tried running the scheduled task with my user but when it is still set to run as local system, in a weird way it worked, probably impersonation or something, I don't know.
If I try to use the local user, it will disappear right after promotion, and I cannot use the domain admin that is configured with the promotion because registering jobs or tasks tries to validate that the user credentials are actually right, and that is run before the promotion. I also tried to run it afterwards; it doesn't work. If I run the same script myself after startup, that works.
I was hoping somebody would share his insights. I literally tried many options.
Edit: I think I will try to schedule a task to run with localsystem but let it run a script that invokes a command with the necessary privileges. I think that is the only way; any other use won't do. I am currently debugging without a reboot after forest creation: using psexec I log in with local system and try to create the scheduled task, and it doesn't allow the local admin nor the domain admin credentials. When I tried to run a runas command to open cmd, it did accept it, but it took a long while, like a minute; the other tries were quick. Weird... maybe results of doing dcpromo.
If you use MDT you should be able to create users post forest creation so long as you put the new forest admin creds in that part of the task sequence.
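
An added example, not code from anyone in this thread: one way to build the startup task the question's edit describes without storing any domain admin password on disk. It assumes the ActiveDirectory module is installed with the AD DS role and that the SYSTEM account on the promoted DC is allowed to create the users; the folder, task name and user names are hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the new DC before its reboot.
# Hypothetical names: C:\LabSetup, CreateLabUsers, lab.user1, lab.user2.
$dir      = 'C:\LabSetup'
$script   = Join-Path $dir 'Create-LabUsers.ps1'
$taskName = 'CreateLabUsers'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# The task runs as SYSTEM on a DC, so only SYSTEM and Administrators may touch the script.
icacls $dir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Script executed at startup. Single-quoted here-string: nothing is expanded now.
@'
Start-Transcript -Path C:\LabSetup\Create-LabUsers.log -Append
Import-Module ActiveDirectory

# Directory services may not answer right after boot: retry for up to 10 minutes.
$deadline = (Get-Date).AddMinutes(10)
$ready = $false
while (-not $ready -and (Get-Date) -lt $deadline) {
    try   { Get-ADDomain -ErrorAction Stop | Out-Null; $ready = $true }
    catch { Start-Sleep -Seconds 15 }
}
if (-not $ready) { Write-Error 'AD did not become reachable'; Stop-Transcript; exit 1 }

# Idempotent: skip accounts that already exist. Accounts are created disabled and
# without a password, so no secret is written into this file.
foreach ($name in 'lab.user1', 'lab.user2') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Enabled $false
    }
}

# One-shot behaviour: remove the task once the users exist.
Unregister-ScheduledTask -TaskName 'CreateLabUsers' -Confirm:$false
Stop-Transcript
'@ | Set-Content -Path $script -Encoding UTF8

# Register the task to run at startup as SYSTEM (no credentials to validate or store).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal
```

The transcript at `C:\LabSetup\Create-LabUsers.log` shows whether the task fired and whether the directory answered before the timeout, which separates a timing failure from a permission failure.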