
Sometimes it’s useful to pre-create computer objects in the correct OU before joining them to the domain.  This way, you know that they will immediately pick up whatever Group Policies have been assigned to the OU.  Of course, you can create the computer objects in AD manually using Active Directory Users and Computers (dsa.msc) or the new Active Directory Administrative Center (dsac).  However, if you’ve got more than a few computer objects to create, it might be helpful to have a script.  Here’s a PowerShell 1.0 sample:

##########################################################
# Name: PreSeedComputerObjects.ps1
# Author: Tony Murray
# Version: 1.0
# Date: 12/04/2010
# Comment: PowerShell 1.0 script to
# pre-create AD Computer objects from csv file
#
#########################################################

# Set the target OU where the computer objects will be created
$ComputerOU = [ADSI]"LDAP://OU=Workstations,DC=contoso,DC=com"

# Specify the folder and CSV file to use
$folder = "C:\util\csv"
Set-Location $folder

$csv = Import-Csv "import.csv"

# Parse the CSV file line by line
foreach ($line in $csv) {
    # Assign variables to each attribute
    $ComputerName = $line.ComputerName
    $samname = $ComputerName + "$"
    $Computer = $ComputerOU.create("Computer", "cn=$ComputerName")

    # Populate the minimum set of attributes needed for computer objects
    # 4128 = 0x1020 = PASSWD_NOTREQD (0x20) | WORKSTATION_TRUST_ACCOUNT (0x1000)
    $Computer.put("sAMAccountName", $samname)
    $Computer.put("userAccountControl", 4128)
    # Commit the changes
    write-host "Adding $ComputerName to target OU"
    $Computer.setinfo()
    # Capture any errors (e.g. object already exists) and move on
    trap
    {
        write-host "Error: $_"
        continue
    }
}
#End

The format of the CSV file is simply as follows:

ComputerName
<netbios_name_of_computer>

e.g.
ComputerName
wkstn001
wkstn002
wkstn003

The only other point of interest is that we need to define the sAMAccountName and the userAccountControl attributes in the script.  The sAMAccountName is simply the NetBIOS name of the machine with a “$” suffix.  It is also important to specify an appropriate value for userAccountControl – in this case a decimal value of 4128, which corresponds to 0x1020 (hex) or (PASSWD_NOTREQD | WORKSTATION_TRUST_ACCOUNT).
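The following is an added example, not part of the original script: it decodes userAccountControl values such as 4128 into flag names and lists pre-created computer accounts that still carry PASSWD_NOTREQD, together with whether pwdLastSet is still 0 (no password set yet), so they can be reviewed once the machines have joined. The function names and the sample records are hypothetical and constructed for illustration, and the code assumes PowerShell 2.0 or later rather than 1.0.

```powershell
# Added example. Sample records are constructed, not from a real directory.
# Requires PowerShell 2.0 or later (ConvertFrom-Csv, -join, New-Object -Property).

# userAccountControl bits relevant to computer accounts
$UacFlags = @{
    'ACCOUNTDISABLE'            = 0x0002
    'PASSWD_NOTREQD'            = 0x0020
    'WORKSTATION_TRUST_ACCOUNT' = 0x1000
    'SERVER_TRUST_ACCOUNT'      = 0x2000
}

# Return the names of the known flags set in a userAccountControl value
function Get-UacFlagNames([int]$Uac) {
    $UacFlags.GetEnumerator() | Sort-Object Value |
        Where-Object { $Uac -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Summarise one computer record (hypothetical helper name)
function Get-PreStagedStatus($Record) {
    $uac = [int]$Record.userAccountControl
    New-Object PSObject -Property @{
        Name                = $Record.sAMAccountName
        Flags               = (Get-UacFlagNames $uac) -join ' | '
        PasswordNotRequired = [bool]($uac -band 0x0020)
        PasswordNeverSet    = ([int64]$Record.pwdLastSet -eq 0)
    }
}

# Constructed export: name, userAccountControl, pwdLastSet
$sample = @'
sAMAccountName,userAccountControl,pwdLastSet
wkstn001$,4128,0
wkstn002$,4096,129150000000000000
wkstn003$,4130,0
'@ | ConvertFrom-Csv

# Report every account that still carries PASSWD_NOTREQD
$sample | ForEach-Object { Get-PreStagedStatus $_ } |
    Where-Object { $_.PasswordNotRequired } |
    Format-Table Name, Flags, PasswordNeverSet -AutoSize

# Against a live domain, the same set can be selected with the LDAP
# bitwise-AND matching rule (32 = 0x20 = PASSWD_NOTREQD):
$filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))'
```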

As always, please let me know if you can think of ways to improve the script.  Yes, that includes you Brandon!

Note: When copying the script from the web site, replace the double-quotes before you try it. WordPress does some funky format changes!

5 Comments

  1. AD Goodies 4/15/2010 - The Experts Community says:

    [...] up new installation of Exchange 2007/2010. I really liked this PowerShell script from Tony Murray on seeding a test AD with computer accounts. Populating a test AD with user accounts is pretty easy and well documented. But don’t forget [...]

  2. Scotty says:

    Hey There,

    Thanks for sharing this example. Yup, pre-creating a computer account is certainly helpful, especially BEFORE joining them to the domain.

    I too occasionally blog on Powershell for Active Directory and would be happy to mention your tip on my blog sometime in the near future.

    Thanks again,
    - Scotty

  3. packettracer says:

    SO.. how about changing the user that can add the computer to the domain? The default is Domain Admins, but let’s say you had a specific user account used for adding PC to domain and you needed to specify that user account?

    Thanks!

  4. Sudheep says:

    As packettracer posted, is it possible to add a security group in the ACL list of the computer created as for allowing the member of that group to join the computer to domain, as it’s restricted the joining to domain to particular members in a security group.

  5. Script to change LDAP attributes says:

    [...] a script here which will create computer objects from a CSV file, and should give you the basic structure to work [...]
