script to disjoing/rejoin domain

IS it possible to have a script to disjoin and rejoin domain with an
encrypted password so that a user with low privileges can run it?

 

Hello joey,

By default a normal user can join 10 machines to a domain. What he can't
do is using an existing computer name. To remove a computer form the domain
you need a local admin account to bring the computer to a workgroup.

But why should a normal user do this tasks?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> IS it possible to have a script to disjoin and rejoin domain with an
> encrypted password so that a user with low privileges can run it?
>

 

we keep getting machines falling off domain. WE need normal user to be able
to take it to workgroup and then rejoin domain for now without calling
administrators
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
> Hello joey,
>
> By default a normal user can join 10 machines to a domain. What he can't
> do is using an existing computer name. To remove a computer form the
> domain you need a local admin account to bring the computer to a
> workgroup.
>
> But why should a normal user do this tasks?
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> IS it possible to have a script to disjoin and rejoin domain with an
>> encrypted password so that a user with low privileges can run it?
>>
>
>

 

Joey wrote:
> we keep getting machines falling off domain. WE need normal user to
> be able to take it to workgroup and then rejoin domain for now
> without calling administrators

Machines shouldn't just be 'falling off the domain' without reason. Probably
want to find and fix the cause rather than apply band-aids by circumventing
the join / disjoin methods.

> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
>> Hello joey,
>>
>> By default a normal user can join 10 machines to a domain. What he
>> can't do is using an existing computer name. To remove a computer
>> form the domain you need a local admin account to bring the computer
>> to a workgroup.
>>
>> But why should a normal user do this tasks?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> IS it possible to have a script to disjoin and rejoin domain with an
>>> encrypted password so that a user with low privileges can run it?

--
/kj

 

"Joey" <joey@joey.com> wrote in message
news:elnXPBqwJHA.1300@TK2MSFTNGP05.phx.gbl...
> we keep getting machines falling off domain. WE need normal user to be
> able to take it to workgroup and then rejoin domain for now without
> calling administrators

Please elaborate using technical terms exactly what "falling off the domain"
means.

Are there any issues with AD? Please post an ipconfig /all from one of your
DCs, and from a workstation, as well as any Event Log EventID errors that
exist on the DC and/or clients.

This info will help us diagnose any issues with AD.

Thanks,

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 

Hello joey,

As kj and Ace stated, a domain computer does not just fall out of the domain.
Plesae clarify this with error messages and what exactly happens.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> we keep getting machines falling off domain. WE need normal user to be
> able
> to take it to workgroup and then rejoin domain for now without calling
> administrators
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
>> Hello joey,
>>
>> By default a normal user can join 10 machines to a domain. What he
>> can't do is using an existing computer name. To remove a computer
>> form the domain you need a local admin account to bring the computer
>> to a workgroup.
>>
>> But why should a normal user do this tasks?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> IS it possible to have a script to disjoin and rejoin domain with an
>>> encrypted password so that a user with low privileges can run it?
>>>

 

What you need to do is resolve the problem!! Your computers & domain are
trying to tell you something. There is a problem that needs to be fixed.

Do the event logs on the client or the DCs tell you anything?

--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/

Joey wrote:
> we keep getting machines falling off domain. WE need normal user to be able
> to take it to workgroup and then rejoin domain for now without calling
> administrators
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
>> Hello joey,
>>
>> By default a normal user can join 10 machines to a domain. What he can't
>> do is using an existing computer name. To remove a computer form the
>> domain you need a local admin account to bring the computer to a
>> workgroup.
>>
>> But why should a normal user do this tasks?
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>
>>> IS it possible to have a script to disjoin and rejoin domain with an
>>> encrypted password so that a user with low privileges can run it?
>>>
>>
>
>


--

Regards,
Hank Arnold
Microsoft MVP
Windows Server - Directory Services
http://mypcassistant.blogspot.com/

 

machines are getting trust relationship has failed. User cannot log in. Have
to take it out of domain and then rejoin
"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:uNXfG1qwJHA.4980@TK2MSFTNGP02.phx.gbl...
> "Joey" <joey@joey.com> wrote in message
> news:elnXPBqwJHA.1300@TK2MSFTNGP05.phx.gbl...
>> we keep getting machines falling off domain. WE need normal user to be
>> able to take it to workgroup and then rejoin domain for now without
>> calling administrators
>
> Please elaborate using technical terms exactly what "falling off the
> domain" means.
>
> Are there any issues with AD? Please post an ipconfig /all from one of
> your DCs, and from a workstation, as well as any Event Log EventID errors
> that exist on the DC and/or clients.
>
> This info will help us diagnose any issues with AD.
>
> Thanks,
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
> aceman@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
>

 

"Joey" <joey@joey.com> wrote in message
news:O75Vtm1xJHA.4012@TK2MSFTNGP03.phx.gbl...
> machines are getting trust relationship has failed. User cannot log in.
> Have to take it out of domain and then rejoin


Would you like assistance to fix this problem? I think it would be
beneficial to find out why this is occuring instead of putting a big bandaid
on it.

If you would like assistance, please post the info I requested in my
previous post.

Ace

 

Hello joey,

You have to find the source of the problem and not play around with unnecessary
solutions. If a machine is joined to a domain it stays connected about years.
Mine's are running since i started 2002.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> machines are getting trust relationship has failed. User cannot log
> in. Have
> to take it out of domain and then rejoin
> "Ace Fekay [Microsoft Certified Trainer]"
> <aceman@mvps.RemoveThisPart.org>
> wrote in message news:uNXfG1qwJHA.4980@TK2MSFTNGP02.phx.gbl...
>> "Joey" <joey@joey.com> wrote in message
>> news:elnXPBqwJHA.1300@TK2MSFTNGP05.phx.gbl...
>>
>>> we keep getting machines falling off domain. WE need normal user to
>>> be able to take it to workgroup and then rejoin domain for now
>>> without calling administrators
>>>
>> Please elaborate using technical terms exactly what "falling off the
>> domain" means.
>>
>> Are there any issues with AD? Please post an ipconfig /all from one
>> of your DCs, and from a workstation, as well as any Event Log EventID
>> errors that exist on the DC and/or clients.
>>
>> This info will help us diagnose any issues with AD.
>>
>> Thanks,
>>
>> -- Ace
>>
>> This posting is provided "AS-IS" with no warranties or guarantees and
>> confers no rights.
>>
>> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
>> Microsoft Certified Trainer
>> aceman@mvps.RemoveThisPart.org
>> For urgent issues, you may want to contact Microsoft PSS directly.
>> Please check http://support.microsoft.com for regional support phone
>> numbers.
>>

 

these are virtual machines "natted" through the host pc to get to the
domain. But they are just falling off. I have no idea why
"Hank Arnold (MVP)" <rasilon@aol.com> wrote in message
news:O2gy58MxJHA.5244@TK2MSFTNGP06.phx.gbl...
> What you need to do is resolve the problem!! Your computers & domain are
> trying to tell you something. There is a problem that needs to be fixed.
>
> Do the event logs on the client or the DCs tell you anything?
>
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
> http://mypcassistant.blogspot.com/
>
> Joey wrote:
>> we keep getting machines falling off domain. WE need normal user to be
>> able to take it to workgroup and then rejoin domain for now without
>> calling administrators
>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>> news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
>>> Hello joey,
>>>
>>> By default a normal user can join 10 machines to a domain. What he can't
>>> do is using an existing computer name. To remove a computer form the
>>> domain you need a local admin account to bring the computer to a
>>> workgroup.
>>>
>>> But why should a normal user do this tasks?
>>>
>>> Best regards
>>>
>>> Meinolf Weber
>>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>>> confers no rights.
>>> ** Please do NOT email, only reply to Newsgroups
>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>
>>>> IS it possible to have a script to disjoin and rejoin domain with an
>>>> encrypted password so that a user with low privileges can run it?
>>>>
>>>
>>
>>
>
>
> --
>
> Regards,
> Hank Arnold
> Microsoft MVP
> Windows Server - Directory Services
> http://mypcassistant.blogspot.com/

 

Hello joey,

Again, please post the requested infos.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> these are virtual machines "natted" through the host pc to get to the
> domain. But they are just falling off. I have no idea why
> "Hank Arnold (MVP)" <rasilon@aol.com> wrote in message
> news:O2gy58MxJHA.5244@TK2MSFTNGP06.phx.gbl...
>> What you need to do is resolve the problem!! Your computers & domain
>> are trying to tell you something. There is a problem that needs to be
>> fixed.
>>
>> Do the event logs on the client or the DCs tell you anything?
>>
>> --
>>
>> Regards,
>> Hank Arnold
>> Microsoft MVP
>> Windows Server - Directory Services
>> http://mypcassistant.blogspot.com/
>> Joey wrote:
>>
>>> we keep getting machines falling off domain. WE need normal user to
>>> be
>>> able to take it to workgroup and then rejoin domain for now without
>>> calling administrators
>>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>>> news:ff16fb66207c78cb908e17b1dc1c@msnews.microsoft.com...
>>>> Hello joey,
>>>>
>>>> By default a normal user can join 10 machines to a domain. What he
>>>> can't do is using an existing computer name. To remove a computer
>>>> form the domain you need a local admin account to bring the
>>>> computer to a workgroup.
>>>>
>>>> But why should a normal user do this tasks?
>>>>
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and
>>>> confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> IS it possible to have a script to disjoin and rejoin domain with
>>>>> an encrypted password so that a user with low privileges can run
>>>>> it?
>>>>>
>> --
>>
>> Regards,
>> Hank Arnold
>> Microsoft MVP
>> Windows Server - Directory Services
>> http://mypcassistant.blogspot.com/

 

"Joey" <joey@joey.com> wrote in message news:%23$oT$DCyJHA.4272@TK2MSFTNGP06.phx.gbl...
> these are virtual machines "natted" through the host pc to get to the
> domain. But they are just falling off. I have no idea why


Domain communication traffic through a NAT is not supported, unless VPN is used between the NAT subnet and the main or outside (not internet) subnet. Thsi is because NAT does not support Kerberos, RPC or LDAP traffice.

The information you've provided in your thread is not enough to diagnose this issue. This is similar to visiting a doctor. You say it hurts. What hurts? We need blood work, blood pressure readings, etc (you catch the drift). In order to properly diagnose the issue, we do actually need configuration information, and the info that I previously asked for is paramount in a diagnosis or at least a good start. The info about the NAT setup is not a good sign, because of it's limited ability to traverse domain traffic, but there may be something I am not seeing, because of the limited info you've provided.

Can you describe this setup in more detail, including a logical (non-image) diagram including subnet IP ranges, what DNS address they are using, etc? Additional info:

Unedited ipconfig /all from a DC, from a working client and from the virtual client.
Event log errors, if any, from the DC, a working client and from the virtual client.

If you can't supply this information due to security or other reasons, I can understand. If this is the case, remove the NAT between the VMs and the main subnet, route them directly through, or make them part of the same subnet, and report back if it still occurs.

And as Meinolf mentioned, I also have customers with machines joined to their domain for a number of years, and this has never happened to me nor have I ever seen this issue before. That is why we believe it is a infrastructure DNS design/resolution issue, or something simple, such as trying to communicate through a NAT. The NAT seems to be a major reason sticking out right now.

Ace

 

Hello Ace Fekay [Microsoft Certified Trainer],

I think with "natted" he means the VM's ip address uses the physical host
NIC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> "Joey" <joey@joey.com> wrote in message
> news:%23$oT$DCyJHA.4272@TK2MSFTNGP06.phx.gbl...
>
>> these are virtual machines "natted" through the host pc to get to the
>> domain. But they are just falling off. I have no idea why
>>
> Domain communication traffic through a NAT is not supported, unless
> VPN is used between the NAT subnet and the main or outside (not
> internet) subnet. Thsi is because NAT does not support Kerberos, RPC
> or LDAP traffice.
>
> The information you've provided in your thread is not enough to
> diagnose this issue. This is similar to visiting a doctor. You say it
> hurts. What hurts? We need blood work, blood pressure readings, etc
> (you catch the drift). In order to properly diagnose the issue, we do
> actually need configuration information, and the info that I
> previously asked for is paramount in a diagnosis or at least a good
> start. The info about the NAT setup is not a good sign, because of
> it's limited ability to traverse domain traffic, but there may be
> something I am not seeing, because of the limited info you've
> provided.
>
> Can you describe this setup in more detail, including a logical
> (non-image) diagram including subnet IP ranges, what DNS address they
> are using, etc? Additional info:
>
> Unedited ipconfig /all from a DC, from a working client and from the
> virtual client. Event log errors, if any, from the DC, a working
> client and from the virtual client.
>
> If you can't supply this information due to security or other reasons,
> I can understand. If this is the case, remove the NAT between the VMs
> and the main subnet, route them directly through, or make them part of
> the same subnet, and report back if it still occurs.
>
> And as Meinolf mentioned, I also have customers with machines joined
> to their domain for a number of years, and this has never happened to
> me nor have I ever seen this issue before. That is why we believe it
> is a infrastructure DNS design/resolution issue, or something simple,
> such as trying to communicate through a NAT. The NAT seems to be a
> major reason sticking out right now.
>
> Ace
>

 

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb66212e78cb966ef24dd401@msnews.microsoft.com...
> Hello Ace Fekay [Microsoft Certified Trainer],
>
> I think with "natted" he means the VM's ip address uses the physical host
> NIC.
>

If that is the case, then multiple VMs are using the same IP? Is that what that means?

Ace

 

Do the VMs use the same sids as well?

Rich W.

Ace Fekay [Microsoft Certified Trainer] wrote:
> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb66212e78cb966ef24dd401@msnews.microsoft.com...
>> Hello Ace Fekay [Microsoft Certified Trainer],
>>
>> I think with "natted" he means the VM's ip address uses the physical host
>> NIC.
>>
>
> If that is the case, then multiple VMs are using the same IP? Is that what that means?
>
> Ace
>
>

 

I dont believe so. They were joined to domain individually. should have
unique sid
"Rich Wonneberger" <turtil@frontiernet.net> wrote in message
news:uZk1OpFyJHA.1416@TK2MSFTNGP04.phx.gbl...
> Do the VMs use the same sids as well?
>
> Rich W.
>
> Ace Fekay [Microsoft Certified Trainer] wrote:
>> "Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
>> news:ff16fb66212e78cb966ef24dd401@msnews.microsoft.com...
>>> Hello Ace Fekay [Microsoft Certified Trainer],
>>>
>>> I think with "natted" he means the VM's ip address uses the physical
>>> host NIC.
>>>
>>
>> If that is the case, then multiple VMs are using the same IP? Is that
>> what that means?
>>
>> Ace
>>

 

the ip of the vm is different from host ip. different subnet, etc...
"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:%23cTf0uEyJHA.1712@TK2MSFTNGP03.phx.gbl...
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66212e78cb966ef24dd401@msnews.microsoft.com...
> Hello Ace Fekay [Microsoft Certified Trainer],
>
> I think with "natted" he means the VM's ip address uses the physical host
> NIC.
>

If that is the case, then multiple VMs are using the same IP? Is that what
that means?

Ace

 

yes it is using the physical host nic but has a separate ip address
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66212e78cb966ef24dd401@msnews.microsoft.com...
> Hello Ace Fekay [Microsoft Certified Trainer],
>
> I think with "natted" he means the VM's ip address uses the physical host
> NIC.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> "Joey" <joey@joey.com> wrote in message
>> news:%23$oT$DCyJHA.4272@TK2MSFTNGP06.phx.gbl...
>>
>>> these are virtual machines "natted" through the host pc to get to the
>>> domain. But they are just falling off. I have no idea why
>>>
>> Domain communication traffic through a NAT is not supported, unless
>> VPN is used between the NAT subnet and the main or outside (not
>> internet) subnet. Thsi is because NAT does not support Kerberos, RPC
>> or LDAP traffice.
>>
>> The information you've provided in your thread is not enough to
>> diagnose this issue. This is similar to visiting a doctor. You say it
>> hurts. What hurts? We need blood work, blood pressure readings, etc
>> (you catch the drift). In order to properly diagnose the issue, we do
>> actually need configuration information, and the info that I
>> previously asked for is paramount in a diagnosis or at least a good
>> start. The info about the NAT setup is not a good sign, because of
>> it's limited ability to traverse domain traffic, but there may be
>> something I am not seeing, because of the limited info you've
>> provided.
>>
>> Can you describe this setup in more detail, including a logical
>> (non-image) diagram including subnet IP ranges, what DNS address they
>> are using, etc? Additional info:
>>
>> Unedited ipconfig /all from a DC, from a working client and from the
>> virtual client. Event log errors, if any, from the DC, a working
>> client and from the virtual client.
>>
>> If you can't supply this information due to security or other reasons,
>> I can understand. If this is the case, remove the NAT between the VMs
>> and the main subnet, route them directly through, or make them part of
>> the same subnet, and report back if it still occurs.
>>
>> And as Meinolf mentioned, I also have customers with machines joined
>> to their domain for a number of years, and this has never happened to
>> me nor have I ever seen this issue before. That is why we believe it
>> is a infrastructure DNS design/resolution issue, or something simple,
>> such as trying to communicate through a NAT. The NAT seems to be a
>> major reason sticking out right now.
>>
>> Ace
>>
>
>

 

"joey" <joe@abc.com> wrote in message
news:%23O%23d2WdyJHA.4136@TK2MSFTNGP05.phx.gbl...
>I dont believe so. They were joined to domain individually. should have
>unique sid

I beleive what Rich was asking if you may have copied one of the VMs to
create additional VMs or Ghosted the VM to create additional VMs without
using Sysprep or you didn't install each OS in each VM from scratch.

If you did copy or Ghost, or used any other imaging tool, each OS in the VMs
would have identical SIDs. It wouldn't matter if you joined them
individually or have given them idividual IPs. Machines with identical SIDS,
no matter if they have different names, IPs, etc, will not join after
joining the first one.

Ace