Script to rename a computer and join a domain after renaming
I'm looking for a vbs script or a batch file that will rename a computer (with user input for 2 fields) in both the description and the actual computer name. The format will always be the same:
Once the computer is renamed, it then needs to be joined to a domain. Joining should require little to no input from the user (the script can hold the credentials).
Ideally, the script would rename, restart, join, restart. If it's only possible to rename/restart and then run a second script for joining/restarting, that's fine too, but it would be preferable if this did everything automatically. If at all possible, a message box after each step would be great as well (when renaming finishes, a message box says "computer renamed to 'comp name'"), and the same for the domain.
Also, if the script could delete itself when all is done, that would be even better! :)
I've been searching for the past few days and have been unsuccessful in finding a script that I can modify with my needs and get the results I'm looking for.
Any help would be greatly appreciated.
Automated workstation naming script
I have put a solution in place for this here, but it forms part of a broader system of scripts and utilities linked in with WDS to centrally automate computer naming, including other desired activities like on-the-fly encryption during auto-build. I'm going to make a very long post now that details all the components of this, some of which can probably help you. I use Windows batch scripting rather than VBScript. "DOMAINNAME"/"domainname.local", "DomainUser", "DomainPassword" and "ServerName" should be altered to suit your environment. I've turned OFF the WDS option to have workstations automatically join the domain, otherwise it would conflict with this.
Firstly, we need to get the desired computer name when WDS loads, before image selection. To that end, we include a section in the WdsClientUnattend.xml file on the imaging server:
DomainUser is a member of solely the Domain Guests group, but is delegated access to manage our workstations OU tree from the top down. We must create a folder called ComputerNames on the WDS server and share it with the same name, granting DomainUser certain privileges to it (share with "Authenticated Users">"Full Control" only and grant NTFS permissions). DomainUser is denied interactive logon or Remote Desktop logon rights through domain-level Group Policies, and cannot change its own password.
<Description>Get computer name and store it</Description>
This section in the config file calls a "wrapper" batch file (this is needed to stop users from clicking away the password prompt). The file is found in the root of the ComputerNames share and is as follows:
start /b /w \\ServerName\computernames\getname.exe
if not exist x:\getname.run exit 1
This ties in with some code from the main program, GetName.exe, which was a batch file compiled into an encrypted executable that asks for a password when run (this is to prevent users from randomly re-imaging workstations at will). The tool to compile the batch file in this way is here:
F2KO Software | Bat To Exe Converter
GetName.bat's source code is as follows:
rem Marker file: tells the wrapper that the password prompt was passed and this script is running
echo. > x:\getname.run
rem Identify this workstation by MAC address (third token of nbtstat's "MAC Address = xx-xx-xx-xx-xx-xx" line)
for /f "tokens=3 delims== " %%i in ('nbtstat -a %computername% ^| find "MAC"') do set mac=%%i
rem Already registered? Skip straight to the encryption question
if exist \\ServerName\computernames\names\%mac%.txt goto :cipher
:name
set /p compname=Please enter the workstation name:
if not %compname%. == . echo %compname%> \\ServerName\computernames\names\%mac%.txt & goto :cipher
echo You must enter a workstation name. & goto :name
:cipher
if exist \\ServerName\computernames\names\%mac%_cipher.txt goto :eof
set /p cipher=Please enter a boot password (or press Enter to skip):
if not %cipher%. == . echo %cipher%> \\ServerName\computernames\names\%mac%_cipher.txt
So the wrapper checks for the .run file that indicates the password was successfully entered and the batch code has begun execution (so users can't click the password prompt away). X:\ is the RAM disk mapped by the WDS deployment image. On the back of that, you need to edit the .wim file for your WDS deployment image and add an empty file called DisableCMDRequest.tag to \Windows\Setup\Scripts (if that folder structure doesn't exist, create it). If you don't do that, a malicious user could press Shift+F10 to access a command prompt during this stage of deployment.
We then identify the workstation's MAC address and check whether it has already been "registered". If it hasn't, we prompt for a name and write that back to the server by creating a .txt file named after the computer's MAC address. This file contains a single line, which is the name we prompted for earlier. These files all live in the Names folder, which is inside the ComputerNames share, to which DomainUser has normal read-and-execute permissions plus "Create files/write data", "Create folders/append data", "Write attributes" and "Write extended attributes". Administrators and SYSTEM have Full Control. No other access is granted. We know from WdsClientUnattend.xml that we are running this command as DomainUser, so the check for existing files and the subsequent write-back will be successful.
So, our structure under ComputerNames is:
Names (folder with special permissions for DomainUser)
GetName.exe (control program)
GNWrapper.bat (wrapper for security)
We also check whether this workstation should auto-encrypt (we only do this for staff laptops but naturally it's the same imaging system). We apply the same principles and check whether a file containing the encryption password exists (which will be MACAddress_cipher.txt). If it doesn't, we prompt again and add this file, unless the input is null in which case we skip that step. Note that only the DomainUser account can access the storage folder so this is reasonably secure although they're stored in plain text. If we ever want to change a pre-registered computer name or encryption password, we search the storage folder with the "file contents" option on, find the right file(s) and either edit or delete them (which only happens very occasionally).
We then proceed with image selection normally and the workstation receives the image and reboots. When it does so, we need to include a script to fetch our information again and apply it, so in the ImageUnattend.xml file for the image, we include this section:
<Description>Set computer name and join domain</Description>
<CommandLine>psexec -accepteula -is cmd /c c:\windows\system32\renamecomputer.bat</CommandLine>
So this will run a script called RenameComputer.bat that we include on the image before we SysPrep it. We must also have installed the drivers and executables for DiskCryptor, which can be found here:
Main Page/en - DiskCryptor wiki
We need PSExec from SysInternals too, which I always include on my images due to its immense usefulness for running programs in the SYSTEM context. Frankly, I can't remember why there's a need to run this script as SYSTEM, but I'm sure there was a reason.
On the first startup after imaging, RenameComputer.bat will then run. It looks like this:
First we delete the locally-cached copy of the Unattend.xml file to make sure no serial numbers, usernames/passwords etc are exposed. We then find our MAC address, connect to the imaging server and look for the .txt file with a matching name, and read that file to determine what our name should be. We carry out the same process with the cipher .txt file, if it exists, to determine whether or not we should encrypt and what the startup password should be if so. We then set the new name, which will not apply until we restart, and carry out full-disk encryption if we need to (this will take considerable time on systems with larger disks so factor that in, while also remembering that we will now need the startup password for each subsequent boot throughout the imaging process, so only use this auto-encryption when you need to). Our final action is to set RunOnce Registry commands for the next reboot to firstly delete the RenameComputer.bat script (as it includes domain credentials), then join the domain with the new name. These Registry entries are removed automatically by Windows once they have been executed, so our DomainUser credentials are not present on the finished build.
rem Identify this workstation by MAC address, exactly as GetName.bat did
for /f "tokens=3 delims== " %%i in ('nbtstat -a %computername% ^| find "MAC"') do set mac=%%i
rem Connect to the share as the delegated account and read back the registered name
net use \\ServerName\computernames /u:DOMAINNAME\DomainUser DomainPassword
for /f %%i in (\\ServerName\computernames\names\%mac%.txt) do set newname=%%i
rem Optional boot password for DiskCryptor; no file means no encryption
if not exist \\ServerName\computernames\names\%mac%_cipher.txt goto :rename
for /f %%i in (\\ServerName\computernames\names\%mac%_cipher.txt) do set cipher=%%i
:rename
echo Renaming computer...
net use \\ServerName\computernames /d
rem RunOnce for the next boot: first remove this script (it holds domain credentials), then join the domain
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v DeleteRename /d "cmd /c del c:\windows\system32\renamecomputer.bat" > nul
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v JoinDomain /d "netdom join %newname% /domain:domainname.local /userd:DomainUser /passwordd:DomainPassword /reboot:0" > nul
rem Full-disk encryption with DiskCryptor, only if a boot password was registered
if defined cipher dccon -boot -setmbr hd0 > nul
if defined cipher dccon -encrypt pt1 -p %cipher% > nul
rem Rename now; /reboot:0 restarts immediately, after which the RunOnce entries fire
netdom renamecomputer %computername% /newname:%newname% /force /reboot:0 > nul
That's pretty much it. Naturally you can remove all encryption-related components of this entirely and it will still work. I've incorporated scripted encryption because it means I don't have to manually install and go through TrueCrypt full-disk encryption on all staff laptops (and I only ever have one or two of those at a time in my office so I can step in with startup passwords as necessary). We never encrypt our desktops around the school, so these are truly automated.
New machine: boot, enter password, provide name, walk away.
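The same rename-and-join flow in PowerShell, as an added example that is not part of the original post or the author's scripts. It assumes the share layout from the post (\\ServerName\computernames\names\<MAC>.txt), the placeholder domain, account and password from the post, and Windows 8 / Server 2012 or later running Windows PowerShell 5.1 (Get-NetAdapter and Add-Computer; Add-Computer was removed from PowerShell 7). It collapses the rename and the join into a single reboot with Add-Computer -NewName, so no RunOnce entry and no credential has to survive the restart.

```powershell
# Added example, not the original post's code. Placeholder names (ServerName,
# domainname.local, DOMAINNAME\DomainUser, DomainPassword) are assumed, as in the post.
$Share      = '\\ServerName\computernames'
$DomainFqdn = 'domainname.local'
$JoinUser   = 'DOMAINNAME\DomainUser'
$JoinPass   = 'DomainPassword'   # placeholder held in the script, mirroring the post

# MAC of the first connected adapter, in the same 00-11-22-33-44-55 form that nbtstat prints,
# so the file names written by GetName.bat still match.
$mac = (Get-NetAdapter | Where-Object Status -eq 'Up' |
        Sort-Object ifIndex | Select-Object -First 1).MacAddress
if (-not $mac) { throw 'No connected network adapter found' }

$cred = New-Object System.Management.Automation.PSCredential(
            $JoinUser, (ConvertTo-SecureString $JoinPass -AsPlainText -Force))

# Mount the share with the delegated account, read the registered name, disconnect.
New-PSDrive -Name N -PSProvider FileSystem -Root $Share -Credential $cred | Out-Null
try {
    $nameFile = "N:\names\$mac.txt"
    if (-not (Test-Path -LiteralPath $nameFile)) { throw "No name registered for $mac" }
    $newName = (Get-Content -LiteralPath $nameFile -First 1).Trim()
}
finally {
    Remove-PSDrive -Name N -Force
}

# Reject anything that is not a valid NetBIOS computer name before touching the machine.
if ($newName -notmatch '^[A-Za-z0-9-]{1,15}$') { throw "Invalid computer name '$newName'" }

# Rename and join in one operation; the new name takes effect on the reboot below.
Add-Computer -DomainName $DomainFqdn -NewName $newName -Credential $cred -Force

# Remove this script (it holds the join credential) before the reboot, then restart once.
Remove-Item -LiteralPath $PSCommandPath -Force
Restart-Computer -Force
```

Run it from the same unattend RunSynchronousCommand slot the post uses (powershell.exe -ExecutionPolicy Bypass -File c:\windows\system32\RenameComputer.ps1); it needs to run as an administrator but not as SYSTEM. If holding a domain password on the image at all is the concern, offline domain join is the alternative: djoin /provision on a domain member produces a per-machine blob for the new name, and djoin /requestODJ on the workstation consumes it, so the image carries no account credential.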