Forum Discussion

Najwan975
Copper Contributor
Nov 08, 2023

Disjoin and join windows machines remotely

Hello there,

I have a task to disjoin hundreds of Windows machines from domain A and to join them to domain B.

I prepared a PowerShell script. It disjoins the machine from domain A but fails to restart the machine and aborts. I am pasting the script below and I hope that someone can help.

The localcredential variable is already a local admin and a member of Administrators.

The SourceCredential variable is a domain admin:

$SrcDomain = "AA"
$DstDomain = "BB"
$DstDomainIP = "IP"
$SrcPassword = ConvertTo-SecureString "XXX" -AsPlainText -Force
$SrcCredential = New-Object System.Management.Automation.PSCredential ("$SrcDomain\administrator", $SrcPassword)
$DstPassword = ConvertTo-SecureString "XX" -AsPlainText -Force
$DstCredential = New-Object System.Management.Automation.PSCredential ("$DstDomain\administrator", $DstPassword)
$localpassword = ConvertTo-SecureString "XX" -AsPlainText -Force
$localcredential = New-Object System.Management.Automation.PSCredential ("lab", $localpassword)
$logFile = "C:\DD\Output.log"
$timestamp = (Get-Date).toString("yyyy/MM/dd HH:mm:ss")

C:\TEMP\PSEXEC\PsExec.exe \\$log -h -s powershell.exe "Enable-PSRemoting -Force"
start-sleep -s 15
C:\TEMP\PSEXEC\PsExec.exe \\$log -h -s powershell.exe "Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -Type DWord"

Remove-Computer -ComputerName $log -LocalCredential $localcredential -UnjoinDomainCredential $SrcCredential -WorkgroupName 'Workgroup' -Verbose -PassThru -Restart -Force

Start-Sleep -s 120

Add-Computer -ComputerName $log -LocalCredential $localcredential -DomainName $DstDomain -Credential $DstCredential -PassThru -Verbose -Restart -Force

------------------------------

Below is the error:

Remove-Computer : Failed to restart the computer 10.30.233.158 with the following error message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
At line:1 char:1
+ Remove-Computer -ComputerName $log -LocalCredential $localcredential ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (10.30.233.158:String) [Remove-Computer], InvalidOperationException
+ FullyQualifiedErrorId : RestartcomputerFailed,Microsoft.PowerShell.Commands.RemoveComputerCommand

  • Sasha3245g
    Copper Contributor

    Najwan975 Instead of relying on the -Restart parameter of Remove-Computer, you can use the Restart-Computer cmdlet separately after the removal process. This might help in avoiding issues related to the -Restart parameter.

  • LeonPavesic
    Silver Contributor

    Hi Najwan975,

    The "Access is denied" error when attempting to restart the computer remotely can be caused by a number of factors.

    The account in use to execute the script might lack the required permissions to restart the computer. Ensure the account holds administrative rights on the remote computer.

    The firewall on the remote computer might be blocking the request. Temporarily disable the firewall to verify if this resolves the issue.

    The remote settings on the computer might not be configured to permit remote restarts. Check this in the System Properties of the remote computer.

    The registry entry "LocalAccountTokenFilterPolicy" dictates how local accounts are recognized during network logons. If set to 1, network logons like those used by the "Remove-Computer" cmdlet with a local account are authorized. If the value doesn't exist or is set to 0, network logons using local accounts are prohibited. Your script already sets this value to 1, but double-check it's correct.

    As an alternative, use the "Enter-PSSession" cmdlet to establish a remote session with the computer and execute the commands there. Here's an example:

     

    # Session to the target, used for the unjoin (all names are placeholders)
    $Session = New-PSSession -ComputerName targetcomputer.domain.local -Credential domain\username
    Invoke-Command -Session $Session -ScriptBlock {
        Remove-Computer -ComputerName "Computer01" -UnjoinDomainCredential "Domain01\Admin01" -PassThru -Verbose -Restart
    }
    # The restart ends the first session, so a new one is opened for the join
    $Session = New-PSSession -ComputerName targetcomputer.domain.local -Credential domain\username
    Invoke-Command -Session $Session -ScriptBlock {
        Add-Computer -ComputerName "Computer01" -LocalCredential "Computer01\Administrator" -DomainName "Domain01" -Credential "Domain01\Admin01" -Force -Verbose -Restart
    }

    This script establishes a remote session with the target computer and runs the "Remove-Computer" and "Add-Computer" cmdlets within that session.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)
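
The restart-as-a-separate-step approach from the first reply, combined with run-time credential prompts and removal of the LocalAccountTokenFilterPolicy value once the join is done (at 1 it leaves remote UAC token filtering off for local administrator accounts). This is an added example, not code from any poster in the thread. `targets.txt`, `migration.log` and the `Write-Log` helper are hypothetical, and it assumes the targets are listed by DNS name, WinRM is enabled on them, and the script runs from a host that can authenticate to domain BB.

```powershell
# Added example for Windows PowerShell 5.1 (Add-Computer/Remove-Computer are not in PowerShell 7).
$SrcDomain = 'AA'                               # placeholder from the original post
$DstDomain = 'BB'                               # placeholder from the original post
$Targets   = Get-Content -Path '.\targets.txt'  # hypothetical file, one DNS name per line
$LogFile   = '.\migration.log'                  # hypothetical path

# Prompt once at run time instead of embedding passwords in the script.
$SrcCredential   = Get-Credential -Message "Domain admin for $SrcDomain"
$DstCredential   = Get-Credential -Message "Join account for $DstDomain"
$LocalCredential = Get-Credential -UserName 'lab' -Message 'Local administrator on the targets'

function Write-Log([string]$Computer, [string]$Step, [string]$Result) {
    '{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3}' -f (Get-Date), $Computer, $Step, $Result |
        Add-Content -Path $LogFile
}

foreach ($Computer in $Targets) {
    $Step = 'Unjoin'
    try {
        # 1. Unjoin without -Restart, so an unjoin failure and a restart failure log separately.
        Remove-Computer -ComputerName $Computer -UnjoinDomainCredential $SrcCredential `
            -LocalCredential $LocalCredential -WorkgroupName 'Workgroup' -Force -ErrorAction Stop

        # 2. Restart as its own step and block until WMI answers again.
        $Step = 'Restart after unjoin'
        Restart-Computer -ComputerName $Computer -Credential $LocalCredential -Force `
            -Wait -For Wmi -Timeout 600 -Delay 10 -ErrorAction Stop

        # 3. Join the destination domain, then restart and wait for WinRM.
        $Step = 'Join'
        Add-Computer -ComputerName $Computer -LocalCredential $LocalCredential `
            -DomainName $DstDomain -Credential $DstCredential -Force -ErrorAction Stop
        $Step = 'Restart after join'
        Restart-Computer -ComputerName $Computer -Credential $LocalCredential -Force `
            -Wait -For WinRM -Timeout 600 -Delay 10 -ErrorAction Stop

        # 4. Delete the LocalAccountTokenFilterPolicy value the original script set to 1.
        $Step = 'Remove LocalAccountTokenFilterPolicy'
        Invoke-Command -ComputerName $Computer -Credential $DstCredential -ErrorAction Stop -ScriptBlock {
            Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
        }
        Write-Log $Computer 'Migration' 'OK'
    }
    catch {
        Write-Log $Computer $Step "FAILED: $($_.Exception.Message)"
    }
}
```

Each failure is logged with the step that raised it, so a restart that is denied shows up as a restart failure rather than aborting the whole run.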
