PowerShell: Join Domain Users to Any Specific OU



I have been exploring ways to automate domain joining so that end users can perform the process themselves without specialised knowledge. Although I found several scripts online that accomplish this, none of them is a comprehensive, all-in-one solution. I also want to avoid the common practice of storing a username and password in a text file that is distributed to every user. So I decided to write a complete script that lets users join the domain themselves.

Here’s what this script will accomplish:

  1. DNS Server Reachability Check: it tests whether the domain DNS servers are reachable. If they are, it updates the client's DNS settings to point at them, so that the DC locator can find the domain.
  2. Secure Credentials Input: instead of hardcoding credentials into the script, it prompts the user for a domain username and password at join time; nothing is written to disk.
  3. Custom OU Selection: the user picks the Organizational Unit (OU) the computer account should land in, and the script passes that OU to the join. This removes the need for an administrator to move computer objects out of the default Computers container after the join, which is the main reason I wrote this script! 😊

Here is what you need to do before running it:

1. Change the Variables in the Script

Here is the description of the variables:

$DNS1 – First DNS server IP address to set on the NIC
$DNS2 – Second DNS server IP address to set on the NIC
$oulist – Array of OU names that will be offered to the user. After the join, the computer account is created under the OU the user selected. All of these OUs must sit directly under the same parent container. Eg: 'HR OU','Admin OU'
$baseOU – Distinguished name of the parent container under which all OUs in $oulist are located. Eg: dc=test,dc=local
$DomainName – DNS name of the Active Directory domain
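The following is an added example of the three steps above put together as one script. It is not the original post's script; the server addresses, OU names and domain are placeholder assumptions you replace with the variables described above. DNS reachability is tested by asking each server for the domain's DC locator SRV record (which is what the join actually depends on) rather than by pinging it, the credential is collected with Get-Credential so it never touches disk, and the chosen OU is handed to Add-Computer through -OUPath.

```powershell
# Added example (not the post's own script): self-service domain join with OU selection.
# Run elevated on Windows 8 / Server 2012 or later (needs the NetTCPIP and DnsClient cmdlets).
$DNS1       = '192.0.2.10'              # assumed: first domain DNS server
$DNS2       = '192.0.2.11'              # assumed: second domain DNS server
$oulist     = @('HR OU', 'Admin OU')    # OU names shown to the user (example from the post)
$baseOU     = 'DC=test,DC=local'        # parent container of every OU in $oulist
$DomainName = 'test.local'              # assumed domain

# 1. DNS reachability: keep only the servers that can answer the DC locator query
#    for this domain. If none can, there is no point continuing.
$srvRecord  = "_ldap._tcp.dc._msdcs.$DomainName"
$workingDns = @($DNS1, $DNS2) | Where-Object {
    Resolve-DnsName -Name $srvRecord -Type SRV -Server $_ -ErrorAction SilentlyContinue
}
if (-not $workingDns) {
    throw "Neither $DNS1 nor $DNS2 returned $srvRecord; cannot join $DomainName."
}

# Point every connected IPv4 adapter at the domain DNS servers (order preserved).
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses @($DNS1, $DNS2)
}

# 2. Credentials: prompted at run time, held only in memory as a PSCredential.
$cred = Get-Credential -Message "Enter your $DomainName account (DOMAIN\user)"

# 3. OU selection: numbered menu, input validated against the allowed list only,
#    so the user cannot type an arbitrary distinguished name.
for ($i = 0; $i -lt $oulist.Count; $i++) {
    Write-Host ("[{0}] {1}" -f ($i + 1), $oulist[$i])
}
do {
    $choice = Read-Host "Select the OU for this computer (1-$($oulist.Count))"
} until ($choice -match '^\d+$' -and [int]$choice -ge 1 -and [int]$choice -le $oulist.Count)
$ouPath = "OU=$($oulist[[int]$choice - 1]),$baseOU"
Write-Host "Joining $DomainName; computer object will be created in $ouPath"

# -OUPath creates the computer object directly in the chosen OU, so no post-join move is needed.
# The account used must have been delegated 'Create Computer objects' on that OU (next section).
Add-Computer -DomainName $DomainName -Credential $cred -OUPath $ouPath -Restart -Force
```

Save it as, for example, Join-Domain.ps1 and start it with `powershell.exe -ExecutionPolicy Bypass -File Join-Domain.ps1` from an elevated prompt or a wrapper batch file; that avoids changing the machine-wide execution policy. If an OU name in $oulist contains a comma or other DN special character it must be escaped with a backslash, since the script builds the distinguished name by plain string concatenation.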

2. OU Delegation to Users

Delegate the right to create computer objects in the target OUs to the users who will join their own machines. (This is the part that cost me the most time troubleshooting "access denied" errors.)
I recommend creating a new security group, delegating the permission to that group, and putting the domain users into it. Once everyone has joined, it is safer to delete that group outright than to hunt down and revoke the delegated permissions, and an account that can create computer objects can also create rogue machine accounts, so the right should not stay with ordinary users longer than needed.

3. Powershell Execution Policy

Some clients may need the PowerShell execution policy set to RemoteSigned before scripts will run. Alternatively, start the script from a batch file that calls powershell.exe with -ExecutionPolicy Bypass -File, which applies only to that one process and leaves the machine-wide policy alone.

Delegation OU Permissions

By default only administrators and members of Account Operators can create computer and user objects in any OU. (Any authenticated user can join up to ms-DS-MachineAccountQuota computers, 10 by default, but only into the default Computers container, not into an OU of their choosing.) Users need a small, specific right to do this themselves; adding every domain user to Account Operators is something we should never do. So I grant only the necessary permissions.

Step 1:
In Active Directory Users and Computers, right-click the parent OU you want to delegate and choose Delegate Control.

Fig-1:Permission Delegation for specific OU

Step 2:
Add the security group that will be allowed to create computer objects.

Fig-2: Add OU delegation to specific security group

Step 3:
On the next page, choose "Create a custom task to delegate".

Step 4:
Choose "Only the following objects in the folder", tick Computer objects, and check "Create selected objects in this folder", as shown in Fig-3.

Fig-3: Choose resources for OU delegation

Step 5:
Customize the permissions. Here I select Write and "Create all child objects" and leave the rest at their defaults. Note that Write grants write access to every attribute of the computer objects in the OU; if you want to be stricter, grant only Reset Password, Read/Write Account Restrictions, Validated write to DNS host name and Validated write to service principal name on computer objects, which is all a join needs.

Fig-4: Add custom permission for delegation
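The same delegation can be applied from PowerShell, which is useful when there are many OUs or when you want the change to be reviewable. The block below is an added example, not part of the original post: it grants a group the single right "Create child objects of class computer" on a parent OU and on everything beneath it, and then prints the resulting ACEs for verification. The OU and group names are assumptions. It deliberately grants less than the wizard steps above (no generic Write); if machines may be re-joined against an existing computer account, the group additionally needs Reset Password, Write Account Restrictions and the two validated writes on descendant computer objects, which are not shown here.

```powershell
# Added example (not from the post): delegate 'Create Computer objects' on one OU
# to a security group, using the ActiveDirectory module's AD: drive.
Import-Module ActiveDirectory

$parentOU = 'OU=Workstations,DC=test,DC=local'   # assumed: the parent container ($baseOU)
$joiners  = 'DomainJoiners'                       # assumed: group holding users allowed to join

$groupSid = (Get-ADGroup -Identity $joiners).SID

# Resolve the schemaIDGUID of the 'computer' class from the schema instead of hardcoding it,
# so the ACE is limited to creating computer objects and nothing else.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

$acl  = Get-Acl -Path "AD:\$parentOU"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and every child OU
)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$parentOU" -AclObject $acl

# Verification: list only the ACEs that apply to the group. Expect one entry with
# ActiveDirectoryRights = CreateChild and ObjectType = the computer class GUID.
(Get-Acl -Path "AD:\$parentOU").Access |
    Where-Object { $_.IdentityReference -like "*\$joiners" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Run it as an account that can modify the OU's security descriptor (Domain Admins, or an account that has been given Modify Permissions on the OU). When the join is finished, removing the group, as the post suggests, also removes the effect of this ACE, because the ACE then references an orphaned SID.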

That completes the permission delegation. The client can now run the script on their computer; see Fig-5.

Fig-5: Demo of running the script
