How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide – Part 3

3) Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-1:Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-4: Run the test scripts

In Part-2, we signed the script with user1’s certificate. That left some manual work, such as adding user1’s certificate to the Trusted Publishers certificate store. Let us see how we can automate this process by using GPO.

First of all, we need to export user1’s certificate from the personal certificate store on the Node1 computer to DC1, from where we can distribute it to the domain computers via Group Policy.
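The export described above, and the check an admin would run on a domain computer once the GPO has applied, as an added PowerShell example (this is not the series’ own script). Part A runs on Node1 as user1; Part B runs on any domain computer after a Group Policy refresh. The export path and the thumbnail value are placeholders you replace with your own.

```powershell
# Added example, not the series' own steps.
# Part A: on Node1 as user1, export only the public certificate (no private key) for the GPO.
# Part B: on a domain computer after gpupdate, confirm the policy and the trusted publisher.

# ---- Part A: on Node1, as user1 ----
$ExportPath = 'C:\Temp\user1-codesign.cer'   # placeholder path; copy this file to DC1 for the GPO

# -CodeSigningCert keeps only certificates with the Code Signing EKU and a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
if (-not $cert) { throw 'user1 has no code-signing certificate in CurrentUser\My.' }

# Export-Certificate writes the DER-encoded public certificate; the private key never leaves the store.
Export-Certificate -Cert $cert -FilePath $ExportPath -Type CERT | Out-Null
"Exported {0} (thumbprint {1}) to {2}" -f $cert.Subject, $cert.Thumbprint, $ExportPath

# ---- Part B: on any domain computer, after gpupdate ----
# The MachinePolicy scope should show AllSigned once the GPO allows only signed scripts.
Get-ExecutionPolicy -List

# The GPO publishes the certificate into the machine's Trusted Publishers store.
# Match by thumbprint rather than by subject, so a different certificate with the same name is not accepted.
$expected = 'PLACEHOLDER_THUMBPRINT'   # the thumbprint printed in Part A
$trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $expected
if ($trusted) {
    "user1's certificate is a trusted publisher on $env:COMPUTERNAME"
} else {
    Write-Warning "Trusted publisher missing on $env:COMPUTERNAME: under AllSigned, user1's scripts will prompt or be blocked."
}
```

Only the .cer (public part) is distributed; if user1 needs the signing key on another machine, that is a separate PFX export, not something to push through a GPO.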

How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide – Part 2

2) Request the certificate to sign the script by user1
Go to >> Part-1:Install ADCS service and configure Code Signing Certificate Template
Go to >> Part-3: Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-4: Run the test scripts

In Part-1, we configured the AD CS role and the certificate template. Now it is time for user1 to request his certificate and sign his script. On the Node-1 computer, with user1 logged on as a domain user:
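Signing and then verifying a script with the certificate user1 enrolled from the enterprise CA, as an added PowerShell example (not the series’ own steps). The script path is a placeholder; the timestamp server URL is left empty and is an assumption you fill in only if you have a timestamp service available.

```powershell
# Added example, not the series' own steps: sign a script with user1's code-signing certificate,
# then verify the signature the way a consumer of the script would.

$ScriptPath      = 'C:\Scripts\test.ps1'   # placeholder path to the script being signed
$TimestampServer = $null                   # optional: URL of your timestamp service (placeholder, unset here)

# Pick the newest still-valid code-signing certificate from user1's personal store (CurrentUser\My).
# -CodeSigningCert filters to certificates with the Code Signing EKU and a private key.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object { $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw 'No valid code-signing certificate found in CurrentUser\My.' }

# Sign with SHA-256. A timestamp lets the signature remain valid after the certificate itself expires,
# so add -TimestampServer only when a service is configured.
$signParams = @{
    FilePath      = $ScriptPath
    Certificate   = $cert
    HashAlgorithm = 'SHA256'
}
if ($TimestampServer) { $signParams['TimestampServer'] = $TimestampServer }
$signed = Set-AuthenticodeSignature @signParams
# Status is Valid when the signer chains to a root the machine trusts; UnknownError usually means
# the CA's root or issuing certificate is not trusted on this computer.
"Signing status: $($signed.Status)"

# Verify independently of the signing step: status, signer identity and thumbprint.
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
[pscustomobject]@{
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Thumbprint = $sig.SignerCertificate.Thumbprint
    Timestamp  = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '(none)' }
}
```

Any later edit to the file, even a whitespace change, makes Get-AuthenticodeSignature report HashMismatch, which is exactly what an AllSigned policy relies on.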

How to Digitally Sign the Powershell Scripts with Microsoft CA in Domain – A step-by-step Guide – Part 1

Go to >> Part-2: Request the certificate to sign the script by user1
Go to >> Part-3: Configure GPO to allow only signed scripts and add user1’s certificate to trusted publisher group on domain computers
Go to >> Part-4: Run the test scripts

This is a lengthy post on how to digitally sign your PowerShell scripts, so I have divided it into 4 parts. Digitally signing PowerShell scripts is a security measure that is particularly useful for preventing the execution of malicious scripts on servers or workstations in your domain environment. Today, I will show you how to sign your PowerShell scripts with a certificate from a Microsoft CA and how to use GPO to control the execution of unsigned scripts in a domain environment.

PowerShell: Join Domain Users to Any Specific OU

I have been looking for ways to automate the domain join so that end-users can do it by themselves without special knowledge. There are several scripts I found on Google that make it work, but none of them seems to be an all-in-one solution. Moreover, I don’t want to put usernames/passwords in text files that are delivered to each user. So, I decided to make a complete script for automatic domain join of users.

What this script will do:
1) Tests whether the DNS server is reachable and, if so, changes the user’s DNS setting to point to the Domain Controller.
2) Prompts for a username/password to join the domain, so there is no need to put a username/password in the script file.
3) Users can choose their own OU for the domain-join process, so the Admin doesn’t need to move their computer objects to a specific OU after the domain join. (The one I liked most and the reason why I wrote this script xP.)

Things you need to do:
1) Modify the Admin section of the script to your needs

2) Delegate all OUs so that domain users can create computer objects and thereby join the domain themselves. (This is the one that took most of my troubleshooting time, chasing the access denied error.)
I would recommend creating a new security group, delegating the permission to that group, and putting the domain users into the group, because it is safer to delete that security group after all users have joined the domain than to revoke the delegated permission.

3) Some clients may need the PowerShell execution policy set to RemoteSigned so that PowerShell scripts can execute. You can do this with another batch script that calls the PowerShell script, and so on.

1) Delegating OU Permission
Only the Admin and Account Operator roles have permission to create computer and user objects in any OU. Users need a small set of rights to perform the join themselves, but granting the Account Operators role to every domain user is something we should never do. So I will grant only the necessary permissions.

Step 1:
From Active Directory Users and Computers, Choose the parent OU you want to delegate.

Fig-1: Permission delegation for a specific OU

Step 2:
Add the security group to which the right to create computer objects in Active Directory will be delegated.

Fig-2: Add OU delegation to a specific security group

Step 3:
On the next page, choose Create a custom task to delegate.

Step 4:
Choose Computer objects and check “Create selected objects in this folder”, as shown in Fig-3.

Fig-3: Choose resources for OU delegation

Step 5:
Customize the permissions. Here I select Write and Create all child objects and leave the others at their defaults.

Fig-4: Add custom permission for delegation

That completes the permission delegation. Now the client can run the script on their own computer; see Fig-5.

Fig-5: Demo of running the script
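A script that does the three things listed under “What this script will do”, written here as an added PowerShell example; it is not the post’s own script. The domain name, DNS server address and OU list in the Admin section are placeholders to be replaced with your own values, and the script assumes the OU delegation from the steps above is already in place.

```powershell
# Added example, not the post's own script: automatic domain join with a user-chosen OU.
#Requires -RunAsAdministrator

# ---- Admin section (placeholders: edit to match your environment) ----
$DomainName = 'corp.example.local'   # placeholder domain FQDN
$DcAddress  = '192.0.2.10'           # placeholder DC / DNS server address (TEST-NET-1 range)
$OuChoices  = @{                     # placeholder OUs the user is allowed to pick from
    '1' = 'OU=Sales,OU=Workstations,DC=corp,DC=example,DC=local'
    '2' = 'OU=Finance,OU=Workstations,DC=corp,DC=example,DC=local'
    '3' = 'OU=IT,OU=Workstations,DC=corp,DC=example,DC=local'
}
# ---- end Admin section ----

# 1) Check that the DC/DNS server answers before changing any DNS settings.
if (-not (Test-Connection -ComputerName $DcAddress -Count 2 -Quiet)) {
    Write-Error "DNS server $DcAddress is not reachable. Aborting."
    exit 1
}

# Point every connected physical adapter at the domain DNS server so the domain can be resolved.
$adapters = Get-NetAdapter -Physical | Where-Object Status -eq 'Up'
foreach ($nic in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DcAddress
}

# Fail fast if the domain controller SRV record does not resolve through the new DNS setting.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Error "Cannot resolve domain controllers for $DomainName via $DcAddress."
    exit 1
}

# 2) Ask for the join credential at run time; nothing is stored in the script file.
$cred = Get-Credential -Message "Enter a domain account allowed to join computers to $DomainName"

# 3) Let the user pick the OU so the computer object is created where it belongs.
Write-Host "Choose the OU for this computer:"
$OuChoices.GetEnumerator() | Sort-Object Name | ForEach-Object { Write-Host " $($_.Name)) $($_.Value)" }
do {
    $choice = Read-Host 'Selection'
} until ($OuChoices.ContainsKey($choice))
$ouPath = $OuChoices[$choice]

# Join and reboot. -OUPath only works if the account has the delegated right to create
# computer objects in that OU (the delegation configured in Steps 1-5 above).
Add-Computer -DomainName $DomainName -Credential $cred -OUPath $ouPath -Restart -Force
```

Keeping the OU list in the script rather than letting the user type a distinguished name means the join can only land in OUs the admin chose to delegate, which also keeps the access denied error from Step 2 from reappearing.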