VMware Cloud Community
BrianGordon84
Contributor

Add newly created vm to domain

I've been searching the net for days trying to find out if it's possible to add a newly created VM to our domain, but I'm running into a few problems. I'm not even sure if this is possible. I have an admin account that I'm running this script under, but that doesn't really matter since the template VMs aren't actually members of the domain, so the account doesn't have any privileges. Here's the script that I'm using:

$domain = "xxxx"
$domainpw = "xxxxxx"
$username = "xxxxxxx"

function JoinDomain {
    # These three assignments shadow the script-level variables above inside the function
    $domain = "domain.net"
    $domainpw = "localadminpassword"
    $username = "localadminusername"

    # One guest name or address per line
    $servers = (Get-Content servers.txt)

    $servers | ForEach-Object {
        $DomainUser = $Domain + "\" + $Username
        $OU = $null
        # A bare username for -Credential makes PowerShell prompt for that account's password
        $ComputerSystem = gwmi Win32_ComputerSystem -ComputerName $_ -Credential localadminusername
        Write-Host $ComputerSystem
        $ComputerSystem.JoinDomainOrWorkGroup($Domain,$domainpw,$username)
    }
}

JoinDomain

So, like I said, I tried running this with my domain admin account and run into an access denied error. So I changed the -Credential to a local username on the newly created vm and entered the password for the account when prompted. However, I still run into access denied error. Any ideas on this? Is it even possible or am I wasting my time?

Accepted Solutions
nirvy
Commander

this works for me:

   $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domain + "\" + $Domainusername,$null,$FJoinOptions)

LucD
Leadership

Just some questions to make sure I understand the question correctly.

You are running the script on another system than the new guest?

Is your new guest reachable over the network?

And you are providing a domain administrator account in the $username variable?

____________

Blog: LucD notes

Twitter: lucd22


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

BrianGordon84
Contributor

Yeah, the script is being run on my system as opposed to locally on the new guest system. The guest is reachable by IP address. I am providing a domain administrator account in the $username variable. The reason we've got to join each system to the domain is because we run NewSID. So I've got to log in, run NewSID, reboot and join the system to the domain by logging in through the console. This gets old after you run NewSID and join 15 servers to the domain.

RvdNieuwendijk
Leadership

I tried to make the script a bit more universal, so I made the following function:

function Join-DomainOrWorkGroup {
  param([string] $Computer, [string] $Domain, [string] $DomainPassword, [string] $DomainUsername, [string] $AccountOU, $LocalCredential, [int] $FJoinOptions = 3)

  $ComputerSystem = Get-WmiObject Win32_ComputerSystem -ComputerName $Computer -Credential $LocalCredential
  $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
}

If I run it like this:

$LocalCredential = Get-Credential
Join-DomainOrWorkGroup -Computer MyComputer -Domain Mydomain -DomainPassword Mypassword -DomainUsername Myaccount -AccountOU MyOU -LocalCredential $LocalCredential -FJoinOptions 3

I get the following error (in Dutch):

Exception calling "JoinDomainOrWorkgroup" : "De clientverbinding met WINMGMT moet voor deze bewerking worden versleuteld.
Pas de instellingen voor de IWbemServices-proxy aan en probeer het opnieuw. "
At line:4 char:40
+   $ComputerSystem.JoinDomainOrWorkGroup <<<< ($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WMIMethodException

In English this will be something like (translation by Google translate):

Exception calling JoinDomainOrWorkgroup ":" The client connects to winmgmt this operation must be encrypted.Adjust the IWbemServices proxy and try again. "
At line: 4 char: 40
+ $ ComputerSystem.JoinDomainOrWorkGroup <<<<($ Domain, $ Password Domain, Domain $ Username, $ FJoinOptions)
    + Category Info: NotSpecified: (:) [] MethodInvocationException
    + FullyQualifiedErrorId: WMIMethodException

I don't know how to get rid of this error. But if someone does, then I think we have solved this question.

Regards, Robert

Blog: https://rvdnieuwendijk.com/ | Twitter: @rvdnieuwendijk | Author of: https://www.packtpub.com/virtualization-and-cloud/learning-powercli-second-edition
LucD
Leadership

I use the procedure given in the Join Domain securely post.

It uses an external file to store the securestring account/password.

Then it uses the JoinDomainOrWorkGroup method to perform the actual join.

Note that you need to have the authentication level set to RPC_C_AUTHN_LEVEL_PKT_PRIVACY when passing the username and password as parameters to avoid the WBEM_E_ENCRYPTED_CONNECTION_REQUIRED error.

This means that you need to use the -Authentication and -Impersonation parameters like this:

...
$ComputerSystem = gwmi Win32_ComputerSystem -ComputerName 10.2.4.205 -Credential localadminusername -Authentication 6 -Impersonation Impersonate
...

BrianGordon84
Contributor

LucD would you mind posting the script that you use and how you call it?

I will try to rebuild the script you guys have posted for my situation and see how it goes. I'll let you know.

BrianGordon84
Contributor

Here's what I've done:

function Join-DomainOrWorkGroup {
    $username = "localusername"
    $Domain = "domain"
    $DomainPassword = "password"
    $Domainusername = "username"
    $FJoinOptions = "3"

    $ComputerSystem = gwmi Win32_ComputerSystem -ComputerName 10.2.4.207 -Credential $username -Authentication 6 -Impersonation Impersonate
    $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
}

Join-DomainOrWorkGroup

I've logged into the console and noticed that the system is now joined to the workgroup named $domain. If my domain was test.com the workgroup is test.com. It's not actually joining the domain. Why would that be?

nirvy
Commander

Try

$fJoinOptions = 3

instead of

$fJoinOptions = "3"

The join options parameter should be an integer, not a string.

BrianGordon84
Contributor

I changed it to an integer and also logged into the system and changed the workgroup to something else. I re-ran the script and it joined the workgroup named $domain again.

nirvy
Commander

What happens if you change

$ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)

to

$ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$null,$FJoinOptions)

BrianGordon84
Contributor

> What happens if you change
>
> $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$FJoinOptions)
>
> to
>
> $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domainusername,$null,$FJoinOptions)

Nothing happens. Workgroup doesn't change and domain doesn't change.

nirvy
Commander

this works for me:

   $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domain + "\" + $Domainusername,$null,$FJoinOptions)

BrianGordon84
Contributor

> this works for me:
>
>    $ComputerSystem.JoinDomainOrWorkGroup($Domain,$DomainPassword,$Domain + "\" + $Domainusername,$null,$FJoinOptions)

This works. I had no idea you had to put the + "\" + in there. I didn't see that documented anywhere. Thanks for your help!

raghavendrats
Contributor

I am still unable to join Windows VMs to the domain. I am trying to join computers remotely. I have tried this script from the local VM as well; it didn't work. I am not getting any errors except the output below.

__GENUS          : 2
__CLASS          : __PARAMETERS
__SUPERCLASS     :
__DYNASTY        : __PARAMETERS
__RELPATH        :
__PROPERTY_COUNT : 1
__DERIVATION     : {}
__SERVER         :
__NAMESPACE      :
__PATH           :
ReturnValue      : 2202

any help is greatly appreciated.

LucD
Leadership

Error 2202 (0x89a) indicates that the machine couldn't reach the AD domain controller.

There must be something wrong with the network setup or the network connection is not yet established.

raghavendrats
Contributor

Thanks LucD. But I don't think we have any network connectivity issues. I am able to join the same VM to the domain manually. WinRM and PS remoting are also enabled. Do any other specific ports need to be opened to connect to the DC from PowerShell?

LucD
Leadership

Perhaps I didn't explain it correctly, but I suspect that the guest can't reach the DC at the moment when the join domain is executed.

Remember that the guest OS is running sysprep at that time.

Once sysprep is finished the network connectivity is probably ok.

raghavendrats
Contributor

Thanks for the quick reply. I am sure that sysprep is not running at this time. I think there is something else that needs to be checked. I am pasting my script below. Please suggest if you find any mistakes.

$computer = read-host "Enter Comp Name"
$localuser = "TestVM1\administrator"
$credential = get-credential
$Domain = "test"

$usr = $credential.UserName
$pss = $credential.Password

$ComputerSystem = get-wmiobject Win32_ComputerSystem -ComputerName $computer -Credential $localuser -Authentication 6 -Impersonation Impersonate
$ComputerSystem.JoinDomainOrWorkGroup($Domain, $pss, $Domain + "\" +  $usr, $null, 3)

Thanks.

raghavendrats
Contributor

I got it :)

If I send my domain admin password in plain text it's working fine. But due to security concerns I should not do that. Any idea how we can make it work with a secure string?

LucD
Leadership

You can prompt for the account and password with Get-Credential.

And then you convert it to cleartext, which allows you to pass it to the function:

$cred = Get-Credential
$user = $cred.GetNetworkCredential().UserName
$pswd = $cred.GetNetworkCredential().Password

$pswd

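Added example, not code from the thread: one function that combines the fixes found above (nirvy's five-parameter call order, LucD's packet-privacy requirement, an integer FJoinOptions, and converting the Get-Credential SecureString only at call time). The function name Join-GuestToDomain, the OU string and 'test.com' are assumptions; it assumes the guest is reachable and that you supply two PSCredential objects.

```powershell
# Added example (hypothetical function, not from the thread).
function Join-GuestToDomain {
    param(
        [Parameter(Mandatory=$true)][string] $ComputerName,
        [Parameter(Mandatory=$true)][string] $Domain,
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential] $LocalCredential,  # local admin on the guest (WMI access)
        [Parameter(Mandatory=$true)][System.Management.Automation.PSCredential] $DomainCredential, # domain account allowed to join computers
        $AccountOU = $null,      # e.g. "OU=Servers,DC=test,DC=com"; $null = default Computers container (assumed value)
        [int] $FJoinOptions = 3  # 1 = join domain, 2 = create the computer account, 3 = both
    )

    # The username and password travel as method arguments, so WMI insists on an encrypted
    # connection: -Authentication PacketPrivacy (level 6) avoids WBEM_E_ENCRYPTED_CONNECTION_REQUIRED.
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName `
        -Credential $LocalCredential -Authentication PacketPrivacy -Impersonation Impersonate

    # Win32_ComputerSystem.Domain also holds a workgroup name, so check PartOfDomain as well.
    if ($cs.PartOfDomain -and ($cs.Domain -ieq $Domain)) {
        return New-Object PSObject -Property @{ Computer = $ComputerName; ReturnValue = 0; Note = 'already joined' }
    }

    # The method needs a plain-text password: convert the SecureString only here, at call time.
    $net  = $DomainCredential.GetNetworkCredential()
    $user = if ($net.Domain) { "$($net.Domain)\$($net.UserName)" }    # entered as DOMAIN\user
            elseif ($net.UserName -like '*@*') { $net.UserName }        # entered as user@domain
            else { "$Domain\$($net.UserName)" }                          # bare user name

    # Parameter order is Name, Password, UserName, AccountOU, FJoinOptions. Omitting AccountOU
    # shifts FJoinOptions into its slot and the guest lands in a workgroup named after the domain.
    $result = $cs.JoinDomainOrWorkGroup($Domain, $net.Password, $user, $AccountOU, [int]$FJoinOptions)

    # 0 = joined (a reboot is still required); any other value (such as the 2202 above) is a failed join.
    $note = if ($result.ReturnValue -eq 0) { 'joined, reboot required' } else { 'join failed' }
    New-Object PSObject -Property @{ Computer = $ComputerName; ReturnValue = $result.ReturnValue; Note = $note }
}

# Usage: both accounts are prompted for, so no password is hard-coded in the script.
$local  = Get-Credential   # local administrator on the new guest
$domAcc = Get-Credential   # DOMAIN\account permitted to join computers
Get-Content servers.txt | ForEach-Object {
    Join-GuestToDomain -ComputerName $_ -Domain 'test.com' -LocalCredential $local -DomainCredential $domAcc
}
```

A non-zero ReturnValue is returned in the output object rather than being silently ignored, which is the check raghavendrats' output above was missing.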