Ral*_*gum 5 aws-cloudformation ansible
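I am trying to add a host to a domain using a PowerShell script. When the script is invoked via CloudFormation or Ansible, it fails with the error below. When I run it manually on the host, it succeeds.
I suspected I was doing something wrong with the user (I run it manually as administrator), so I tried to force it to always run as administrator. Unfortunately, that did not work either.
Has anyone seen this problem?
Error: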
> [DEBUG] Command 4-add-to-domain output: Add-Computer : Computer 'WIN-xxxxx' failed to join domain
> 'aws.cloud.bp.com' from its current workgroup 'WORKGROUP' with following error
> message: Unable to update the password. The value provided as the current
> password is incorrect.
> At line:1 char:1
> + Add-Computer -DomainName $domain -Credential $credential -OUPath $ouPath -Restar ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> + CategoryInfo : OperationStopped: (WIN-K9DU7TO9331:String) [Add-Computer], InvalidOperationException
> + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand
PS1:
```powershell
# $domainname, $password, $uid, $oupath and $logger are expected to be set by the caller (not shown in the post)
if ((gwmi win32_computersystem).partofdomain -eq $true)
{
    write-host "already in domain"
}
else
{
    $domain = $domainname
    # Convert the plain-text password to a SecureString for the PSCredential constructor
    $password = $password | ConvertTo-SecureString -asPlainText -Force
    $username = $uid
    $credential = New-Object System.Management.Automation.PSCredential($username,$password)
    $ouPath = $oupath
    # Single quotes keep the variables unexpanded until Invoke-Expression evaluates the string
    $cmd = 'Add-Computer -DomainName $domain -Credential $credential -OUPath $ouPath -Restart'
    $runas = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    # Only attempt the join when the current identity is in the local Administrators role
    if (-NOT $runas.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        $log = "not running as admin"
        $log | out-file -Filepath $logger -append
    } else {
        $log = "running as admin, about to run $cmd"
        $log | out-file -Filepath $logger -append
        Invoke-Expression -Command $cmd
    }
}
```
Ral*_*gum 12
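The answer was simpler than I thought: when the script is run through an automation tool (CloudFormation or Ansible), it runs as the local administrator. When run manually, however, it runs as domain\admin. So all I needed to do was call it with the username $username = "mydomain\my-domain-user" instead of simply "my-domain-user". Hope this helps people who run into the same problem...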
小智 5
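Taken from: http://www.gi-architects.co.uk/2017/01/powershell-add-computer-error-when-execulated-remotely/

The root of the problem (assuming your password is correct) is that when run interactively the domain is prepended for you, so you only need to supply the user. In a non-interactive environment, however, the domain isn't known. It is a very simple fix: make sure you include the short domain name, e.g. "contoso\DMAdmin", or the full FQDN, "DMAdmin@contoso.com".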
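The fix both answers describe, as an added example that is not code from the original posts: qualify a bare user name before building the credential, so the join behaves the same under CloudFormation or Ansible as it does interactively. The function names, parameters and log path are assumptions; the UPN form assumes the account's UPN suffix equals the domain's DNS name, and the password is expected to arrive already as a SecureString.

```powershell
# Added example; function and parameter names are assumptions, not from the posts.
function Resolve-JoinUserName {
    param(
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][string] $DomainName
    )
    # Already qualified (DOMAIN\user or user@domain): pass through unchanged.
    if ($UserName -match '[\\@]') { return $UserName }
    # Bare name: qualify in UPN form. Assumes the UPN suffix equals the domain DNS name.
    return ('{0}@{1}' -f $UserName, $DomainName)
}

function Join-DomainNonInteractive {
    param(
        [Parameter(Mandatory)][string] $DomainName,
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][securestring] $Password,
        [Parameter(Mandatory)][string] $OUPath,
        [Parameter(Mandatory)][string] $LogPath   # hypothetical log file location
    )
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Add-Content -Path $LogPath -Value 'already in domain'
        return
    }
    $qualified  = Resolve-JoinUserName -UserName $UserName -DomainName $DomainName
    $credential = New-Object System.Management.Automation.PSCredential($qualified, $Password)
    # Log the account name actually used, so a local-vs-domain mix-up is visible afterwards.
    Add-Content -Path $LogPath -Value "joining $DomainName as $qualified"
    try {
        # Direct call instead of Invoke-Expression; -ErrorAction Stop turns a failed join
        # into a terminating error the automation tool can see.
        Add-Computer -DomainName $DomainName -Credential $credential `
                     -OUPath $OUPath -Restart -ErrorAction Stop
    } catch {
        Add-Content -Path $LogPath -Value "join failed: $($_.Exception.Message)"
        throw
    }
}

# Constructed inputs covering the three cases (bare, DOMAIN\user, UPN):
'DMAdmin', 'contoso\DMAdmin', 'DMAdmin@contoso.com' |
    ForEach-Object { Resolve-JoinUserName -UserName $_ -DomainName 'contoso.com' }
```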