Renaming offline computer account on AD as part of OSD

10-11  Source: Network gathering  Views:1 

Advertisement
I am looking for an automated solution to a Windows 7 "rebuild" problem and here is the story:
We periodically have computer hard disk failures and the machines will be rebuilt on a new hard disk at the build center using the model-specific hardware "carcass". Once the hard disk is built, it will be sent over to the affected user and a field
engineer will swap the hard disks onsite and do the domain join work and anything else necessary so as to have the old computer name back.
To explain this further, say if the computer which had a hard disk failure is 123 (i.e. the computer name), we build a new Windows 7 machine on a new hard disk with the computer name as 123X. Once this machine is fully built, we need to delete the old 123
account from the AD and rename the newly built 123X to 123 (and do the domain re-join etc...).
However, the requirement is that the old 123 computer account should still stay in the domain for some time after the new machine is built (i.e. for data recovery/bit locker operations purposes if needed) which means we do not ideally want to delete the
old 123 computer account on the AD immediately, instead, we want to rename it as 123XY even though the old 123 computer is no longer physically active.
Is this technically possible? If so, can it be automated as part of SCCM OSD TS?
Hope I have not introduced too much of confusion. The problem has been reported by the build team and they have asked me to come up with an automated solution and I have tried to explain the problem above to the extent I have understood it. Currently what
they do is before deleting the computer account 123 from the AD, they back up its bitlocker recovery key information manually in order to use it later on should the need arise.
Thanks in advance.
Hi Garth,
Owing to the complexity it would have introduced into the build process to differently process new builds/rebuilds/hard disk replacement etc. we ended up ditching that option, instead went for a PowerShell scheduled task which runs every week and dumps the
bitlocker recovery info into a super-secret location :)
Below is the script if you are interested....
#Tweak the below line to point to the OU in your AD org where all the bitlockered computer objects reside
#It will run recursively against all sub-OUs.
$SearchBase = "ou=workstations,dc=contoso,dc=ad,dc=local";
#check if the output folder exists;Create it if it doesn't
If ((Test-Path -path "$(Split-Path $SCRIPT:MyInvocation.MyCommand.Path -parent)\Reports" -PathType Container) -eq $false) {
New-Item -path (Split-Path $SCRIPT:MyInvocation.MyCommand.Path -parent) -name 'Reports' -itemtype directory | Out-Null;
#set up the output csv name. An example output csv name will be BLR_15032015_Sunday.csv
$OutputCSV = "$(Split-Path $SCRIPT:MyInvocation.MyCommand.Path -parent)\Reports\BLR_$(Get-Date -format "ddMMyyyy")_$((Get-Date).DayOfWeek).csv"
Get-ADComputer -filter * -SearchBase $SearchBase -SearchScope Subtree -ResultSetSize $null -ErrorAction SilentlyContinue | Foreach-Object {
$Compname=$_.name;
Get-ADObject -Filter 'ObjectClass -eq "msFVE-RecoveryInformation"' -SearchBase $_.DistinguishedName -Properties created,name,msFVE-RecoveryPassword -ResultSetSize $null -ErrorAction SilentlyContinue |
Select-Object @{Name="Computer Name";Expression={$Compname}},
@{Name="Date Added";Expression={$_.created}},
@{Name="Password ID";Expression={$_.name -match '\{.+\}' | Out-Null;($matches[0]).Trim();}},
@{Name="Recovery Password";Expression={$_."msFVE-RecoveryPassword"}}
} | Sort-Object -Property @{Expression="Computer Name";Descending=$false},@{Expression="Date Added";Descending=$true} | Export-CSV -force -Path $OutputCSV -NoTypeInformation
Probably not what you would have been hoping for but it has worked really well for us in the last 6 months and there has never been a lost bitlocker key related incidence escalated by the customer as we always have the backup reports to go back to.
Apologies, it was impolite of me not to update this thread clarifying what I ended up doing.
Related articles