From 0b26a6a64ed50d0fd43f8741cfae1a74d8c15945 Mon Sep 17 00:00:00 2001 From: mabdc-admin Date: Mon, 30 Mar 2026 19:45:21 +0000 Subject: [PATCH] Add domain-join.ps1 --- domain-join.ps1 | 197 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 197 insertions(+) create mode 100644 domain-join.ps1 diff --git a/domain-join.ps1 b/domain-join.ps1 new file mode 100644 index 0000000..f3745ea --- /dev/null +++ b/domain-join.ps1 @@ -0,0 +1,197 @@ +#Requires -RunAsAdministrator +<# +.SYNOPSIS + MABDC Domain Join Script +.DESCRIPTION + Joins a Windows 11 Pro/Enterprise PC to the MABDC domain, + installs Chocolatey, adds the MABDC package feed, and + triggers auto-provisioning of all base packages. +.NOTES + Run as Administrator on a fresh Windows 11 Pro/Enterprise PC. + Requires internet access to dc1.mabdc.org and repo.mabdc.com. +#> + +param( + [Parameter(Mandatory=$true)] + [string]$Department, + + [Parameter(Mandatory=$false)] + [string]$PCName, + + [Parameter(Mandatory=$false)] + [string]$AdminUser = "Administrator", + + [Parameter(Mandatory=$false)] + [string]$DomainName = "mabdc.org" +) + +$ErrorActionPreference = 'Stop' +$LogFile = "C:\MABDC\Logs\domain-join.log" + +function Write-Log { + param([string]$Message) + $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss" + $entry = "[$timestamp] $Message" + Write-Host $entry -ForegroundColor Green + Add-Content -Path $LogFile -Value $entry -ErrorAction SilentlyContinue +} + +# Pre-flight checks +Write-Log "=== MABDC Domain Join Script v1.0 ===" +Write-Log "Starting pre-flight checks..." + +# Check Windows edition +$edition = (Get-WindowsEdition -Online).Edition +if ($edition -match "Home|Core") { + Write-Host "ERROR: Windows 11 Home cannot join a domain. You need Pro or Enterprise." -ForegroundColor Red + exit 1 +} +Write-Log "Windows Edition: $edition ✓" + +# Check if already domain-joined +$currentDomain = (Get-WmiObject Win32_ComputerSystem).Domain +if ($currentDomain -eq $DomainName) { + Write-Log "PC is already joined to $DomainName. Skipping domain join." +} else { + Write-Log "Current domain: $currentDomain (will join $DomainName)" +} + +# Create MABDC directories +$dirs = @("C:\MABDC", "C:\MABDC\Config", "C:\MABDC\Logs", "C:\MABDC\Wallpapers", "C:\MABDC\Scripts", "C:\MABDC\Certs") +foreach ($dir in $dirs) { + if (!(Test-Path $dir)) { + New-Item -ItemType Directory -Path $dir -Force | Out-Null + Write-Log "Created $dir" + } +} + +# Set PC name if provided +if ($PCName) { + $currentName = $env:COMPUTERNAME + if ($currentName -ne $PCName) { + Rename-Computer -NewName $PCName -Force + Write-Log "PC renamed to $PCName (reboot required)" + } +} + +# Configure DNS to point to AD server +Write-Log "Configuring DNS..." +$adapters = Get-NetAdapter | Where-Object Status -EQ 'Up' +foreach ($adapter in $adapters) { + Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses ("159.195.41.59", "45.90.28.0") + Write-Log "DNS set on adapter: $($adapter.Name)" +} + +# Test AD connectivity +Write-Log "Testing connection to AD server..." +$adTest = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 389 -WarningAction SilentlyContinue +if ($adTest.TcpTestSucceeded) { + Write-Log "AD server reachable on LDAP (389) ✓" +} else { + Write-Log "WARNING: Cannot reach AD server on port 389. Trying port 636 (LDAPS)..." + $adTest2 = Test-NetConnection -ComputerName "dc1.mabdc.org" -Port 636 -WarningAction SilentlyContinue + if ($adTest2.TcpTestSucceeded) { + Write-Log "AD server reachable on LDAPS (636) ✓" + } else { + Write-Host "ERROR: Cannot reach AD server. Check network/firewall." -ForegroundColor Red + exit 1 + } +} + +# Join domain (if not already joined) +if ($currentDomain -ne $DomainName) { + Write-Log "Joining domain $DomainName..." + $cred = Get-Credential -Message "Enter domain admin credentials for $DomainName" + + $ouPath = "OU=$Department,DC=mabdc,DC=org" + try { + Add-Computer -DomainName $DomainName -OUPath $ouPath -Credential $cred -Force + Write-Log "Successfully joined $DomainName in OU=$Department ✓" + } catch { + Write-Log "Trying without OU specification..." + Add-Computer -DomainName $DomainName -Credential $cred -Force + Write-Log "Successfully joined $DomainName (default OU) ✓" + } +} + +# Install Chocolatey +Write-Log "Installing Chocolatey package manager..." +if (!(Get-Command choco -ErrorAction SilentlyContinue)) { + Set-ExecutionPolicy Bypass -Scope Process -Force + [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072 + Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')) + Write-Log "Chocolatey installed ✓" +} else { + Write-Log "Chocolatey already installed ✓" +} + +# Refresh PATH +$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User") + +# Add MABDC Chocolatey source +Write-Log "Adding MABDC package repository..." +choco source add --name=mabdc --source="https://repo.mabdc.com/api/packages/mabdc/nuget/v2" --priority=1 -y +Write-Log "MABDC repo added ✓" + +# Install base packages +Write-Log "Installing base packages (this may take several minutes)..." + +$basePackages = @( + "mabdc-base-config", + "mabdc-debloat", + "mabdc-nextdns-config", + "mabdc-wallpaper", + "mabdc-chrome-enterprise", + "mabdc-rustdesk" +) + +foreach ($pkg in $basePackages) { + Write-Log "Installing $pkg..." + choco install $pkg --source=mabdc -y --no-progress 2>&1 | Out-Null + if ($LASTEXITCODE -eq 0) { + Write-Log "$pkg installed ✓" + } else { + Write-Log "WARNING: $pkg may have had issues (exit code: $LASTEXITCODE)" + } +} + +# Install department-specific packages +Write-Log "Installing department packages for: $Department" +$deptPackage = "dept-$($Department.ToLower())" +choco install $deptPackage --source=mabdc -y --no-progress 2>&1 | Out-Null + +# Set up auto-update scheduled task +Write-Log "Setting up automatic package updates..." +$action = New-ScheduledTaskAction -Execute "choco" -Argument "upgrade all -y --source=mabdc --no-progress" +$trigger = New-ScheduledTaskTrigger -Daily -At "2:00AM" +$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -DontStopOnIdleEnd +Register-ScheduledTask -TaskName "MABDC-AutoUpdate" -Action $action -Trigger $trigger -Settings $settings -User "SYSTEM" -RunLevel Highest -Force | Out-Null +Write-Log "Auto-update scheduled for 2:00 AM daily ✓" + +# Save join metadata +$metadata = @{ + pcName = $env:COMPUTERNAME + department = $Department + joinedAt = (Get-Date -Format "yyyy-MM-dd HH:mm:ss") + joinedBy = $env:USERNAME + windowsEdition = $edition + windowsVersion = [System.Environment]::OSVersion.Version.ToString() + domainName = $DomainName + packagesInstalled = $basePackages +} | ConvertTo-Json -Depth 3 +Set-Content -Path "C:\MABDC\Config\join-metadata.json" -Value $metadata -Force + +Write-Log "" +Write-Log "=========================================" +Write-Log " MABDC Domain Join Complete! 🎉" +Write-Log " Domain: $DomainName" +Write-Log " Department: $Department" +Write-Log " PC Name: $env:COMPUTERNAME" +Write-Log "=========================================" +Write-Log "" +Write-Log "A restart is required to complete the domain join." + +$restart = Read-Host "Restart now? (Y/N)" +if ($restart -eq 'Y' -or $restart -eq 'y') { + Restart-Computer -Force +}