jump to navigation

New for MDT 2010: ZTIDomainJoin.wsf December 8, 2009

Posted by keithga in MDT 2010, VBscript.

One of the new scripts for MDT 2010 is the ZTIDomainJoin.wsf script. This script will operate like NetDom.exe, Joining the machine to the Domain specified in the customsettings.ini and/or Deployment Wizard.

Normal Process

Before MDT 2010, the variables collected in the wizard for joining the domain were placed directly into the unattend.xml or unattend.txt file. The OS would then perform the join to the domain during (OOBE) Setup.

This tool came about because of several scenarios that could prevent the machine from successfully joining the domain during Windows Setup. For example. If the network did not have DHCP available, Windows Setup is not programmed with the correct Static IP address settings necessary for the Join Domain feature to contact the domain controller. Later on in the Task Sequence Steps, the ZTINICConfig.wsf script would correctly configure the Network Cards, however it was too late for joining the domain.

So we developed a new script ZTIDomainJoin.wsf as a thin wrapper around the WMI call Win32_ComputerSystem:JoinDomainOrWorkgroup(). If the script sees that the machine is already joined to the correct domain, no problem, it continues on, without any errors. However, if the script sees that a request was made to join the domain, and the machine is *not* in that correct domain, then it will attempt to join the domain and reboot. If there is a failure joining the domain, the script will retry up to 3 times before logging a failure and continuing.

Domain Policies that break MDT

Another scenario where this script works well is when a Domain has a Policy that blocks automation. For example a Legal disclaimer at login, or a rename of the local Administrator Account. Either one of these changes will break MDT.

One possible work around in these scenarios is to *remove* the domain join entries in the unattend.xml and unattend.txt templates on your MDT server, or remove the entries in the ZTIConfigure.xml script. Once removed, the ZTIConfigure.wsf script won’t populate the unattend.txt with the correct variables gathered form the CustomSettings.ini file and/or Deployment Wizard.

Then add the ZTIDomainJoin.wsf script near the *end* of the Deployment Task Sequence. Most of the automation will be complete by that point.


It takes the following variables:

  • JoinDomain – Name of domain to join
  • DomainAdmin – User Account used to Join Domain (must have permissions to perform Domain Join)
  • DomainAdminDomain – Domain of User account used to Join Domain
  • DomainAdminPassword – Password used to Join Domain
  • MachineObjectOU – Domain OU to join
  • DomainErrorRecovery – [Auto|MANUAL|FAIL]
    • Auto – Automatically try to Join to the domain, reboot and retry if there is a failure.
    • Manual – Stop processing the Task Sequence, and wait for the user to manually join the domain.
    • Fail – Stop the Task Sequence if the machine has not joined the domain.


Fail could be useful if you have applications that *require* the machine to be part of the domain. If for any reason, the machine failed to join the domain, you could call the ZTIDomainJoin.wsf script with the “Fail” Parameter to crash the installation process if the machine is not joined to the domain.

Manual style is a new feature in MDT 2010, where MDT can “Halt” the execution of the Task Sequence, and allow the user the ability to perform manual steps (without the pesky Task Sequence progress bar, which insists that it remain on “top”). Just follow the instructions to restart the task sequence.


Keith Garner is a Deployment Specialist with Xtreme Consulting Group


1. JosephC - April 20, 2012

I keep receiving a bad username or password error. I’ve tried two accounts, same error (and it will eventually lock the account). I’ve moved a custom task to the bottom the ts and have it run the ZTIDomainJoin.wsf, I’ve set the domain and account information in the cs.ini file. Is there somewhere else where the script is pulling the credentials from? Should I be setting the details it needs somewhere other than the cs.ini file?

2. Paul - April 19, 2012

The easiest solution I’ve found for this problem is from this blog: http://www.microtom.net/?p=675

Paul - April 19, 2012

When I say this problem, i should have been more clear!! I mean the problem of Legal Notice of a ‘disclaimer’ prompt at logon breaking autologon in MDT

3. ZTIDomainJoin.wsf and 0×534 error in Netlogon.log | MSitPros Blog - February 2, 2012

[…] So I have read that this will break MDT. I first read about it in Johan Arwidmarks blog (this guy has seen it all). This article here: http://www.deployvista.com/Blog/JohanArwidmark/tabid/78/EntryID/147/language/en-US/Default.aspx I suggest 2 workarounds. One is to enable WMI queries on the group policy object that has the logon message box setting. This was not an option in my scenario. So I choose to go for option number 2. Postpone the domain join process. Johan referred to a blog article by Keith Garner (on of the MDT developers). This one: http://deployment.xtremeconsulting.com/2009/12/08/new-for-mdt-2010-ztidomainjoin-wsf/ […]

4. njbasecamp - January 10, 2012

Hey all, A few questions on this one. I ware many hats here and my experiences is limited with MDT not non existent just limited.

After a number of changes things on our network are happening much faster SCCM and GPOs are causing my image to fail or hang some of the time. I need to move the join domain to the end of the image process.

If someone has some instructions or could show me exactly what lines I need to remove to make this happen I would be most appreciated.

I made two or three attempts to do this myself but I have failed. I edited CS.ini to remove the domain stuff moved the recovery TS to the end but it never gets their it fails stating it cant pass credentials. I would like to have the Join Domain piece stay automated just happen as the last TS or just before the last TS.


5. MDT 2010 Deploy Windows 7 – Join the computer to the domain - myITforum.com | myITforum.com - November 11, 2011

[…] blog talks about the workaround for scenario like this, I followed the instruction […]

6. Eni Spetsi - June 19, 2011

I want to skip this section, i need to install 20 machines,and i don’t want to join the domain and ask me all the time for username password and domain.

7. Jamie - June 16, 2011

I’ve moved “Recover From Domain” as the very last action and this does work as expected however an automatic reboot is still performed after this just before the deployment process is completed and final summary is displayed. Because the domain has been joined with GPOs already applied to the computer (Refresh of existing computers) the initial problem where autologon still attempts to logon as the domain administrator rather than local occurs and so doesn’t automatically finish the deployment.

Am I missing something? Should I be adding the ZTIDomainJoin script at the end instead of the “Recover from domain” action?

Ta, Jamie

8. Phil - March 21, 2011

Hi Keith
I wish to NOT join the domain and I have commented out the two references to “JoinDomain” in ZTIConfigure.xml but the task still successfully joins the domain during Recover From Domain.

Can you confirm that I have commented out the correct sections?

Many thanks, Phil

9. Blaine - January 21, 2011

I use the Recover from domain as basically the last step before the final dialog box comes up, but since the recover from domain script reboots, I still ocassionally run into the policies taking affect and depending on OU changing the admin name or requiring manual login of .\administrator. Is there anyway to suppress the reboot and just have litetouch finish up? I get the legal notice the majority of the time anyway after reboot, so its one manual step regardless if I do a manual reboot myself at the end to apply the domain join.

10. Eben - October 13, 2010

Hey keithga,

Hope you are well? The above worked for my Windows XP deployment with MDT 2010. However, I tried the same now with MDT 2010 update 1 and Windows 7, and I’m again strugling with the GPO that break my auto logon in MDT? Any help or advice would be much apreciated.


11. walid_zohair@rayacorp.com - July 29, 2010

how to edit Unattend.xml to remove the join domain ?

12. MDT 2010 Deploy Windows 7 – Join the computer to the domain - Ying Li(MVP) at myITforum.com - June 13, 2010

[…] blog talks about the workaround for scenario like this, I followed the instruction […]

13. Ying - June 3, 2010


I have a similar problem where automatic domamin breaks MDT (because we have a GPO in place to deploy SCCM Client). I am trying to use the method you mentioned above but I have some confusions regarding your instructions
So I remove the domain join entries in CS.ini;
add a TS (ZTIDomainjoin.wsf) to the “end” of deployment;
where I put those “Variables”?


14. Joseph Ozdemir - April 13, 2010

Hi Keith,

Just after some advice here – I want to use ztiwindowsupdate.wsf to install all approved updates from a WSUS server, however due to domain policy windows updates are disabled (We’re still using SMS for workstation patching)…therefore script fails.

Unfortunately my application installations are running from a dfs share on the network so I’m not sure how well authentication is going to go without the machine being on the domain prior to application installation.

Is there any way you can think of that I can structure my task sequence in such a way as to 1) Pull Windows Updates from WSUS, 2) Join Domain using ztidomainjoin.wsf and 3) Install Applications.

I’m aware though that there is a post application installation Windows Update task be default in the sequence, but I’d like to think that I would receive most windows updates with just the one task?

Any ideas you might have would be greatly appreciated.

15. Richard Tracy - April 7, 2010

Can u post detailed instructions on how to deploy using the refresh/replace and unattendjoin method that have static IP assigned to the hosts?
I have been successful at getting the task sequence to capture the current hosts network configurations and applying them to the litetouch PE so it can connect to the deployment share, but I can’t get LitetouchPE to pass the network settings after it has deployed the OS (windows 7 ) but before it tries to join the domain. Obviously it will fail and once I manually insert the the correct network configurations, and start the litetouch.wsf sequence again it will contiune the rest of the process and finish the deployment…but now I must join the computer to the domain myself. Any ideas?

16. Stephen - March 9, 2010

I’ve got a strange problem using SCCM and MDT 2010, the domian join always works, but sometimes the machine account ends up in the default OU instead of the one specified in the Task Sequence step. It only happens very occasionaly, and there’s nothing of use in the NetSetup.log file as the actual domain join has been successful. Can anyone provide any ideas of where to look next?

tmintner - March 9, 2010

One thing to check to see is if the machine existed in that container already before the domain join. When you are joining a machine to the domain that already exists in the domain it will always stay in the OU or container that it was originally part of.

17. keithga - March 5, 2010

(Sorry about the delay in responding)…
Yes, if you do nothing at the start of the MDT installation process, the machine will automatically be joined to a Workgroup. YOu can then add the ZTIDomainJoin.wsf script at the *end* of the MDT installation process, just before the final reboot, that should be good.

18. Eben - February 26, 2010

keithga – Thank you so much for this help! I am new to MDT and this is my first deployment for a large company. I allso struggle for days with the GPO that renamed the local admin account. I removed the Domain Join Entries from the ZTIConfigure.xml script, and it is now not jouning the Domain at the beginning. I want to join a workgroup at that point, which is correct. What do I have to do to have to workgroup name auto filled in and continue without my interaction at that stage?

Your help is much apreciated!!!

19. tmintner - December 17, 2009

ZTIDomainJoin is pulling the variables from the wizard values that you populated when you started the deployment process or from variables in the customsettings.ini.

The unattend.txt file would be used for a complete deployment if you were installing XP from source files. When you capture the image, it uses sysprep.inf. When the image is deployed the sysprep.inf in the image is used and updated with variables from the deployment.

20. Fred - December 16, 2009

I thought unattend.txt was only use to guide an install from the CD source files and sysprep.inf was used for the mini-setup values from a reference machine restore (from image). I’m confused about when sysprep.inf/unattend/custom settings/machines details/roles details come in where. Then you find three or more sysrpeps and unattends and WHAM I’m spinning.

Where is ZTIDomainJoin.wsf pulling its variables from? From the command line in the task sequence? From values in the machine/role/custom settings rules? I think I’m reading custom settings but I didn’t know variables like DomainErrorRecovery was available in there.

I keep getting everying running like a top.. then I have to modify something and the house of cards comes down again 🙂 I’m going to hammer this out eventually. So many moving parts!

21. Rliving - December 9, 2009

Hi Keith,

Using the ZTIDomainJoin.wsf and the “MachineObjectOU” variable, would this be the correct syntax to define the OU to join?


In Netdom.exe, it uses this syntax:


keithga - December 9, 2009

Yes, good catch, I forgot to meniton MachineObjectOU, and yes you are using the correct syntax!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: