failed to join domain with automated powershell script -- "unable to update password"

I'm trying to add a host to the domain with a PowerShell script. The script fails with the error below when it's called via CloudFormation or Ansible. It succeeds when I run it manually on the host.

I suspect I'm doing something wrong with users (I run as admin manually), so I've tried to force it to run as admin all the time. Unfortunately that didn't work either.

Has anyone seen this issue before?

Error:

> [DEBUG] Command 4-add-to-domain output: Add-Computer : Computer 'WIN-xxxxx' failed to join domain 'aws.cloud.bp.com' from its current workgroup 'WORKGROUP' with following error message: Unable to update the password. The value provided as the current password is incorrect.
> At line:1 char:1
> + Add-Computer -DomainName $domain -Credential $credential -OUPath $ouPath -Restar ...
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : OperationStopped: (WIN-K9DU7TO9331:String) [Add-Computer], InvalidOperationException
>     + FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand

PS1:

```powershell
# $domainname, $password, $uid, $oupath and $logger are set by the caller
# (CloudFormation / Ansible) before this block runs.
if ((gwmi win32_computersystem).partofdomain -eq $true)
{
    write-host "already in domain"
}
else
{
    $domain = $domainname
    # The password arrives as plain text and is wrapped in a SecureString for the credential
    $password = $password | ConvertTo-SecureString -AsPlainText -Force
    $username = $uid
    $credential = New-Object System.Management.Automation.PSCredential($username, $password)
    $ouPath = $oupath
    # Single-quoted so the variables are expanded by Invoke-Expression at run time
    $cmd = 'Add-Computer -DomainName $domain -Credential $credential -OUPath $ouPath -Restart'
    $runas = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

    if (-NOT $runas.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
    {
        $log = "not running as admin"
        $log | Out-File -FilePath $logger -Append
    }
    else
    {
        $log = "running as admin, about to run $cmd"
        $log | Out-File -FilePath $logger -Append
        Invoke-Expression -Command $cmd
    }
}
```
Ralph Wiggum asked Aug 18 '15 15:08


1 Answer

The answer was simpler than I thought: when the script is running via the automation tool (either CloudFormation or Ansible) it was running as local admin. However, manually it's running as domain\admin. Therefore what I needed to do is call it with the username $username = "mydomain\my-domain-user" rather than simply "my-domain-user". Hope this will help people hitting the same problem...

Ralph Wiggum answered Sep 21 '22 13:09
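The point of the accepted answer is that a bare user name in a PSCredential is resolved relative to the context the script runs in, so a SYSTEM/local-admin session handed "my-domain-user" looks it up as a local account and the join fails with the "current password is incorrect" message quoted above. The following script is an added example, not code from the original question or answer. It always qualifies the join account before building the credential (here as a UPN, user@domain, which works the same as the DOMAIN\user form in the answer but does not require knowing the NetBIOS domain name), keeps the elevation check, logs the identity the script is actually running as so the local-vs-domain mismatch is visible in the log, and calls Add-Computer directly instead of via Invoke-Expression so the arguments are never re-parsed as script text. The parameter names, the hypothetical log path and the placeholder values are assumptions of this example.

```powershell
# Added example (not from the original post). Parameters are assumed to be
# supplied by the caller (CloudFormation user data or an Ansible variable);
# the defaults below are placeholders.
param(
    [Parameter(Mandatory)] [string] $DomainName,     # e.g. 'corp.example.com'
    [Parameter(Mandatory)] [string] $JoinUser,       # 'joiner', 'CORP\joiner' or 'joiner@corp.example.com'
    [Parameter(Mandatory)] [string] $JoinPassword,
    [Parameter(Mandatory)] [string] $OuPath,         # e.g. 'OU=Servers,DC=corp,DC=example,DC=com'
    [string] $LogFile = "$env:ProgramData\domain-join.log"   # hypothetical log location
)

function Write-JoinLog([string] $Message) {
    ("{0:s} {1}" -f (Get-Date), $Message) | Out-File -FilePath $LogFile -Append
}

# Normalise the account name so the domain controller receives an unambiguous
# reference. A bare 'joiner' is resolved in the caller's security context; from
# a local-admin session that means a local account, which is the failure the
# question reports. Already-qualified names (DOMAIN\user or user@domain) are kept.
function Resolve-JoinUserName([string] $User, [string] $Domain) {
    if ($User -match '\\' -or $User -match '@') { return $User }
    return "$User@$Domain"
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Write-JoinLog "already in domain; nothing to do"
    return
}

if (-not (Test-IsAdministrator)) {
    Write-JoinLog "not running as admin; aborting"
    throw "Add-Computer requires an elevated session"
}

$qualifiedUser = Resolve-JoinUserName -User $JoinUser -Domain $DomainName
$secure        = ConvertTo-SecureString -String $JoinPassword -AsPlainText -Force
$credential    = New-Object System.Management.Automation.PSCredential ($qualifiedUser, $secure)

# Record who the script runs as: this is the line that shows a SYSTEM/local-admin
# context when launched from the automation tool versus DOMAIN\admin interactively.
Write-JoinLog ("running as {0}; joining {1} as {2}" -f
    [Security.Principal.WindowsIdentity]::GetCurrent().Name, $DomainName, $qualifiedUser)

try {
    # Direct cmdlet call: arguments are passed as objects, not re-parsed from a string.
    Add-Computer -DomainName $DomainName -Credential $credential -OUPath $OuPath -ErrorAction Stop
    Write-JoinLog "join succeeded; restarting"
    Restart-Computer -Force
} catch {
    Write-JoinLog ("join failed: {0}" -f $_.Exception.Message)
    throw
}
```

Two practical notes on the design: the join password still arrives as plain text from the orchestration tool, so it should be a dedicated join account delegated only the rights it needs on the target OU rather than a domain admin, and the "running as" log line is worth keeping even after the fix, because it is the quickest way to see which security context an automation agent actually launched the script in.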