I need to add various applications groups to the computers in an OU, that will be pushed out later. In AD, I go to OU, right click on the respective computer and click properties and then go to "member of" tab, and then add the various groups.
How can I automate these steps using PowerShell, so that it will apply these groups to all the computers in that OU?
import-module ActiveDirectory
$allComputers = #()
$ADgroup = "Computer Policy Application Group"
$theOU = [ADSI]"LDAP://OU=AnOU,DC=some,DC=test,DC=com"
foreach ($item in $theOU.psbase.Children) {
if ($item.ObjectCategory -like '*computer*') {
$allComputers += $item.Name
}
}
foreach ($pc in $allComputers) {
Add-ADGroupMember $ADgroup $pc
}
Then of course, you can add more groups, or setup an array of groups and iterate through it adding as you go... This will throw a lot of errors if the computer is already part of the group, by the way.
If you are using server2008 or newer (or have the required components installed) this is the simplest solution I have found.
$groupList=#("group1","group2","group3")
foreach ($Comp in (Get-AdComputer -server $ADServer -searchBase "OU=computers,DC=company,DC=com" -searchscope oneLevel")) {
foreach ($Group in $groupList) { Add-ADGroupMember -Identity $Group -Members $Comp -Server $ADServer }
}
Be sure to populate the $groupList variable with an array of the samaccountnames of the groups you wish to add, and to replace "OU=computers,DC=company,DC=com" with the LDAP Path to the OU containing the computers you wish to add permissions to.
Using the ActiveDirectory module, you can either user Add-ADPrincipalGroupMember or Add-ADGroupMember.
The former 'Adds a member to one or more Active Directory groups' whilst the latter 'Adds one or more members to an Active Directory group'.
Related
Following situation: You have ForeignSecurityPrincipals in your AD Groups. But Remove-ADGroupMember cannot remove them, since it does not support removing "ForeignSecurityPrincipal". Using the DOMAIN\SamAccountName Method is not available as well, since that old domain does not exist any more. On top you are not allowed to use external modules since that company does not want external modules.
I needed this functionality today for a mass-cleanup job, as written without needing extra modules, and without having the old AD available since it was already killed. Found nothing, so I developed this solution and share it.
You have to get the DOMAINSID first, which should be simple. My example uses -Server since the "adminforest" is not the same as the forest of the groups to be modified. It searches all groups from the given OU, selects all groups with members matching the DOMAINSID, and then removes each member matching the DOMAINSID from those groups.
Don't forget to set $WhatIf=$false, else it runs in "we test only" mode.
$Groups = Get-ADGroup -Server other.domain.local -Filter * -SearchBase "OU=Groups,OU=SubOU,OU=Subsidary,DC=OTHER,DC=DOMAIN,DC=LOCAL" -Properties *
$GroupsWithForeignMembers = #($Groups.Where({$_.member -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
$WhatIf=$true
foreach ($Group in $GroupsWithForeignMembers) {
$MemberForeign= #((Get-ADGroup -Server bk.bwl.net -Identity $Group.SamAccountName -Properties member).member.Where({$_ -like "*S-1-5-21-2631234548-991234592-3812345124*"}))
foreach ($Member in $MemberForeign) {
"Removing $Member from $($Group.SamAccountName)" | Tee-Object -Append "GROUPS-cleanup.log"
Set-ADObject -Server other.domain.local -Identity $Group -Remove #{member=$Member} -Verbose -WhatIf:$WhatIf
}
}
I have the script below to give me the distinguished name for groups in a spreadsheet I have. The issue is, the groups are located in another domain. How do I point my script to that domain? Issue is I know I have to be logged in to that domain to run it but I cant.
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group | Select-Object distinguishedName
}
The cmdlets in the Active Directory module support passing in the value of the domain controller you are wanting to query. By default when you call Get-ADGroup (or any of the other) it will validate what domain it should query by checking the domain of your current machine.
The other option is to provide the -Server (doc) with the value of the Active Directory Domain Services you want to execute your query against.
You can also provide the -Credential parameter with a PSCredential object that contains your login for that other domain. This is required if the current login of your PowerShell session is not authorized to authenticate against that other domain.
So your example script would look something like this:
$AdDomain = "whatever.company.local"
$adCred = Get-Credential
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group -Server $AdDomain -Credential $adCred | Select-Object distinguishedName
}
I'm trying to remove all computers from the wk_test security group and then add all the computers in the default 'Computers' container in AD to the (now-empty) wk_test security group.
However, I don't want to export the computers to a list and then import them back into the security group.
I have the first part of the script working properly, and it removes the computers from the wk_test group with no errors. My issue is adding the computers to the wk_test group from the "computers" container.
Remove-ADGroupMember "wk_test" -Members (Get-ADGroupMember "wk_test") -Confirm:$false
Add-ADGroupMember -Identity "wk_test" -Members (Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org") -filter*
I think the main problem is that I am attempting to copy from the computers container. Most of the advice on the internet refers to copying from an OU and not a container.
The Add-ADGroupMember documentation says:
You cannot pass user, computer, or group objects through the pipeline to this cmdlet.
Which I think is what you are trying to do.
I've used this method before to add computers from an OU to a group:
Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -Filter * | foreach {Add-ADGroupMember "wk_test" -Members $_.DistinguishedName }
But I think you could also modify your code like this, but I've not tested this as I'm not on domain at the moment.
$Computers = Get-ADComputer -SearchBase "CN=computers,DC=ad,dc=org" -filter* | select -ExpandProperty DistinguishedName
Add-ADGroupMember -Identity "wk_test" -Members $Computers
If you are moving them, why not use Move-ADObject.
So it would be:
Get-ADGroupMember "wk_test" | Move-ADObject -TargetPath <ou path>
This may be the wrong approach, but I have used the last couple of days experimenting with the foreach in PowerShell (I use Ver. 5 of PowerShell).
What I am looking for is a way to add a list of computers that I already have into a list of AD groups that I already have. So I used Get-Content for importing the 2 .txt files, and I also learned that AD groups in PowerShell uses -Identity instead of name I don't know the reason for that decision. But nevertheless I came up with this:
$Apps = Get-Content C:\Scripts\Apps.txt
$Computers = Get-Content C:\Scripts\Computers.txt
foreach ($App in $Apps) {
Add-ADGroupMember $Apps -Identity $Computers
}
My problem is that it works of I only have 1 AD group in the Apps.txt file. If I add more groups PowerShell goes all red on me, and then my computer starts crying.
In Computers.txt I have listed the computer accounts with a $ at the end, and they are on seperate lines, like this:
PC1$
PC2$
In Apps.txt the AD groups are on seperated lines without any commas or semmicolons or anything.
Change $Apps to $App in the line Add-ADGroupMember $Apps -Identity $Computers
and also the -Identity parameter is the AD Group name. You also will need to use the -Members parameter for the users. E.g.
Add-ADGroupMember -Identity $App -Members $Computers
I'm trying to remove all the principal group memberships starting with the name of all computer accounts in one specific ou.
I've tried browsing to the OU with the AD provider, typing gci and getting a list of all the computers in the ou to find their ADPrincipalGroupMembership which works. Also, using get-adcomputer -searchbase <ou> -filter * works too. But I can't then remove every group that each machine is a member of.
When I then try to expand on that with remove-ADPrincipalGroupMembership, my input for the groups to remove are system.string and remove-ADPrincipalGroupMembership won't accept that. I have something like this so far/
Get-ADComputer -SearchBase 'OU=blahblah' -Filter * |
Remove-ADPrincipalGroupMembership -MemberOf (Get-ADGroup -Filter 'name -like "17"')
I've read help and examples but I can't find how to do this. I don't want to give up and just use the gui :)
thank you
You can try this...I am not able to test it to confirm it works, but I think it should.
$Comps = Get-ADComputer -SearchBase 'OU=blahblah' -Filter * -Prop MemberOf
Foreach ($Comp in $Comps)
{
$Groups = $Comp.MemberOf | ? {$_ -like "CN=17*"}
if ($Groups)
{
Remove-ADPrincipalGroupMembership -Identity $Comp -MemberOf $Groups -Whatif #-Confirm $False
}
}
Assuming it works with the -whatif statement, by default I believe that command will prompt you if you're sure about each removal which could be a pain so you could uncomment -confirm $false to try and avoid that.
Also it is assuming the distinguished name of each group is going to be something along the lines of
CN=17groupA,OU=Computer Groups,OU=Computer,DC=TEST,DC=NET