Add computers of Inventory Collection to AD Security Group

Comments

7 comments

  • Stephen Valdinger

    Not natively. But with some tweaking of some SQL on the server where Inventory is installed, and some PowerShell, this is definitely possible. This is the long way.


    This can probably be better served with an OU in AD that the laptops go into, and a GPO that assigns the security group to members in that OU. That would be the better way to handle it. This is the short way.

  • Rory Schmitz

    Thanks. I'll look into the SQL queries as well. Our SQL guy can help me with that.

    I was venturing with PowerShell already and grabbing WMI information. I then started thinking about PDQ Inventory Collections because it keeps a history of the WMI information, not needing the PC to be powered on when running a query based on chassis type or battery presence.

    The OU is a tough one, as our staff doesn't always drop them in the proper OU. Each department has a separate OU and a Laptop OU underneath it. That's more of a training issue on our part, though. This is early stages, so I have some time yet.

    I'm fine with powershell and a scheduled task as well, but I will post out on the TechNet community for help with that.

    I'll do some trial and error testing with Deploy and some scripts. Worst case, I could run a recurring job to trigger a local script on each machine of the Inventory Collection that adds itself to the AD group.

    Like anything in IT, there are multiple ways of accomplishing this, but you have to find the simplest way.

  • Rory Schmitz

    Think I found a relatively easy way of adding each PC, but I'm running into a snag. I created a new package which just runs the following PowerShell command:

    # 'Direct Access Allowed PCs' is the AD Group name.
    # Requires PowerShell v5 on the client PC - Win 10 comes with v5 already.

    Add-ADGroupMember "Direct Access Allowed PCs" -members $env:computername$


    This seems to work fine when I run it locally from the PC, but not when I'm running from the package. The deployment user account is a domain admin which would have the ability to add members to AD groups. 

    Any ideas?

  • Stephen Valdinger

    Add-ADGroupMember is a cmdlet of the ActiveDirectory module for PowerShell. It gets installed by default with the addition of the RSAT tools for remote AD administration. The package is run locally on the target, and if your target does not have that AD module, then that command is not going to work and will result in an error.

  • Rory Schmitz

    Oh shoot...back to the drawing board.  Thanks for the heads up, Stephen.

  • Stephen Valdinger

    Anytime!

  • Bouma, Colby

    There is a command line utility for interfacing with PDQ Inventory.

    # Generate the list of laptops
    $Laptops = & "C:\Program Files (x86)\Admin Arsenal\PDQ Inventory\PDQInventory.exe" GetCollectionComputers "Successfully Scanned\Normal Workstations\Chassis Type\Laptops"

    # Clear the group
    Get-ADGroupMember "Direct Access Allowed PCs" | Remove-ADPrincipalGroupMembership -MemberOf "Direct Access Allowed PCs" -Confirm:$false

    # Add all of the laptops to "Direct Access Allowed PCs"
    Foreach ( $Laptop in $Laptops ) { Get-ADComputer $Laptop | Add-ADPrincipalGroupMembership -MemberOf "Direct Access Allowed PCs" }

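A differential version of the approach in the post above, added here as an example and not code from the thread or from PDQ: it only adds computers that are missing from the group and removes ones no longer in the collection, supports -WhatIf, and aborts rather than emptying the group when the PDQ export fails or returns nothing. The exe path, collection and group name are taken from the post; it assumes the ActiveDirectory module is installed where the script runs (the PDQ server or an admin workstation, not the laptops).

```powershell
# Added example (not from the thread): differential sync of an AD group from a
# PDQ Inventory collection. The exe path, collection and group name are taken
# from Colby's post; the ActiveDirectory module is assumed to be installed where
# this runs (PDQ server or admin workstation, not on the laptops themselves).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$GroupName  = 'Direct Access Allowed PCs',
    [string]$Collection = 'Successfully Scanned\Normal Workstations\Chassis Type\Laptops',
    [string]$PdqExe     = 'C:\Program Files (x86)\Admin Arsenal\PDQ Inventory\PDQInventory.exe'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Ask PDQ Inventory for the collection members (one hostname per line).
$wanted = @(& $PdqExe GetCollectionComputers $Collection |
    Where-Object { $_ -and $_.Trim() } |
    ForEach-Object { $_.Trim().ToUpperInvariant() })
if ($LASTEXITCODE -ne 0 -or $wanted.Count -eq 0) {
    # Refuse to touch the group if the export failed or came back empty; a
    # "clear then re-add" script would otherwise strip every member.
    throw "PDQInventory returned no computers for '$Collection' (exit code $LASTEXITCODE)."
}

# Current computer members of the group, keyed by hostname.
$current = @{}
Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $current[$_.Name.ToUpperInvariant()] = $_ }

$toAdd    = @($wanted | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { $_ -notin $wanted })

foreach ($name in $toAdd) {
    $computer = Get-ADComputer -Identity $name -ErrorAction SilentlyContinue
    if (-not $computer) { Write-Warning "No AD computer object for '$name'; skipping."; continue }
    if ($PSCmdlet.ShouldProcess($name, "Add to '$GroupName'")) {
        Add-ADGroupMember -Identity $GroupName -Members $computer
    }
}
foreach ($name in $toRemove) {
    if ($PSCmdlet.ShouldProcess($name, "Remove from '$GroupName'")) {
        Remove-ADGroupMember -Identity $GroupName -Members $current[$name] -Confirm:$false
    }
}
Write-Verbose ("Sync done: {0} added, {1} removed." -f $toAdd.Count, $toRemove.Count)
```

Run it once with -WhatIf -Verbose to review the planned adds and removals before scheduling it.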
