Important Notice: On February 29th, this community was put into read-only mode. All existing posts will remain but customers are unable to add new posts or comment on existing. Please feel to join our Community Discord for any questions and discussions.

Add computers of Inventory Collection to AD Security Group

Hello All,

This may be a long shot, but I'm hoping someone can help me out with finding a way to take a PDQ Inventory Dynamic Collection and some how automate the results of said group to update membership of an AD Security Group.

We're licensed for Deploy and Inventory Enterprise versions.

Essentially, I have a Dynamic Collection in Inventory named 'Laptops'. There are 75 devices in that collection.  Is there anything within Deploy/Inventory that can take those results, and add them as members of an AD security group?  Then a step further, as new Laptops are added/removed from that collection, add/remove members of said AD Group without manual intervention?

Long story short, we use Microsoft DirectAccess for connection back to your office for our Laptops/Tablets.We limit the access based on that 'Laptops' AD group.  Many times after our staff sets up new laptops, we generally forget to add them to this group manually each time.

0

Comments

7 comments
Date Votes
  • Not natively. But with some tweaking of some SQL on the server where Inventory is installed, and some Powershell, this is definitely possible. This is the long way.

     

    This can probably be better served with an OU in AD that the laptops go into, and a GPO that assigns the security group to members in that OU. That would be the better way to handle it. This is the short way.

    0
  • Thanks.  I'll look into the SQL Queries as well.  Our SQL guy can help me with that.  

    I was venturing with Powershell already and grabbing WMI information.  I then starting thinking about PDQ Inventory Collections because it keeps a history of the WMI information not needing the PC to be powered on when running a query based on Chassis type or Battery presence.

    The OU is a tough one as our staff doesn't always drop them in the proper OU.  Each department is has a separate OU and a Laptop OU underneath of it.  That's more of a training issue on our part, though.  This is early stages so I have some time yet.

    I'm fine with powershell and a scheduled task as well, but I will post out on the TechNet community for help with that.

    I'll do some trial and error testing with Deploy and some scripts.  Worst case I could run a re-occuring job to trigger a local script on each machine of the Inventory Collection that adds itself to the AD group.

    Like anything IT, there's multiple ways of accomplishing this but have to find the simplest way.

    0
  • Think I found a relative easy way of adding each PC but running into a snag.  I created a new package which just runs the following powershell command:

    #### 'Direct Access Allowed PCs' is the AD Group name.###
    #### Requires Powershell v5 on the Client PC - Win 10 comes with v5 already ###

    Add-ADGroupMember "Direct Access Allowed PCs" -members $env:computername$

     

    This seems to work fine when I run it locally from the PC, but not when I'm running from the package. The deployment user account is a domain admin which would have the ability to add members to AD groups. 

    Any ideas?

     

     

    0
  • Add-ADGroupMember is a cmdlet of the ActiveDirectory module for Powershell. It gets installed by default with the addition of the RSAT tools for remote AD administration. The package is run locally on the target, and if your target does not have that AD module, then that command is not going to work and result in an error.

    0
  • Oh shoot...back to the drawing board.  Thanks for the heads up, Stephen.

    0
  • Anytime!

    0
  • There is a command line utility for interfacing with PDQ Inventory.

    # Generate the list of laptops
    $Laptops = & "C:\Program Files (x86)\Admin Arsenal\PDQ Inventory\PDQInventory.exe" GetCollectionComputers "Successfully Scanned\Normal Workstations\Chassis Type\Laptops"

    # Clear the group
    Get-ADGroupMember "Direct Access Allowed PCs" | Remove-ADPrincipalGroupMembership -MemberOf "Direct Access Allowed PCs" -Confirm:$false

    # Add all of the laptops to "Direct Access Allowed PCs"
    Foreach ( $Laptop in $Laptops ) { Get-ADComputer $Laptop | Add-ADPrincipalGroupMembership -MemberOf "Direct Access Allowed PCs" }

     

    0