
PDQ Deploy Steps to Add Computer to AD Group

We currently have a VBScript which is part of our build which places a computer into several Active Directory Security groups for Application Group Policy Management. I am looking to decouple the script from the build to allow us to easily update which groups get added, in addition to when we amend the groups within AD - cutting down the number of updates to our Golden Images.

I'd like, if possible, to add a Package to PDQ Deploy with PowerShell steps to add the Target Machine to the specified AD Groups, but am struggling to pass the Computer Name. Could anyone assist? Many thanks. Ian

-1

Comments

8 comments
  • I've managed to get this working after reading the following thread: https://stackoverflow.com/questions/43981614/adding-computer-to-multiple-active-directory-groups-during-task-sequence-using-p 

    $Computer = Get-ADComputer -Identity $env:ComputerName
    foreach ($Group in @("GroupOne", "GroupTwo", "GroupThree")) {
        Add-ADGroupMember -Identity $Group -Members $Computer
    }

    The above code did the job if anyone else is looking for similar.


    0
  • Sorry - didn't work as I happened to be testing on a machine with RSAT installed - when I run this on a normal client it fails as the Active Directory PowerShell Module isn't loaded.

    0
  • You'll want to use the Add-Computer powershell cmdlet. Information here:

    https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1

    There are a couple of ways to do it. You can specify an OU path if the machine needs to go into a particular location, though you'll need to figure out the method that works best for you to get machines to go where they need to.

    In its simplest form it is:

    Add-Computer -DomainName "your.domain" -Restart
    0
  • I'm actually looking at adding the machine to an AD Security Group - the process is as follows:

    • Build Computer
    • Scan in PDQ Inventory
    • Run our existing "All New Computers" PDQ Deploy deployment which installs all custom applications
    • Run another PDQ Deploy deployment which adds the machine to the following AD Security Groups:
      - NET - Wireless LAN Computers
      - SOFTWARE-CLIENT-Google-Chrome-Enterprise
      - WSUS-PROD-WORKSTATIONS-Group

    At present we log in locally to the machine once it is built and run the following VBScript manually for each machine:

    Option Explicit

    Dim objNetwork, strComputer, objSysInfo, strComputerDN, objComputer
    Dim strDept, strRegion, strType
    Dim objGroupBase, objGroupSec, objGroupRed, objGroupLap

    ' Retrieve NetBIOS name of local computer.
    Set objNetwork = CreateObject("Wscript.Network")
    strComputer = objNetwork.ComputerName

    ' Retrieve DistinguishedName of corresponding computer object.
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN = objSysInfo.ComputerName

    ' Bind to the computer object.
    Set objComputer = GetObject("LDAP://" & strComputerDN)

    ' Add this computer to appropriate groups.
    ' Bind to the group object. A VBScript string cannot span lines, so the
    ' wrapped DN is joined with the "& _" continuation.
    Set objGroupBase = GetObject("LDAP://cn=NET - Wireless LAN Computers," & _
        "ou=Legacy - Admin,ou=Admin Groups,ou=Admin Users and Groups," & _
        "ou=Admin,ou=Shared Services,dc=<OUR_DOMAIN>")

    ' Check if already a member of each, and if not, add to the group.
    If (objGroupBase.IsMember(objComputer.ADsPath) = False) Then
        objGroupBase.Add(objComputer.ADsPath)
    End If

    ' Add this computer to appropriate groups.
    ' Bind to the group object.
    Set objGroupBase = GetObject("LDAP://CN=COMP-Google-Chrome," & _
        "OU=Application Security,OU=Security Groups,OU=WAHT Domain," & _
        "DC=<OUR_DOMAIN>")

    ' Check if already a member of each, and if not, add to the group.
    If (objGroupBase.IsMember(objComputer.ADsPath) = False) Then
        objGroupBase.Add(objComputer.ADsPath)
    End If

    ' Add this computer to appropriate groups.
    ' Bind to the group object.
    Set objGroupBase = GetObject("LDAP://CN=WSUS-PROD-WORKSTATIONS-Group," & _
        "OU=WSUS Security,OU=Security Groups,OU=WAHT Domain," & _
        "DC=<OUR_DOMAIN>")

    ' Check if already a member of each, and if not, add to the group.
    If (objGroupBase.IsMember(objComputer.ADsPath) = False) Then
        objGroupBase.Add(objComputer.ADsPath)
    End If

    ' Release the object references (object variables are cleared with
    ' "Set ... = Nothing", not by assigning Null).
    Set objNetwork = Nothing
    strComputer = Null
    Set objSysInfo = Nothing
    strComputerDN = Null
    Set objComputer = Nothing
    Set objGroupBase = Nothing


    I'm trying to get away from having to manually log into the machine or add the groups by hand within Active Directory. I have tried to just run the VBScript as per the article (https://support.pdq.com/hc/en-us/community/posts/211669867-VB-Scripts) but the machine is still not being added to the groups - if I run it locally on the machine it works fine.

    0
  • Scratch that - sorry everyone it was my script - I have amended and now working running via PDQ Deploy. Many thanks!

    0
  • Oh wow. Brain not working after a week off. Clearly we are talking security groups and not domain joining machines. Yikes! Sorry about that. 


    Ok, now that I'm on the same page a question: Does your Deploy User happen to be a domain account with privileges to add/change AD Security Groups? 


    If the answer is YES, try this:


    # Implicit remoting to leverage the ActiveDirectory module.
    # Create a PSSession to a domain controller (it'll have the ActiveDirectory module).
    # powershell.exe will remain open in the remote session until you close it; this is the beauty of implicit remoting!
    $session = New-PSSession -ComputerName "yourdc"

    # Import the ActiveDirectory module into the powershell.exe instance running in the remote session.
    # I'm suppressing red text here because this likes to get a bit confused about modules and will throw irrelevant errors sometimes.
    Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory -ErrorAction SilentlyContinue } -ErrorAction SilentlyContinue

    # Next we import the session into our local PS instance. This creates local proxy functions for the
    # ActiveDirectory cmdlets on the computer this script is running on.
    # The -Prefix parameter inserts the prefix after the verb, so the proxies are called
    # Get-remoteADComputer, Add-remoteADGroupMember, etc. (handy in some cases).
    Import-PSSession $session -Prefix remote

    # Now that we have local proxies for the module cmdlets we can go from there
    # (the un-prefixed Get-ADComputer would not exist on a client without RSAT):
    $Computer = Get-remoteADComputer -Identity $env:ComputerName
    foreach ($Group in @("NET - Wireless LAN Computers", "SOFTWARE-CLIENT-Google-Chrome-Enterprise", "WSUS-PROD-WORKSTATIONS-Group")) {
        Add-remoteADGroupMember -Identity $Group -Members $Computer
    }


    0
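The following is an added example, not code from the original comment, that puts the implicit-remoting approach above into a form suitable for a PDQ Deploy PowerShell step: the session is always removed in a finally block so no runspace is left open on the domain controller, membership is checked before adding so the step is safe to re-run, and the computer is passed by distinguished name rather than as a deserialized object. "yourdc" is a placeholder for your domain controller; the group names are the ones listed in the thread. It assumes the step runs as a domain account that has been delegated the right to modify membership of those groups.

```powershell
# Added example (not the original poster's code). Assumes the deploy account is a
# domain account with rights to change the membership of the groups below.
$DomainController = "yourdc"   # placeholder, replace with a real DC name
$Groups = @(
    "NET - Wireless LAN Computers",
    "SOFTWARE-CLIENT-Google-Chrome-Enterprise",
    "WSUS-PROD-WORKSTATIONS-Group"
)

$session = New-PSSession -ComputerName $DomainController -ErrorAction Stop
try {
    # Load the module in the remote runspace, then proxy its cmdlets locally under the
    # "remote" prefix: Get-ADComputer becomes Get-remoteADComputer, and so on.
    Invoke-Command -Session $session -ScriptBlock { Import-Module ActiveDirectory }
    Import-PSSession -Session $session -Module ActiveDirectory -Prefix remote -AllowClobber | Out-Null

    # $env:COMPUTERNAME is expanded on the machine PDQ is deploying to, so the proxied
    # cmdlet receives the target's name, not the DC's.
    $Computer = Get-remoteADComputer -Identity $env:COMPUTERNAME

    foreach ($GroupName in $Groups) {
        $memberDNs = Get-remoteADGroupMember -Identity $GroupName |
            Select-Object -ExpandProperty DistinguishedName
        if ($memberDNs -contains $Computer.DistinguishedName) {
            Write-Output "Already a member of '$GroupName': $($Computer.Name)"
            continue
        }
        # Pass the DN string; it resolves cleanly on the remote side.
        Add-remoteADGroupMember -Identity $GroupName -Members $Computer.DistinguishedName
        Write-Output "Added $($Computer.Name) to '$GroupName'"
    }
}
finally {
    # Tear the session down even if something above threw.
    Remove-PSSession -Session $session
}
```

Because the proxied cmdlets are executed on the DC, the client needs no RSAT at all; it only needs WinRM access to the DC and an account with the delegated group-membership right. Delegating "Write Members" on just these groups keeps the deploy account out of highly privileged groups.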
  • I'm also having an issue with running this on machines that don't have RSAT installed.

    0
  • Ended up finding a script that worked without RSAT being installed.

    # Retrieve DN of local computer object in AD.
    $SysInfo = New-Object -ComObject "ADSystemInfo"
    $ComputerDN = $SysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $Null, $SysInfo, $Null)
    $ComputerDN

    # Specify the group.
    $Group = [ADSI]"LDAP://cn=Test Group,ou=West,dc=MyDomain,dc=com"

    # Check if computer already a member of the group.
    If ($Group.IsMember("LDAP://$ComputerDN") -eq $False) {
        # Add the computer to the group.
        $Group.Add("LDAP://$ComputerDN")
    }

    0
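As an added example (not the script from the comment above), here is the same RSAT-free technique generalised to the three groups named earlier in the thread. It relies only on ADSI and System.DirectoryServices, which ship with Windows, looks each group up by sAMAccountName or CN instead of hard-coding a distinguished name, escapes the group name before putting it in the LDAP filter, and returns a non-zero exit code when any group could not be updated so the PDQ Deploy step reports failure instead of a silent success. The function names are my own; the example assumes each group's sAMAccountName or CN matches the listed name.

```powershell
# Added example, not the original poster's code. Uses only ADSI / System.DirectoryServices,
# so it runs on a client without RSAT. Group names are the ones listed in the thread.
$GroupNames = @(
    "NET - Wireless LAN Computers",
    "SOFTWARE-CLIENT-Google-Chrome-Enterprise",
    "WSUS-PROD-WORKSTATIONS-Group"
)

function Get-LocalComputerDN {
    # ADSystemInfo has no type library, so its properties are reached through InvokeMember.
    $sysInfo = New-Object -ComObject "ADSystemInfo"
    return $sysInfo.GetType().InvokeMember("ComputerName", "GetProperty", $null, $sysInfo, $null)
}

function Find-GroupEntry {
    param([string]$Name)
    # Escape LDAP filter metacharacters so a name with spaces, hyphens or parentheses is safe.
    $escaped = $Name -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [ADSISearcher]"(&(objectCategory=group)(|(sAMAccountName=$escaped)(cn=$escaped)))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return $result.GetDirectoryEntry()
}

$computerDN   = Get-LocalComputerDN
$computerPath = "LDAP://$computerDN"
$failed = 0

foreach ($name in $GroupNames) {
    $group = Find-GroupEntry -Name $name
    if ($null -eq $group) {
        Write-Warning "Group '$name' not found in AD"
        $failed++
        continue
    }
    try {
        # IsMember/Add are IADsGroup methods exposed on the DirectoryEntry.
        if ($group.IsMember($computerPath)) {
            Write-Output "Already a member of '$name'"
        } else {
            $group.Add($computerPath)
            Write-Output "Added $env:COMPUTERNAME to '$name'"
        }
    } catch {
        # Typically an access-denied error: the running account lacks write access to the group's member attribute.
        Write-Warning "Could not add to '$name': $($_.Exception.Message)"
        $failed++
    }
}

# A non-zero exit code makes the PDQ Deploy step show as failed rather than successful.
exit $failed
```

Like the VBScript earlier in the thread, this runs in the context of the deploying account on the target machine, so that account needs only the right to write the member attribute of these three groups; nothing here requires a local login or a domain-admin level account.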