add machine to group

  • Question

  • From within a sccm task sequence I need to add a machine to an AD group.   We install the RSTAT tools into our OSD image.  But the following command does not add the machine to the AD group.

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {import-module -Name C:\windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management -verbose; ADD-ADGroupMember "All SCCM Clients" -members $env:computername$}

    We block port 80 for security and only allow SCCM to use port 443.  Would that cause this failure?  


    • Moved by jrv Tuesday, June 5, 2018 2:40 PM Correct forum.
    Tuesday, June 5, 2018 2:13 PM

All replies

  • Just a guess, but you probably need to import the ActiveDirectory module instead. That provides the Add-ADGroupMember cmdlet.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, June 5, 2018 2:22 PM
  • A computer cannot add itself to the group.  You need an admin account.


    Tuesday, June 5, 2018 2:39 PM
  • Hi, I do import it.  If you look at my command line I run the import-module step.  


    Tuesday, June 5, 2018 2:47 PM
  • Hello, on the task sequence step within SCCM you can "run command as a different user"  so the command I show above does run as a User with elevated rights.


    Tuesday, June 5, 2018 2:48 PM
  • In PowerShell I use:

    Import-Module ActiveDirectory

    You may need to provide the full path. I have never imported Microsoft.PowerShell.Management.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, June 5, 2018 5:56 PM
  • Are you running that step as a user with permissions to add computers to the group in AD?

    Martin Bengtsson | Blog: | Twitter: @mwbengtsson
    If a post helps to resolve your issue, please remember to click Mark as Answer.

    Tuesday, June 5, 2018 6:21 PM
  • Why not just use this VB method as it doesn't require any prereqs

    Of course be sure to run the step with an account that has sufficient rights to modify membership. (don't use domain admin!)

    Dan Padgett | Blog: | Twitter: @danjpadgett

    Tuesday, June 5, 2018 7:10 PM
  • Adding to Dan's recommendation. Using a webservice to carry out actions in AD is also an option:

    Martin Bengtsson | Blog: | Twitter: @mwbengtsson
    If a post helps to resolve your issue, please remember to click Mark as Answer.

    Wednesday, June 6, 2018 11:05 AM
  • Dan, I have run that exact method and that too does not work.   I then used Import-Module ActiveDirectory as Richard suggested and that does not work.

    Yes, I run this as a user with rights.   


    Wednesday, June 6, 2018 12:58 PM
  • If I open up PowerShell ISE as a user with AD rights and I run this command it works:

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {Import-Module ActiveDirectory; ADD-ADGroupMember "All SCCM Clients" -members $env:computername$}

    If I run the exact same command as the exact same user from within the SCCM Task Sequence it fails.   I run this command  near the end of the task sequence and it never works.   Why? 



    Wednesday, June 6, 2018 3:55 PM
  • I think the problem might be that the $env.computername environment variable is not available. You can test by hard coding a computer name. This reference:

    discusses task sequence environment variables, one of which is %_SMSTSMachineName%.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, June 6, 2018 4:18 PM
  • Hi,

    I created this script to not have to import the AD Module. It works great!

    then you can simply add the computername as a variable to the script.

    I hope that helps!


    -- My System Center blog -- Twitter @ccmexec

    Thursday, June 7, 2018 12:41 PM
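  • Putting Richard's point about the task sequence variable and Jörgen's idea of passing the computer name into a script together, here is an added example script (not Jörgen's script, not code from the thread). It takes the computer name from %_SMSTSMachineName% via the task sequence environment when it is running inside a task sequence, falls back to $env:COMPUTERNAME otherwise, writes a log file so a failing step leaves evidence, and verifies the membership after the add instead of trusting the return. The script file name, the log path and the parameter names are assumptions; it assumes the RSAT ActiveDirectory module is in the image and that the step runs under an account delegated rights to modify the group's membership.

    ```powershell
    <#
      Add-ComputerToAdGroup.ps1 (hypothetical file name; added example, not from the thread)
      Adds the current computer account to an AD group from an SCCM task sequence step.
      Assumptions: RSAT ActiveDirectory module present, step runs as a delegated account,
      script launched with -File.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupName,

        # Defaults to the task sequence variable when available, else the local name.
        [string]$ComputerName,

        # Log path is an assumption; C:\Windows\Temp is only what the thread used for its test file.
        [string]$LogPath = 'C:\Windows\Temp\AddToGroup.log'
    )

    function Write-Log {
        param([string]$Message)
        $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
        Add-Content -Path $LogPath -Value $line
    }

    function Get-TsComputerName {
        # Inside a task sequence, _SMSTSMachineName is read from the TS environment COM object.
        try {
            $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
            $name  = $tsenv.Value('_SMSTSMachineName')
            if ($name) { return $name }
        } catch {
            # COM object unavailable: not running inside a task sequence, fall through.
        }
        return $env:COMPUTERNAME
    }

    try {
        # Record which identity the step actually ran as; "run as different user" is easy to misconfigure.
        Write-Log "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
        if (-not $ComputerName) { $ComputerName = Get-TsComputerName }
        Write-Log "Target computer: $ComputerName, group: $GroupName"

        Import-Module ActiveDirectory -ErrorAction Stop

        # Get-ADComputer takes the plain name; the trailing '$' of the sAMAccountName is not needed here.
        $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
        $group    = Get-ADGroup    -Identity $GroupName    -ErrorAction Stop

        $already = Get-ADGroupMember -Identity $group -ErrorAction Stop |
                   Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName }
        if ($already) {
            Write-Log "Already a member; nothing to do."
            exit 0
        }

        Add-ADGroupMember -Identity $group -Members $computer -ErrorAction Stop

        # Verify rather than trust the add: a step that "succeeds" without doing anything is what started the thread.
        $now = Get-ADGroupMember -Identity $group -ErrorAction Stop |
               Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName }
        if (-not $now) { throw "Membership not visible after Add-ADGroupMember" }

        Write-Log "Added $($computer.DistinguishedName) to $($group.DistinguishedName)"
        exit 0
    }
    catch {
        Write-Log "FAILED: $($_.Exception.Message)"
        # Non-zero exit code makes the task sequence step report the failure instead of continuing.
        exit 1
    }
    ```

    In the task sequence the step would run `PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File Add-ComputerToAdGroup.ps1 -GroupName "All SCCM Clients"` with "Run this step as the following account" set to the delegated account. Using -File sidesteps a known quirk of -Command: when powershell.exe is launched from a non-PowerShell host such as a command step, a `{...}` argument is not executed as a script block but passed through as text, so nothing inside it runs and no error is raised. The log file then tells you which account the step ran as and whether the add failed, which is the evidence missing in the thread so far.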
  • OK, something is going on.  I hard coded the machine name and it still does not add it to the AD Group.  And when I run the same command outside of the task sequence it always works.   This command was run:   PowerShell.exe -NoProfile -executionpolicy bypass -Command {import-module -Name C:\windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management -verbose; Import-Module ActiveDirectory; ADD-ADGroupMember "All SCCM Clients" -members "PCName"}

    I know for a fact that the user account I'm using has full rights to add/delete machines from AD and AD Groups. why would it fail from within an SCCM task sequence? And here is the real kicker, the same command works fine from within an MDT task sequence.  We tested that and it worked.



    Thursday, June 7, 2018 2:24 PM
  • Jörgen, I used your method and it too does not work.  I think any PowerShell command I run fails.  Example:  I added this to my task sequence near the end (so Windows was up and running) 

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {"this is a test" | out-file c:\windows\temp\PS1End.txt}

    The .txt file never gets created.  Could something be blocking PowerShell.exe from running?  


    Thursday, June 7, 2018 3:22 PM