add machine to group

    Question

  • From within an SCCM task sequence I need to add a machine to an AD group. We install the RSAT tools into our OSD image, but the following command does not add the machine to the AD group.

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {import-module -Name C:\windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management -verbose; ADD-ADGroupMember "All SCCM Clients" -members $env:computername$}

    We block port 80 for security and only allow SCCM to use port 443.  Would that cause this failure?  



    mqh7

    • Moved by jrv Tuesday, June 05, 2018 2:40 PM Correct forum.
    Tuesday, June 05, 2018 2:13 PM

All replies

  • Just a guess, but you probably need to import the ActiveDirectory module instead. That provides the Add-ADGroupMember cmdlet.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, June 05, 2018 2:22 PM
  • A computer cannot add itself to the group.  You need an admin account.


    \_(ツ)_/

    Tuesday, June 05, 2018 2:39 PM
  • Hi, I do import it. If you look at my command line, I run the import-module step.

    mqh7

    Tuesday, June 05, 2018 2:47 PM
  • Hello, on the task sequence step within SCCM you can "run command as a different user", so the command I show above does run as a user with elevated rights.


    mqh7

    Tuesday, June 05, 2018 2:48 PM
  • In PowerShell I use:

    Import-Module ActiveDirectory

    You may need to provide the full path. I have never imported Microsoft.PowerShell.Management.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, June 05, 2018 5:56 PM
  • Are you running that step as a user with permissions to add computers to the group in AD?

    Martin Bengtsson | Blog: www.imab.dk | Twitter: @mwbengtsson
    If a post helps to resolve your issue, please remember to click Mark as Answer.

    Tuesday, June 05, 2018 6:21 PM
  • Why not just use this VB method, as it doesn't require any prerequisites?

    http://ccmexec.com/2010/08/adding-computer-to-ad-groups-during-deployment/

    Of course, be sure to run the step with an account that has sufficient rights to modify membership. (Don't use domain admin!)


    Dan Padgett | Blog: http://execmgr.net | Twitter: @danjpadgett

    Tuesday, June 05, 2018 7:10 PM
  • Adding to Dan's recommendation: using a web service to carry out actions in AD is also an option: https://gallery.technet.microsoft.com/ConfigMgr-WebService-100-572825b2


    Martin Bengtsson | Blog: www.imab.dk | Twitter: @mwbengtsson
    If a post helps to resolve your issue, please remember to click Mark as Answer.

    Wednesday, June 06, 2018 11:05 AM
  • Dan, I have run that exact method and that too does not work.   I then used Import-Module ActiveDirectory as Richard suggested and that does not work.

    Yes, I run this as a user with rights.   


    mqh7

    Wednesday, June 06, 2018 12:58 PM
  • If I open up PowerShell ISE as a user with AD rights and I run this command it works:

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {Import-Module ActiveDirectory; ADD-ADGroupMember "All SCCM Clients" -members $env:computername$}

    If I run the exact same command as the exact same user from within the SCCM Task Sequence it fails. I run this command near the end of the task sequence and it never works. Why?

     

    mqh7

    Wednesday, June 06, 2018 3:55 PM
  • I think the problem might be that the $env.computername environment variable is not available. You can test by hard coding a computer name. This reference:

    https://technet.microsoft.com/en-us/library/bb693541.aspx

    discusses task sequence environment variables, one of which is %_SMSTSMachineName%.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, June 06, 2018 4:18 PM
  • Hi,

    I created this script to not have to import the AD Module. It works great!

    https://ccmexec.com/2018/03/powershell-osd-scripts-to-addremove-computer-from-ad-group-and-set-ad-description/

    Then you can simply pass the computer name as a variable to the script.

    I hope that helps!

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec


    Thursday, June 07, 2018 12:41 PM
  • OK, something is going on. I hard coded the machine name and it still does not add it to the AD Group, and when I run the same command outside of the task sequence it always works. This command was run:

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {import-module -Name C:\windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management -verbose; Import-Module ActiveDirectory; ADD-ADGroupMember "All SCCM Clients" -members "PCName"}

    I know for a fact that the user account I'm using has full rights to add/delete machines from AD and AD Groups. Why would it fail from within an SCCM task sequence? And here is the real kicker: the same command works fine from within an MDT task sequence. We tested that and it worked.

     


    mqh7

    Thursday, June 07, 2018 2:24 PM
  • Jörgen, I used your method and it too does not work. I think any PowerShell command I run fails. Example: I added this to my task sequence near the end (so Windows was up and running):

    PowerShell.exe -NoProfile -executionpolicy bypass -Command {"this is a test" | out-file c:\windows\temp\PS1End.txt}

    The .txt file never gets created.  Could something be blocking PowerShell.exe from running?  


    mqh7

    Thursday, June 07, 2018 3:22 PM
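As an added example (not code from any poster in this thread), the script below is the form the thread is converging on: invoked with -File from a task sequence step running as a delegated account, it reads the computer name from the task sequence environment (the _SMSTSMachineName variable Richard mentions), resolves the computer object, and adds it to the group with a log file and a meaningful exit code. Invoked from cmd.exe or a "Run Command Line" step rather than from inside PowerShell, `-Command {...}` hands the braces to PowerShell literally, so the child evaluates a script block literal and outputs it instead of running it, which matches the Out-File test above leaving no file. The script name, log path and function names are assumptions.

```powershell
# Add-ComputerToAdGroup.ps1 (added example; script name and log path are assumptions)
# Task sequence step ("Run Command Line", run as a delegated account, not Domain Admin):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Add-ComputerToAdGroup.ps1
# Using -File avoids the -Command {...} pitfall: outside PowerShell the braces are
# passed literally, so the child evaluates a script block literal and outputs it
# instead of executing it.
param(
    [string]$GroupName = 'All SCCM Clients',                  # group name from the thread
    [string]$LogPath   = 'C:\Windows\Temp\AddToAdGroup.log'   # assumed log location
)

$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) [$env:USERNAME] $Message" | Out-File -FilePath $LogPath -Append
}

function Get-TsComputerName {
    # Inside a task sequence, _SMSTSMachineName comes from the TS environment COM object;
    # outside one (e.g. testing in ISE) the object does not exist, so fall back to $env:COMPUTERNAME.
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        $name = $tsenv.Value('_SMSTSMachineName')
        if ($name) { return $name }
    } catch { }
    return $env:COMPUTERNAME
}

try {
    Import-Module ActiveDirectory                 # RSAT AD module; provides Add-ADGroupMember
    $name = Get-TsComputerName
    # A computer's SAM account name is its name plus a trailing '$'; resolve it explicitly
    # so a wrong name fails here with a clear error rather than inside Add-ADGroupMember.
    $computer = Get-ADComputer -Identity "$name`$" -Properties MemberOf
    $group    = Get-ADGroup -Identity $GroupName

    if ($computer.MemberOf -contains $group.DistinguishedName) {
        Write-Log "$name is already a member of '$GroupName'"
    } else {
        Add-ADGroupMember -Identity $group -Members $computer
        Write-Log "added $name to '$GroupName'"
    }
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit makes the task sequence step report the failure
}
```

The log line records which account the step actually ran under, which is the first thing to check when the same command succeeds in ISE but not in the task sequence.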