with a twist


All replies

  • Do you mean you want to check if the computer object is a member of any group nested in the shadow group? So the computer is already a member due to group nesting? If so, you can use the LDAP_MATCHING_RULE_IN_CHAIN feature available on domain controllers with Windows Server 2003 SP2 or above. You would replace:

    $Filter = "(!(memberOf=$GroupDN))" 

    with the following:

    $Filter = "(!(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"

    There are two places in the script I linked where this LDAP syntax filter would be used. The first statement is the one above. The other is the following:

    $Members = Get-ADUser -LDAPFilter "(memberOf=$GroupDN)" `
            -Server $Server | Select-Object distinguishedName, Enabled
    

    where this must be modified in a similar manner, so it becomes:

    $Members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$GroupDN)" `
            -Server $Server | Select-Object distinguishedName, Enabled
    

    This syntax walks the hierarchy of groups so that it reveals nested group memberships. The above retrieves all users that are direct members of the group, plus members of any nested groups that are members of the group.

    If I misunderstand, and you are not interested in taking group nesting into account, then try to explain again.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, October 11, 2016 9:55 PM
  • Hi Richard, thank you for your help.

    This works as expected:

    Add-ADGroupMember -Identity 'XXXX_GROUP' -Members (Get-ADComputer -Filter * -SearchBase 'OU=Computers,OU=Company,DC=domain,DC=local')

    I was wondering if I could say:

    if computer is a member of AAAA_Group then go to end. Make no changes.


    or maybe except if statement?
    • Edited by jamicon Wednesday, October 12, 2016 2:25 PM
    Wednesday, October 12, 2016 2:24 PM
  • No need for an If statement. You can use a filter in the Get-ADComputer statement to exclude computers that are members of the group. You must specify the full distinguished name of the group in the filter. In place of -Filter *, you would use something similar to below:

    Get-ADComputer -Filter {memberOf -ne "cn=AAAA_Group,ou=West,dc=domain,dc=local"} -SearchBase 'OU=Computers,OU=Company,DC=domain,DC=local'


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard MuellerMVP Wednesday, October 12, 2016 2:56 PM
    • Marked as answer by jamicon Wednesday, October 12, 2016 3:58 PM
    • Unmarked as answer by jamicon Wednesday, October 12, 2016 4:04 PM
    Wednesday, October 12, 2016 2:56 PM
  • where does this go? Before or after my current code?
     I thought it required -Members?

    if computer is a member of x then skip, if not member of X then add to Y

    • Edited by jamicon Wednesday, October 12, 2016 4:08 PM
    Wednesday, October 12, 2016 4:04 PM
  • The complete script would be as follows:

    Add-ADGroupMember -Identity 'XXXX_GROUP' -Members (Get-ADComputer -Filter {memberOf -ne "cn=AAAA_Group,ou=West,dc=domain,dc=local"} -SearchBase 'OU=Computers,OU=Company,DC=domain,DC=local')

    The filter I added to the script (that you said works) just makes sure that computers that are members of the group are not included.

    Edit: As I noted, you must specify the full distinguished name of the group in the filter.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard MuellerMVP Wednesday, October 12, 2016 4:58 PM
    • Marked as answer by jamicon Wednesday, October 12, 2016 6:44 PM
    Wednesday, October 12, 2016 4:58 PM
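The following script is an added example and is not code from this thread or from Richard's linked shadow-group script. It ties together the two points made above: the one-liner that excludes members of AAAA_Group, and the LDAP_MATCHING_RULE_IN_CHAIN syntax from the first reply that also excludes computers that are members only through a nested group. The function names (ConvertTo-LdapFilterValue, Get-ComputerToAdd, Add-MissingComputerToGroup) are made up for this example, and the OU, group names and -Server value are the placeholders used in the thread. Beyond what the thread shows, it escapes the distinguished names before embedding them in the LDAP filter (RFC 4515), resolves the group names to full DNs so the filter never gets a bare name, skips computers that are already direct members of the target group (Add-ADGroupMember errors on those, which would abort a bulk add), and supports -WhatIf so the membership change can be reviewed before it is made.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from this thread. OU, group names and -Server are
# placeholders from the thread; the function names are made up for this example.

function ConvertTo-LdapFilterValue {
    # Escape a value embedded in an LDAP filter (RFC 4515) so that a DN with
    # '(', ')', '*' or '\' in it cannot break or widen the filter.
    param([Parameter(Mandatory)][string]$Value)
    # Backslash first, otherwise the escapes added afterwards would be re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-ComputerToAdd {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$ExcludeGroupDN,
        [Parameter(Mandatory)][string]$TargetGroupDN,
        [switch]$IncludeNested,
        [string]$Server
    )
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes memberOf match
    # transitively, so a computer that is in the exclusion group only through a
    # nested group is excluded too. Without it only direct members are excluded.
    $rule    = if ($IncludeNested) { ':1.2.840.113556.1.4.1941:' } else { '' }
    $exclude = ConvertTo-LdapFilterValue $ExcludeGroupDN
    $target  = ConvertTo-LdapFilterValue $TargetGroupDN
    # Also skip computers that are already direct members of the target group:
    # Add-ADGroupMember reports an error for those, which would abort a bulk add.
    $filter = "(&(!(memberOf$rule=$exclude))(!(memberOf=$target)))"
    $params = @{ LDAPFilter = $filter; SearchBase = $SearchBase }
    if ($Server) { $params['Server'] = $Server }
    Get-ADComputer @params
}

function Add-MissingComputerToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$ExcludeGroup,   # name, DN, SID or GUID
        [Parameter(Mandatory)][string]$TargetGroup,    # name, DN, SID or GUID
        [switch]$IncludeNested,
        [string]$Server
    )
    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }
    # The filter needs full distinguished names, so resolve whatever was passed.
    $excludeDN = (Get-ADGroup -Identity $ExcludeGroup @ad).DistinguishedName
    $targetDN  = (Get-ADGroup -Identity $TargetGroup  @ad).DistinguishedName

    $candidates = @(Get-ComputerToAdd -SearchBase $SearchBase -ExcludeGroupDN $excludeDN `
                        -TargetGroupDN $targetDN -IncludeNested:$IncludeNested @ad)
    if ($candidates.Count -eq 0) {
        Write-Verbose 'No computers to add.'
        return
    }
    # -WhatIf / -Confirm given to this function are honoured here and propagate
    # to Add-ADGroupMember, so the change can be reviewed before it is made.
    if ($PSCmdlet.ShouldProcess("$($candidates.Count) computer(s)", "Add to $targetDN")) {
        Add-ADGroupMember -Identity $targetDN -Members $candidates @ad
    }
    # Emit what was (or would be) added, for the change record.
    $candidates | Select-Object Name, DistinguishedName
}

# Dry run first, then run again without -WhatIf:
# Add-MissingComputerToGroup -SearchBase 'OU=Computers,OU=Company,DC=domain,DC=local' `
#     -ExcludeGroup 'AAAA_Group' -TargetGroup 'XXXX_GROUP' -IncludeNested -WhatIf
```

Dot-source the file to define the three functions, then run the commented call with -WhatIf to see which computers would be added before making the change; group membership drives access, so a bulk add like this is worth a dry run. Without -IncludeNested the exclusion behaves like Richard's accepted one-liner (direct members only); with it, computers that reach AAAA_Group through a nested group are excluded as well, which needs domain controllers at Windows Server 2003 SP2 or later as noted in the first reply.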
  • You are the MASTER
    Wednesday, October 12, 2016 6:44 PM