move AD Security groups from old pc to a replacement pc.

  • Question

  • I have a frequent task, which is to decommission an old PC and move its security groups and software AD groups to a new replacement PC so that the new PC gets the appropriate software deployed to it via SCCM.

    Am I right in thinking I could use move-adcomputer to achieve this task?

    Wednesday, July 30, 2014 1:32 AM

Answers

  • Hi,

    I think this is what you're after:

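    # Requires the ActiveDirectory module (RSAT)
    Import-Module ActiveDirectory
    
    $oldComputerName = '2012R2P'
    $newComputerName = 'XP'
    
    # Distinguished names of the groups the old computer is a direct member of
    $groups = (Get-ADComputer -Identity $oldComputerName -Properties memberOf).memberOf
    
    foreach ($group in $groups) {
    
        # Add the new computer to the group (-WhatIf only reports what would change)
        Add-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $newComputerName).SamAccountName -WhatIf
    
        # Remove the old computer from the same group
        Remove-ADGroupMember -Identity $group -Members (Get-ADComputer -Identity $oldComputerName).SamAccountName -Confirm:$false -WhatIf
    
    }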

    Remove the -WhatIfs if you're happy with the initial output.


    Don't retire TechNet! - (Don't give up yet - 12,950+ strong and growing)

    Wednesday, July 30, 2014 3:40 AM
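
A variant of the script in the answer above, added here as an example and not the poster's code: it removes the old computer from a group only after the new one is confirmed or added as a member, and returns one record per group that can be kept as an audit trail. The function name and the output property names are hypothetical; it assumes PowerShell 3.0 or later and the ActiveDirectory module.

```powershell
# Added example. Move-ComputerGroupMembership and its output properties are hypothetical names.
Import-Module ActiveDirectory

function Move-ComputerGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OldComputerName,
        [Parameter(Mandatory = $true)][string]$NewComputerName
    )

    # Resolve both accounts once; stop before touching any group if either is missing.
    $old = Get-ADComputer -Identity $OldComputerName -Properties memberOf -ErrorAction Stop
    $new = Get-ADComputer -Identity $NewComputerName -Properties memberOf -ErrorAction Stop

    foreach ($group in $old.memberOf) {
        $result = [pscustomobject]@{
            Group = $group; NewIsMember = $false; RemovedOld = $false; Error = $null
        }
        try {
            # Add-ADGroupMember errors on an existing member, so skip the add in that case.
            if ($new.memberOf -notcontains $group) {
                Add-ADGroupMember -Identity $group -Members $new -ErrorAction Stop
            }
            # Under -WhatIf nothing was changed, so report $false.
            $result.NewIsMember = -not $WhatIfPreference

            # Reached only when the add did not throw: the old machine never loses
            # a group that the replacement failed to gain.
            Remove-ADGroupMember -Identity $group -Members $old -Confirm:$false -ErrorAction Stop
            $result.RemovedOld = -not $WhatIfPreference
        }
        catch {
            # Record the failure and continue with the next group.
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Dry run first (-WhatIf is passed down to the AD cmdlets), using the names from the answer above.
Move-ComputerGroupMembership -OldComputerName '2012R2P' -NewComputerName 'XP' -WhatIf

# Real run, keeping a record of what was moved:
# Move-ComputerGroupMembership -OldComputerName '2012R2P' -NewComputerName 'XP' |
#     Export-Csv -Path .\group-move.csv -NoTypeInformation
```

Rows with a non-empty Error column are groups where the old computer is still a member and need manual follow-up before the old account is retired.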

All replies

  • No - you need to do a full deployment.

    Type:  "help Move-AdObject -full" and read the details.

    There is no such command as Move_ADComputer.

    Always use help first then search with your search engine.  It will help prevent you from asking bad questions.


    ¯\_(ツ)_/¯

    Wednesday, July 30, 2014 1:44 AM
  • This is usually a scenario where one would reset the computer account and join its replacement computer to the domain using the existing account.

    (Search for "reset computer account" for more information.)


    -- Bill Stewart [Bill_Stewart]

    • Proposed as answer by jrv Wednesday, July 30, 2014 11:53 AM
    Wednesday, July 30, 2014 2:19 AM
    Moderator
  • Yes sorry typo...I was meaning to type move-Adobject.  And yes I did already look at the full help and saw the examples.

    What I currently do is fire up AD and read what security groups the old computer is in and then open up the new pc in AD and then apply the security groups one by one so they match up and then delete the security groups from the old machine.

    I expect there is a faster way to apply the same security groups to the pc as I know this is possible with applying the same security groups to a user based on what another user has.

    Wednesday, July 30, 2014 2:56 AM
  • Bill's answer is easier.


    ¯\_(ツ)_/¯

    Wednesday, July 30, 2014 11:54 AM
  • I recommend resetting the computer account to retain the same SID, security group membership, etc.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, July 30, 2014 1:41 PM
    Moderator