How to add laptops/surfaces to an AD group during SCCM task sequence

  • Question

  • Hello,

    I'm trying to find out how to add specifically laptops and Microsoft Surface Pros/Books to an AD security group during a task sequence.

    I'm fairly new to this, so any help is much appreciated.

    Thanks

    Tuesday, August 8, 2017 9:48 AM

All replies

  • Hi,

    A PowerShell script should do the trick. In fact, I put together something a while back (and borrowed heavily from Stack Overflow in the process) to accomplish just what you are looking for in MDT.

    • You should run this script under an account which has the rights to add a computer object to an AD group. Granted, this is usually more of an issue in MDT than it is in SCCM.
    • The script relies on ADSI functionality, therefore there is no need to install the RSAT tools on your clients.
    • Modify the value of the $GroupName variable and you should be good to go.
    <#
    ************************************************************************************************************************

    Created:    2017-05-03
    Version:    1.0
    Purpose:    PowerShell to join computer object to Active Directory Group without AD module being imported
                This finds the computer object anywhere in AD and adds it to a security group in a known location

    ************************************************************************************************************************
    #>

    # Determine where to do the logging
    $logPath = "C:\temp\logs"
    $logFile = "$logPath\$($myInvocation.MyCommand).log"

    # Create Log folder
    If (!(Test-Path $logPath))
    {
        New-Item -ItemType Directory -Path $logPath | Out-Null
    }

    # Start the logging
    Start-Transcript $logFile
    Write-Host "Logging to $logFile"

    # Set variables
    $DomainName   = (Get-WmiObject Win32_ComputerSystem).Domain
    $ComputerName = (Get-WmiObject Win32_ComputerSystem).Name
    # Distinguished name of the target group (no quotes inside the DN)
    $GroupName    = "CN=Windows10Group,OU=Windows10,DC=europe,DC=contoso,DC=local"
    $GroupPath    = "LDAP://" + $GroupName

    Write-Host "DomainName: $DomainName"
    Write-Host "Computername: $ComputerName"
    Write-Host "Groupname: $GroupName"
    Write-Host "Grouppath: $GroupPath"

    # Check to see if computer is already a member of the group.
    # Computer accounts carry a trailing $ in their sAMAccountName.
    $isMember = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $isMember.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName$)(memberOf=$GroupName))"
    $isMemberResult = $isMember.FindOne()

    Write-Host "Membership query result: $($isMemberResult.Path)"

    # If the computer is already a member of the group, just exit.
    If ($isMemberResult)
    {
        Write-Host "Computer is already member of the Windows 10 group. Exiting..."
        Stop-Transcript
        Exit 0
    }
    Else
    {
        # If the computer is NOT a member of the group, locate its object and add it.
        Write-Host "Computer is not a member of the target Windows 10 group. Adding..."
        $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
        $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName$))"
        $FoundComputer = $searcher.FindOne()
        If (!$FoundComputer)
        {
            Write-Host "Computer object $ComputerName was not found in AD. Exiting..."
            Stop-Transcript
            Exit 1
        }
        # SearchResult.Path is the full LDAP:// ADsPath of the computer object
        $ComputerPath = $FoundComputer.Path
        $Group = [ADSI]$GroupPath
        $Group.Add($ComputerPath)
        $Group.SetInfo()
        Stop-Transcript
    }


    Blog - http://www.vacuumbreather.com / http://www.wcsaga.com

    • Proposed as answer by Anton Romanyuk Sunday, August 27, 2017 5:19 PM
    Sunday, August 27, 2017 5:19 PM
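An added example, not part of the answer above, covering the part of the question the posted script leaves open: deciding whether the machine is a laptop or a Surface before the group-add step runs. The WMI classes and properties used are standard Windows ones; the group DNs and the TargetGroupDn task-sequence variable name are constructed placeholders.

```powershell
# Added example (not from the original post): gate the AD group-add step so it
# only runs on laptops and Microsoft Surface devices. Group DNs are placeholders.

function Test-IsLaptopOrSurface {
    # Win32_SystemEnclosure.ChassisTypes values that indicate a mobile device:
    # 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet,
    # 31 Convertible, 32 Detachable
    $mobileChassis = @(8, 9, 10, 14, 30, 31, 32)
    $enclosure = Get-WmiObject -Class Win32_SystemEnclosure
    $system    = Get-WmiObject -Class Win32_ComputerSystem

    $chassisMatch = $false
    foreach ($type in $enclosure.ChassisTypes) {
        if ($mobileChassis -contains [int]$type) { $chassisMatch = $true }
    }
    # Surface devices report manufacturer "Microsoft Corporation" and a model
    # beginning with "Surface"; PCSystemType 2 (Mobile) is a second signal for
    # laptops whose firmware reports an unusual chassis value.
    $isSurface = ($system.Manufacturer -match 'Microsoft') -and ($system.Model -match '^Surface')
    $isMobile  = ($system.PCSystemType -eq 2)

    return ($chassisMatch -or $isSurface -or $isMobile)
}

function Get-TargetGroupDn {
    param([Parameter(Mandatory=$true)][string]$Model)
    # Placeholder DNs: Surfaces and other laptops can go to different groups
    if ($Model -match '^Surface') { return 'CN=SurfaceDevices,OU=Groups,DC=contoso,DC=local' }
    return 'CN=LaptopDevices,OU=Groups,DC=contoso,DC=local'
}

if (-not (Test-IsLaptopOrSurface)) {
    Write-Host 'Not a laptop or Surface; skipping the group membership step.'
    Exit 0    # zero exit code keeps the task sequence running
}

$model   = (Get-WmiObject -Class Win32_ComputerSystem).Model
$groupDn = Get-TargetGroupDn -Model $model
Write-Host "Device model '$model' qualifies; target group: $groupDn"

# Pass the decision to later steps as a task-sequence variable. Outside SCCM the
# Microsoft.SMS.TSEnvironment COM object does not exist, so fall back gracefully.
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $tsenv.Value('TargetGroupDn') = $groupDn
} catch {
    Write-Host 'Not running inside a task sequence; TS variable not set.'
}
```

The join script from the answer can then read its $GroupName from the TargetGroupDn variable instead of hardcoding it, and the account running either step only needs delegated write access to the group's member attribute, not broader rights in AD.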