PS that adds computers in OU to a domain group

  • Question

  • hello - I've been asked to script the following:

    If computer(s) added to an OU (and sub OU's) auto add to domain\groupx.

    What would that look like?

    Tuesday, October 11, 2016 1:08 PM

All replies

  • You can use these:

    http://ss64.com/ps/get-adcomputer.html

    http://ss64.com/ps/add-adgroupmember.html


    EDIT: There's an example here, but it's for users. You'd need to adjust it to work on computer objects instead of users.

    https://gallery.technet.microsoft.com/scriptcenter/Update-Shadow-Group-with-9ee6336f


    Tuesday, October 11, 2016 1:11 PM
  • THE TASK

    Assign all members of an Organizational Unit (OU) to a Security Group automatically, without manual intervention. This will not be a real-time sync, but this group should reflect the current OU user list within a reasonable time frame (for example: every 24 hours).

    PREREQUISITES

    The PowerShell script requires access to the Active Directory cmdlets for PowerShell.

    Run this command in PowerShell to install the cmdlets:

    Import-Module ActiveDirectory


    If that doesn’t work, you will need to follow these instructions.

    THE POWERSHELL SCRIPT

    # Distinguished names of the OU to mirror and of the (already existing) shadow group
    $OU="OU=TheOUName,DC=yourdomain,DC=com"

    $ShadowGroup="CN=ShadowGroupName,OU=TheOUName,DC=yourdomain,DC=com"

    # Remove group members whose DN no longer lies under the OU
    Get-ADGroupMember -Identity $ShadowGroup | Where-Object {$_.distinguishedName -NotMatch $OU} | ForEach-Object {Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup -Confirm:$false}

    # Add users in the OU (direct children only, because of -SearchScope OneLevel) that are not yet members
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -LDAPFilter "(!memberOf=$ShadowGroup)" | ForEach-Object {Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $ShadowGroup}

    HOW IT WORKS

    First you set the variables.

    • $OU defines the “distinguishedName” of the organization unit. You can find the distinguishedName in the Attribute Editor tab in the properties of the OU. Make sure you are in “Advanced Features” view in Active Directory Users and Computers. This is set in the View menu.

    • $ShadowGroup defines the distinguishedName of the Security Group you intend to use as your “shadow group.” This group MUST EXIST before you run the PowerShell script.

    The Get-ADGroupMember portion of the script will parse all existing users who are a member of the “shadow group” and remove users who no longer are in the OU. The Get-ADUser portion of the script will parse all users in the OU and add them to the “shadow group.”

    After you run the script, your shadow group user membership will be identical to the OU user membership.

    RUN IT AUTOMATICALLY

    I did say this process would not require manual intervention and for that to be true you need to schedule this PowerShell script to run via Task Scheduler. You can copy the above script, paste it into a text file with a “ps1” file extension, and edit it for your environment. You can run this scheduled task on a domain controller, although it is typically frowned upon to run scripts on DCs. So you might want to pick another domain member server for this task. How often the task runs will depend on your environment. In most cases every 24 hours is fine, but if you need something that is closer to real-time, you might need to schedule it to run every hour (or less).

    Below is an example Action on a scheduled task to run a PowerShell script on a Windows 2008 Server.

    Action: Start a program

    Program/script: C:\Windows\system32\windowspowershell\v1.0\powershell.exe

    Add arguments (optional): -command C:\scripts\shadow-group.ps1

    Tuesday, October 11, 2016 1:22 PM
  • This is called a "Shadow" group, a dynamic group that includes all users in a specified OU. You need a script to run periodically to update the group, perhaps a scheduled task. The script should add any users not in the group but in the OU, and also remove any members of the group that are no longer in the OU. This is a common request, so I published a PowerShell script for this purpose in the TechNet Gallery here:

    https://gallery.technet.microsoft.com/Update-Shadow-Group-with-9ee6336f

    The script does all the necessary checks, and only updates the group if there are new members or members that must be removed. The adds and removes are done in bulk for efficiency. The script also writes a detailed log, so you have a record of what was done. And the script can be run in a test mode, where the group is not updated, but it logs what would be done. This is valuable to check that the script will do what you intend. This is all explained in the link above.

    Edit: Sorry, I just noticed that you are dealing with computers rather than users. No problem. The script I linked can still be used. Just replace the three instances in the script of "Get-ADUser" with "Get-ADComputer". That is the only modification needed in your case. All the variable names can stay the same. Even the reference to userAccountControl, to determine if the account is enabled, is exactly the same for computer objects. If you want, you can modify the Add-Content and Write-Host statements to replace "user" with "computer", but it is not necessary.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, October 11, 2016 2:03 PM
    Moderator
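As an added example (not the TechNet Gallery script, and not the blog-derived script posted earlier in the thread), the PowerShell below puts the two ideas together for computer objects: the shadow-group sync with removals described in the reply above, and the Get-ADComputer one-liner, extended to child OUs, bulk adds/removes, a log file and a test mode. The OU, group, server and log path values are placeholders to be replaced for your environment.

```powershell
# Added example, not the Gallery script. $OUDN, $GroupDN, $Server and $LogFile are placeholders.
Import-Module ActiveDirectory

$OUDN    = 'OU=Workstations,DC=example,DC=com'            # placeholder: OU to mirror (incl. child OUs)
$GroupDN = 'CN=ShadowGroupX,OU=Groups,DC=example,DC=com'  # placeholder: shadow group, must already exist
$Server  = 'dc01.example.com'                             # placeholder: DC that runs AD Web Services
$LogFile = 'C:\scripts\shadow-group.log'                  # placeholder: log path
$Update  = $false   # test mode: log what would change but touch nothing; set $true to apply

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Desired membership: enabled computers in the OU and every child OU (SearchScope Subtree).
$inOu = @(Get-ADComputer -Filter * -SearchBase $OUDN -SearchScope Subtree -Server $Server |
          Where-Object { $_.Enabled } |
          Select-Object -ExpandProperty DistinguishedName)

# Current membership read straight from the group's member attribute (a list of DNs),
# which sidesteps the result-size limit Get-ADGroupMember hits on large groups.
$inGroup = @((Get-ADGroup -Identity $GroupDN -Properties member -Server $Server).member)

# Set differences on the full DN: in OU but not in group => add; in group but not in OU => remove.
$toAdd    = @($inOu    | Where-Object { $inGroup -notcontains $_ })
$toRemove = @($inGroup | Where-Object { $inOu    -notcontains $_ })

Write-Log ("OU={0} Group={1} InOU={2} InGroup={3} Add={4} Remove={5} Update={6}" -f
           $OUDN, $GroupDN, $inOu.Count, $inGroup.Count, $toAdd.Count, $toRemove.Count, $Update)

if ($toAdd.Count -eq 0 -and $toRemove.Count -eq 0) { Write-Log 'Group already in sync.'; return }

# Adds and removes are done in bulk, one cmdlet call each, rather than one object at a time.
if ($toAdd.Count -gt 0) {
    $toAdd | ForEach-Object { Write-Log "ADD    $_" }
    if ($Update) { Add-ADGroupMember -Identity $GroupDN -Members $toAdd -Server $Server }
}
if ($toRemove.Count -gt 0) {
    $toRemove | ForEach-Object { Write-Log "REMOVE $_" }
    if ($Update) { Remove-ADGroupMember -Identity $GroupDN -Members $toRemove -Server $Server -Confirm:$false }
}
if (-not $Update) { Write-Log 'Test mode: no changes were made.' }
```

Run it once with $Update left at $false and read the log: the ADD/REMOVE lines tell you whether $OUDN and $GroupDN point where you think they do before anything is changed.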
  • what am I doing wrong?

    import-module activedirectory
    Get-ADComputer -SearchBase "OU=AAAA,OU=BBBB,OU=CCCC,DC=DOMAIN,DC=LOCAL" -Recursive | Add-ADGroupMember -Identity GROUPX

    Tuesday, October 11, 2016 4:11 PM
  • The -Members parameter is mandatory.


    EDIT: Here's the short way:


    Add-ADGroupMember -Identity 'Test Group 1' -Members (Get-ADComputer -Filter * -SearchBase 'OU=AAAA,OU=BBBB,OU=CCCC,DC=DOMAIN,DC=LOCAL')


    • Edited by Mike Laughlin Tuesday, October 11, 2016 5:52 PM
    • Marked as answer by jamicon Tuesday, October 11, 2016 6:21 PM
    Tuesday, October 11, 2016 5:19 PM
  • this looks exactly like what I need, and more. But how does it know where to look?
    • Edited by jamicon Tuesday, October 11, 2016 5:53 PM
    Tuesday, October 11, 2016 5:53 PM
  • The computers are retrieved from the SearchBase. The group is uniquely identified by the sAMAccountName (pre-Windows 2000 name) of the group. The sAMAccountName is often the same as the Name (Relative Distinguished Name or RDN), except it is unique in the domain, while RDN may not be.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Tuesday, October 11, 2016 6:10 PM
    Moderator
  • I ran this, pretty kewl thank you, however it returned ZERO computers, I know there are many that are not in the group.

    Any idea what I did wrong, pretty straightforward.

    here is why "Include computers in child OUs: False"

    I will try again :-)

    • Edited by jamicon Tuesday, October 11, 2016 6:21 PM
    Tuesday, October 11, 2016 6:15 PM
  • thank you and everyone for your great help
    Tuesday, October 11, 2016 6:21 PM
  • At the beginning of the script is a configuration section where you must specify values specific to your situation. It looks like you left $Update = $False. Is $OUDN the distinguished name of the OU where the computers reside? If the computers are in child domains, then assign $True to $ChildOUs. $GroupDN must be the full distinguished name of the group. $Server must be the DNS name of a DC that supports the AD modules.

    But you should have gotten an error message if any of these values were invalid. The only explanation I can think of is that the computers are not in the OU you specified. Check the log file, which documents all of the parameters used by the script.

    Ah, I just saw your update.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Tuesday, October 11, 2016 6:41 PM
    Moderator