Archive | Active Directory

Add AD Users in a specific department to an AD Group

I received a question the other day about whether there is a way to automatically add AD users in a specific department to an AD group. The following script answers the question and can be put into Orchestrator or run as a scheduled task to automate it.

The script will find all users that have their AD attribute department set to “IT” and put them in the AD group “IT Admins”.

To be able to use the script you need to have the AD PowerShell module installed.
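As an added example, not the post's own script, the following PowerShell does what the text describes: every enabled user whose Department attribute is "IT" is added to the group "IT Admins". It reads the group's current members first so that re-running it on a schedule only adds users that are missing, and it supports -WhatIf. The department and group names are parameters; the ActiveDirectory module and the right to modify the group are assumed.

```powershell
# Added example (not the original post's script): add every enabled user whose
# Department attribute matches $Department to the group $GroupName, skipping
# users that are already members so the script is safe to re-run on a schedule.
# Assumed: the ActiveDirectory module is installed and the account running the
# script is allowed to change the group's membership.
[CmdletBinding(SupportsShouldProcess = $true)]
Param(
    [string] $Department = 'IT',
    [string] $GroupName  = 'IT Admins'
)

Import-Module ActiveDirectory

# Read the member DNs straight from the group object. This avoids the size
# limit Get-ADGroupMember hits on large groups and gives us something to diff.
$group   = Get-ADGroup -Identity $GroupName -Properties Members
$current = @($group.Members)

# The -Filter is evaluated on the domain controller; Department is a standard
# user attribute, and disabled accounts are left out.
$users = Get-ADUser -Filter "Department -eq '$Department' -and Enabled -eq 'True'" -Properties Department

$toAdd = @($users | Where-Object { $current -notcontains $_.DistinguishedName })

if ($toAdd.Count -eq 0) {
    Write-Verbose "No new users to add to '$GroupName'."
    return
}

if ($PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) user(s) from department '$Department'")) {
    Add-ADGroupMember -Identity $group -Members $toAdd
    $toAdd | ForEach-Object { Write-Verbose "Added $($_.SamAccountName)" }
}
```

Run it once with -WhatIf -Verbose to see which accounts would be added before letting a schedule run it. Note that, like the post's script, this is additive only: a user who moves out of the department keeps the membership until someone removes it, so a group that grants admin rights needs a matching removal step or a periodic review.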


Copy OU structure from one domain to another domain

Sometimes I have the need to copy the organizational units (OU) structure from one domain to another. This is one way to do it with PowerShell.

Start off by getting all the OUs that are going to be copied from one domain to the other and put them into a text file. Below is one way to do it.

Open the file and do a “search and replace” and change the “DC=LAB,DC=SE” to fit the domain to copy to.

Copy the changed file to the folder C:\temp on a server with the “activedirectory” PowerShell module installed.

When this is done, run the following PowerShell script to add the OUs.
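The three steps above as one added example, not the post's own scripts: one function exports the OU tree of the source domain to the text file and does the "search and replace" on the domain suffix, the other creates the OUs in the target domain. LAB.SE as the source domain comes from the post; TARGET.SE as the destination and the path C:\temp\OUs.txt are assumptions. The import sorts the DNs by depth so every parent OU exists before its children, and skips OUs that already exist.

```powershell
# Added example, not the post's own scripts. Export-OuTree runs against the
# source domain; copy the resulting file to a server in the target domain
# (as the post says) and run Import-OuTree there.
Import-Module ActiveDirectory

function Export-OuTree {
    param(
        [string] $SourceSuffix = 'DC=LAB,DC=SE',
        [string] $TargetSuffix = 'DC=TARGET,DC=SE',   # assumed destination domain
        [string] $Path         = 'C:\temp\OUs.txt'    # assumed file location
    )
    # Step 1: every OU DistinguishedName in the source domain, one per line.
    $dns = @(Get-ADOrganizationalUnit -Filter * -SearchBase $SourceSuffix |
        Select-Object -ExpandProperty DistinguishedName)

    # Step 2: the post's "search and replace", done here instead of in an editor.
    $dns -replace [regex]::Escape($SourceSuffix), $TargetSuffix |
        Set-Content -Path $Path
    return $dns.Count
}

function Import-OuTree {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Path = 'C:\temp\OUs.txt')

    # Step 3. A comma inside an OU name is escaped as "\," in the DN, so split
    # only on unescaped commas. Sorting by the number of components puts
    # shallow OUs first, so a parent is always created before its children.
    $ous = Get-Content $Path | Where-Object { $_ -match '^OU=' } |
        Sort-Object { ($_ -split '(?<!\\),').Count }

    $created = 0
    foreach ($dn in $ous) {
        # "OU=Name,OU=Parent,DC=..." -> name "Name", parent "OU=Parent,DC=..."
        $name, $parent = $dn -split '(?<!\\),', 2
        $name = ($name -replace '^OU=', '') -replace '\\,', ','

        if (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$dn'") {
            Write-Verbose "Exists, skipping: $dn"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, 'Create OU')) {
            # Keep the default protection so the copy cannot be removed by accident.
            New-ADOrganizationalUnit -Name $name -Path $parent -ProtectedFromAccidentalDeletion $true
            $created++
        }
    }
    return $created
}
```

Usage: `Export-OuTree` on the source side, copy C:\temp\OUs.txt, then `Import-OuTree -WhatIf -Verbose` on the target side to review the list before running `Import-OuTree` for real. Only the OU tree is copied; OU permissions, GPO links and the objects inside the OUs are not.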


PowerShell script to copy group membership from one computer to another

When using Active Directory groups containing computers to deploy applications in SCCM, it can sometimes be useful to copy group membership from one computer to another, for example when a user changes computer but should keep the same applications.

The script below will copy the group membership from one computer to another.

To use the script do this:

  1. Copy the script below to a file and save the file as CopyComputerMembership.ps1
  2. Run the script on a computer with the PowerShell module ActiveDirectory installed and make sure that you have permission to change the group membership.
  3. Run the script like this: .\CopyComputerMembership.ps1 -FromComputer <computername> -ToComputer <computername>

Param(
    [Parameter(Mandatory=$True)]
    [String] $FromComputer,
    [Parameter(Mandatory=$True)]
    [String] $ToComputer
)
Process
{
    Import-Module ActiveDirectory
    # The computer that will receive the group memberships.
    $ToClient = Get-ADComputer -Identity $ToComputer
    # MemberOf is not returned by default, so ask for it explicitly.
    $FromClient = Get-ADComputer -Identity $FromComputer -Properties MemberOf
    # Add the destination computer to every group the source computer is a member of.
    Foreach ($Group in $FromClient.MemberOf)
    {
        $GroupObj = Get-ADGroup -Identity $Group
        Add-ADGroupMember -Identity $GroupObj -Members $ToClient
    }
}


Delete AD Group when application is removed or retired in Configuration Manager 2012 with Orchestrator

When using Active Directory (AD) application groups for deploying applications in Configuration Manager (SCCM), it might be nice to get the groups removed automatically when the applications are removed, or set to the status retire, in SCCM. The following example will do exactly that.

There are a few prerequisites for getting this to work with this solution. First, the application groups in AD need to have the PackageID in their names. This is to be sure that the application group in AD corresponds to the right application in SCCM.

Other prerequisites are that the Integration Pack “Execute PowerShell Script” is installed on the Runbook server and that WinRM is enabled on the SCCM 2012 server.

To remove the application groups, two Runbooks have been created. One removes the application groups for the expired SCCM applications and one removes the application groups for deleted SCCM applications.

Below the two Runbooks are presented together with some explanations.

Delete AD Application Group for Expired SCCM Application
This Runbook will delete the AD application groups for the expired applications in SCCM 2012.


Activities information
Below one can see screenshots of the Activities.

PS Script 01
Import-Module "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1";
Set-Location P01:
Get-CMApplication | Select-Object -Property LocalizedDisplayName, PackageID, IsExpired | % {if ($_.IsExpired -eq $True) {$_.PackageID + "," + $_.LocalizedDisplayName}}


Delete AD Application Group for Removed SCCM Application
This Runbook will delete the AD Application Groups for the Removed Applications in SCCM 2012.


Activities information
Below one can see screenshots of the Activities.

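The AD side of both Runbooks above as one added example in plain PowerShell, not one of the post's Runbook activities. It consumes the "PackageID,Name" lines that PS Script 01 emits. For the expired Runbook it deletes the group that carries each listed PackageID; for the removed Runbook the check is inverted, since SCCM no longer knows the ID, so every application group whose PackageID is not in the list of applications that still exist is treated as an orphan. Assumptions: the site code P01 from the post's `Set-Location P01:`, application groups kept under an OU named here as $AppGroupOU, and the sample PackageIDs and application names, which are constructed. Before deleting, the PackageID is matched as a whole token and a group is only removed when exactly one group matches; an ambiguous match is reported and skipped.

```powershell
# Added example, not the post's Runbook activities. Deletes AD application
# groups for expired SCCM applications (Runbook 1) and for applications that
# no longer exist in SCCM (Runbook 2). Assumed: site code P01 (from the post),
# an OU holding the application groups, and constructed sample input.
Import-Module ActiveDirectory

$AppGroupOU = 'OU=ApplicationGroups,DC=LAB,DC=SE'   # assumed OU
$SiteCode   = 'P01'                                  # from "Set-Location P01:"
# A PackageID is the site code followed by five hex digits, e.g. P0100023.
$PackageIdRegex = "$SiteCode[0-9A-F]{5}"

function Find-AppGroup {
    param([string] $PackageID)
    if ($PackageID -notmatch "^$PackageIdRegex$") { throw "Not a PackageID: '$PackageID'" }
    # Server-side wildcard first, then a whole-token match so that P0100023
    # does not also hit a group named for P01000234.
    Get-ADGroup -Filter "Name -like '*$PackageID*'" -SearchBase $AppGroupOU |
        Where-Object { $_.Name -match "(^|[^A-Z0-9])$PackageID([^A-Z0-9]|$)" }
}

function Remove-AppGroupForPackage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $PackageID, [string] $Reason)
    $groups = @(Find-AppGroup -PackageID $PackageID)
    if ($groups.Count -eq 0) { Write-Verbose "No group carries $PackageID"; return }
    if ($groups.Count -gt 1) {
        # Ambiguity is a stop condition, not something to resolve by deleting both.
        Write-Warning "$PackageID matches $($groups.Count) groups, skipping: $($groups.Name -join ', ')"
        return
    }
    if ($PSCmdlet.ShouldProcess($groups[0].Name, "Remove group ($Reason)")) {
        Remove-ADGroup -Identity $groups[0] -Confirm:$false
    }
}

# Runbook 1: expired applications. $ExpiredApps stands in for the output of
# PS Script 01 (IsExpired -eq $True); the lines are constructed samples.
$ExpiredApps = @('P0100023,7-Zip 9.20', 'P0100041,Adobe Reader X')
foreach ($line in $ExpiredApps) {
    $id = ($line -split ',', 2)[0]
    Remove-AppGroupForPackage -PackageID $id -Reason 'expired in SCCM'
}

# Runbook 2: removed applications. $CurrentApps stands in for the list of
# applications that still exist; any group whose PackageID is not in it is an orphan.
$CurrentApps = @('P0100031,Notepad++ 6.5', 'P0100052,VLC 2.1')
$currentIds  = $CurrentApps | ForEach-Object { ($_ -split ',', 2)[0] }

Get-ADGroup -Filter * -SearchBase $AppGroupOU | ForEach-Object {
    $m = [regex]::Match($_.Name, "(?<![A-Z0-9])$PackageIdRegex(?![A-Z0-9])")
    if ($m.Success -and $currentIds -notcontains $m.Value) {
        Remove-AppGroupForPackage -PackageID $m.Value -Reason 'application removed from SCCM'
    }
}
```

Run it with -WhatIf (set $WhatIfPreference = $true for the whole file) the first time: the orphan scan in particular will delete every group under the OU whose PackageID is missing from the list, so an incomplete or empty $CurrentApps, for instance from a failed WinRM call, would remove all of them. Checking that the application list is non-empty before the scan is a cheap guard against that.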

Generate Active Directory group with Orchestrator when new Configuration Manager 2012 Application is created

This is an example on how to automate creation of Active Directory (AD) groups with Orchestrator based on the Applications that are created in System Center Configuration Manager (SCCM). The Runbook will also rename the AD group if the application is renamed in SCCM.

This is the first Runbook in a series of Runbooks that will automate creation and deletion of AD groups and Collections in SCCM based on SCCM application administration.

Prerequisites for this Runbook are that the Integration Pack “Execute PowerShell Script” is installed on the Runbook server and that WinRM is enabled on the SCCM 2012 server.

The Runbook


The Runbook will connect to SCCM with WinRM and get all applications that exist in SCCM, except the ones that are in the state expired. It will then check whether the group already exists in the activity “Get Groups that contains CM ID”. It does so by checking if the SCCM Package ID exists in any AD group name. If the group does not exist in AD, it will create it with the activity “Create Group”.

If the group exists, the activity “Get Groups with SAMAccountName” will be run to see if the name is the same as before. If not, the group will be renamed.

Runbook breakdown


Command: PS Script 01

Import-Module "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1";
Set-Location P01:
Get-CMApplication | Select-Object -Property LocalizedDisplayName, PackageID, IsExpired | % {If ($_.IsExpired -eq $False) {$_.PackageID + "," + $_.LocalizedDisplayName}}
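The remaining activities of the Runbook, as an added example in plain PowerShell rather than the post's own activities: for every "PackageID,Name" line that PS Script 01 emits, look for an AD group carrying that PackageID ("Get Groups that contains CM ID"), create it if none exists ("Create Group"), and otherwise compare the SAMAccountName with the name the application should have now ("Get Groups with SAMAccountName") and rename the group if it drifted. The post only requires the PackageID to be part of the group name; the naming convention APP-<PackageID>-<DisplayName>, the OU in $AppGroupOU and the sample application lines are assumptions.

```powershell
# Added example, not the post's Runbook activities. Creates or renames one AD
# application group per non-expired SCCM application. Assumed: site code P01
# (from the post's "Set-Location P01:"), the naming convention
# "APP-<PackageID>-<DisplayName>", the OU below, and constructed sample input.
Import-Module ActiveDirectory

$AppGroupOU = 'OU=ApplicationGroups,DC=LAB,DC=SE'   # assumed OU
$SiteCode   = 'P01'

function Get-AppGroupName {
    param([string] $PackageID, [string] $DisplayName)
    # sAMAccountName is limited to 64 characters and may not contain "/\[]:;|=,+*?<>
    $safe = ($DisplayName -replace '[\"/\\\[\]:;|=,+*?<>]', '').Trim()
    $name = "APP-$PackageID-$safe"
    if ($name.Length -gt 64) { $name = $name.Substring(0, 64).TrimEnd() }
    return $name
}

function Sync-AppGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $PackageID, [string] $DisplayName)

    if ($PackageID -notmatch "^$SiteCode[0-9A-F]{5}$") { throw "Not a PackageID: '$PackageID'" }
    $wanted = Get-AppGroupName -PackageID $PackageID -DisplayName $DisplayName

    # "Get Groups that contains CM ID": wildcard search, then a whole-token match
    # so that P0100023 is not confused with P01000234.
    $existing = @(Get-ADGroup -Filter "Name -like '*$PackageID*'" -SearchBase $AppGroupOU |
        Where-Object { $_.Name -match "(^|[^A-Z0-9])$PackageID([^A-Z0-9]|$)" })

    if ($existing.Count -eq 0) {
        # "Create Group": a global security group, described with its SCCM origin.
        if ($PSCmdlet.ShouldProcess($wanted, 'Create application group')) {
            New-ADGroup -Name $wanted -SamAccountName $wanted -GroupScope Global `
                -GroupCategory Security -Path $AppGroupOU `
                -Description "SCCM application $DisplayName ($PackageID)"
        }
        return 'created'
    }
    if ($existing.Count -gt 1) {
        Write-Warning "$PackageID matches several groups, not touching: $($existing.Name -join ', ')"
        return 'ambiguous'
    }

    # "Get Groups with SAMAccountName": rename only when the name has changed.
    $group = $existing[0]
    if ($group.SamAccountName -eq $wanted) { return 'unchanged' }
    if ($PSCmdlet.ShouldProcess($group.Name, "Rename to $wanted")) {
        Set-ADGroup -Identity $group -SamAccountName $wanted
        Rename-ADObject -Identity $group -NewName $wanted
    }
    return 'renamed'
}

# Constructed sample lines in the format PS Script 01 emits (PackageID,Name).
$Apps = @('P0100023,7-Zip 9.20', 'P0100031,Notepad++ 6.5')
foreach ($line in $Apps) {
    $id, $name = $line -split ',', 2
    $result = Sync-AppGroup -PackageID $id -DisplayName $name
    Write-Output "$id : $result"
}
```

Because the PackageID is the key and the display name only feeds the group name, renaming an application in SCCM renames the group without losing its members, which is the behaviour the Runbook description calls for. Run with -WhatIf first to see which groups would be created or renamed.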
