Trouble adding computer object to GPO security filter



  • #179289


    I am working on a larger script to spin up new servers in VMware for a customer. I have a function for adding the object to the correct OU in A.D. and, based on the type of server, adding it to the security filter on a GPO. The problem I am encountering is the GPOs all live in the parent domain, but occasionally the addition fails if the server is from the child domain. The object creation is straightforward and always works:

    # $sOU and $Description are set earlier in the larger script
    $Name = "newServerName"
    $sDomain = "child.domain.com"
    New-ADComputer -Name $Name -Server $sDomain -Path $sOU -Description $Description
    

    The second piece, if the server meets the criteria, is something like this:

    $oGPO = Get-GPO -Name $GPO -Domain "parent.domain.com"
    Set-GPPermissions -Name $oGPO.DisplayName -PermissionLevel GpoApply -TargetName $Name -TargetType Computer -DomainName $sDomain
    

    About 90% of the time the addition to the GPO security filter fails. The error is: "The operation cannot be completed because "serverName$" is not a valid computer in the parent.domain.com domain". So it is looking for the computer object in the parent domain, not the child. However, if I run it again immediately, with the object now created in A.D., it always goes through just fine. I have attempted to add a sleep, or a while loop until Get-ADComputer returns the computer object, but the addition still fails. I also tried using the machine's FQDN, but the error comes back "serverName.child.domain.com$ is not a valid computer in the parent.domain.com domain". Just curious if there is something else I can try.

  • #179310


    I did confirm that if I create the computer object, then go through the rest of the server build script, then try to add it to the security filter, it works much more often. I would love to find a solution that doesn't require breaking up the function, however.
