What is the best way to add any workstation added to an OU to a Security Group

This topic contains 2 replies, has 3 voices, and was last updated by Rob Simmers 1 year, 4 months ago.

  • #26395
    Kelly Farrell

    I'm trying to link the GPO at the Workstations OU, where I call this PowerShell script in the Computer section of the GPO, but it doesn't seem to want to run and I don't see any errors as to why it's not running. I can get this script to run on one of our servers as a scheduled task, but the department that needs this doesn't like doing it that way. It also takes a long time for the computer to finally show up in the security group; not sure if that's normal. I would think it would be quicker, like less than 2 minutes, but it seems to take 30 minutes or so.

    # Load the RSAT Active Directory module explicitly so the cmdlets below resolve wherever the script runs.
    Import-Module ActiveDirectory
    $ErrorActionPreference = "silentlycontinue"
    # Every computer directly under the Lab Manager OU is added to the exception group by distinguished name.
    Get-ADComputer -SearchBase 'OU=Lab Manager,OU=Dresher,OU=Workstation,OU=Retirement Computers,DC=rsd,DC=crumprsd,DC=com' -Filter * -SearchScope OneLevel |
        ForEach-Object { Add-ADGroupMember -Identity 'GPO-LOCAL-ADMIN-EXCP' -Members $_.DistinguishedName }

  • #26398
    Paul Johnston

    Can I ask what way they do want the script to run? As in, what is the end goal here?

    As for the computer account taking a while to show up in the security group, that sounds more like AD replication than the script actually taking 30 minutes to complete.

  • #26399
    Rob Simmers

    If every computer in the OU is getting a GPO, then why not just link the GPO to the OU versus creating a group and delegating permission to a policy to do an exclusion?

    To answer your question: if you look at the help, it indicates the Add-ADGroupMember -Member switch is looking for a string array (string[]) of ADPrincipal[]. So, you can try this:

    Add-ADGroupMember 'GPO-LOCAL-ADMIN-EXCP' -Members ( Get-ADComputer -SearchBase 'OU=Lab Manager,OU=Dresher,OU=Workstation,OU=Retirement Computers,DC=rsd,DC=crumprsd,DC=com' -Filter * -SearchScope OneLevel )

    Before you run the above, to test I would change the -Filter to a single computer and ensure it gets added to the group. Most of the examples I see are using .Name, not DistinguishedName. So you can update your code to reflect .Name, or, if you try the code above, add something like the below to make it an array of names passed to -Members:

    ... -SearchScope OneLevel | Select -ExpandProperty Name
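An added example that is not part of the thread, tying the two suggestions together: it reads the OU and group named above, adds only the computers that are not already members in a single Add-ADGroupMember call, supports -WhatIf, and writes a log instead of silencing errors. It assumes the ActiveDirectory module is installed where it runs and that `$env:ProgramData\OuGroupSync.log` (an assumed path) is writable by the scheduled-task account.

```powershell
# Added example (not from the thread): idempotent sync of an OU's computers into a group.
# Assumes the ActiveDirectory module (RSAT) is present and the running account can
# modify the member attribute of the target group (nothing broader is required).
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = 'OU=Lab Manager,OU=Dresher,OU=Workstation,OU=Retirement Computers,DC=rsd,DC=crumprsd,DC=com',
    [string]$GroupName  = 'GPO-LOCAL-ADMIN-EXCP',
    [string]$LogPath    = "$env:ProgramData\OuGroupSync.log"   # assumed log location
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log ([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

try {
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop

    # Index current members by distinguished name so the comparison is exact, not name-based.
    $current = @{}
    Get-ADGroupMember -Identity $group | ForEach-Object { $current[$_.DistinguishedName] = $true }

    # Only computers directly under the OU (OneLevel), matching the original script's scope.
    $inOu    = @(Get-ADComputer -SearchBase $SearchBase -SearchScope OneLevel -Filter *)
    $missing = @($inOu | Where-Object { -not $current.ContainsKey($_.DistinguishedName) })

    if ($missing.Count -eq 0) {
        Write-Log "Nothing to do: all $($inOu.Count) computer(s) in the OU are already in $GroupName."
        return
    }

    if ($PSCmdlet.ShouldProcess($GroupName, "Add $($missing.Count) computer(s)")) {
        # One call with the whole ADPrincipal[] array, as suggested in the thread, not one call per computer.
        Add-ADGroupMember -Identity $group -Members $missing -ErrorAction Stop
        $missing | ForEach-Object { Write-Log "Added $($_.DistinguishedName) to $GroupName" }
    }
}
catch {
    # Do not swallow errors: a logged failure is what makes a silent task run diagnosable.
    Write-Log "ERROR: $($_.Exception.Message)"
    throw
}
```

Run it once with -WhatIf to see which computers would be added; each real addition is then recorded in the log, which a GPO startup script or scheduled task would otherwise never give you.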
