question

Techie365-5616 asked; AmitaMenon-3691 edited

How do I automatically add computers to an AD security group?

We have Azure VMs in an autoscale group and need to ensure that VMs added to or removed from the given OU automatically update a security group.

Let's assume for our case we have:
ou=WVD,dc=MyDomain,dc=com

a security group called WVD_Hosts

Is there a good script that can query whatever computer objects reside in this OU (excluding any sub-OUs) and ensure those objects are added to the WVD_Hosts security group?

Additionally, as autoscale removes any objects, the script also needs to remove them from the security group.

Tags: windows-active-directory, azure-virtual-desktop

AndreasBaumgarten answered

Hi @Techie365-5616 ,

This might help to get started. The script is not tested so far, and using it is at your own risk!

    $ou  = 'OU=WVD,DC=MyDomain,DC=com'
    $grp = 'WVD_Hosts'

    # Members already in the group: Add-ADGroupMember errors on an account that is already a member
    $current = @(Get-ADGroupMember -Identity $grp)

    # Add computers that sit directly in the OU (OneLevel excludes sub-OUs) and are not members yet
    Get-ADComputer -SearchBase $ou -Filter * -SearchScope OneLevel |
        Where-Object { $_.DistinguishedName -notin $current.DistinguishedName } |
        ForEach-Object { Add-ADGroupMember -Identity $grp -Members $_ }

    # Remove members whose parent container is not exactly the OU.
    # Comparing with -notlike "*$ou" would also keep computers in sub-OUs; the split
    # takes everything after the first unescaped comma, i.e. the parent DN.
    foreach ($member in $current)
        {
        $parent = ($member.DistinguishedName -split '(?<!\\),', 2)[1]
        if ($parent -ne $ou)
            {
            # -Confirm:$false so the script does not prompt when run from a scheduled task
            Remove-ADGroupMember -Identity $grp -Members $member -Confirm:$false
            }
        }


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten



@AndreasBaumgarten thank you! That was very helpful, and we successfully ran the script to add machines. I'll keep an eye out in the coming weeks as autoscale removes VMs and see if it successfully removes members, but I don't see why it wouldn't.

We also created a task on a domain controller to invoke the script twice during the times autoscale tends to make changes.


Hi @Techie365-5616 ,

Thanks for the feedback.


Kind regards
Andreas Baumgarten


Can you please look at the script from IanXue and advise on the differences to what you proposed?

IanXue-MSFT answered

Hi,

Does this work for you?

    $ou    = 'OU=WVD,DC=MyDomain,DC=com'
    $group = 'WVD_Hosts'
    # Current members, fetched once; Add-ADGroupMember errors if the computer is already a member
    $members = @(Get-ADGroupMember -Identity $group)
    Get-ADComputer -Filter * -SearchBase $ou -SearchScope 1 |
        Where-Object { $_.DistinguishedName -notin $members.DistinguishedName } |
        ForEach-Object { Add-ADGroupMember -Identity $group -Members $_ }
    # Remove computer members whose immediate parent is not the OU. A plain -notmatch $ou
    # treats the DN as a regex and would also keep computers in sub-OUs.
    $members | Where-Object {
        ($_.objectClass -eq 'computer') -and
        ((($_.distinguishedName -split '(?<!\\),', 2)[1]) -ne $ou) } | ForEach-Object {
        Remove-ADGroupMember -Identity $group -Members $_ -Confirm:$false }

Best Regards,
Ian Xue
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Thank you for sharing. Can you help elaborate how this logic is different from the prior script above?
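As an added example (not code from either answer above, nor from the thread's author), the following PowerShell function does the same OU-to-group reconciliation the question asks for in one idempotent pass: it computes the add and remove sets first, supports -WhatIf for a dry run, and returns what changed so the scheduled task mentioned in the comments can log it. It assumes the ActiveDirectory module (RSAT) is installed and that the running account has been delegated "Write Members" on the group; the OU and group names are the ones from the question, and the function and helper names are made up for this example.

```powershell
# Added example: reconcile the computer members of an AD group against the computers
# that sit directly in one OU. Not the original answers' code; function names are invented here.
Import-Module ActiveDirectory

function Get-ParentDn {
    # Parent container of a DN: everything after the first unescaped comma.
    # The lookbehind skips commas escaped with a backslash (e.g. "CN=Smith\, John"),
    # which a wildcard test such as -like "*$ou" or -match $ou does not handle.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Sync-OuComputersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OrganizationalUnit,
        [Parameter(Mandatory)][string]$Group
    )

    # Desired state: computers directly in the OU. OneLevel excludes sub-OUs, as the question requires.
    $desired = @(Get-ADComputer -SearchBase $OrganizationalUnit -SearchScope OneLevel -Filter * |
        Select-Object -ExpandProperty DistinguishedName)

    # Current state: computer members only. Users or nested groups in the group are left alone,
    # so a bad run cannot strip unrelated members.
    $current = @(Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'computer' |
        Select-Object -ExpandProperty distinguishedName)

    # Membership is decided purely by DN, so the comparison is exact rather than a substring match.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Add $($toAdd.Count) computer(s)")) {
        # One call for the whole set; nothing in $toAdd is already a member, so the
        # "already a member" error from Add-ADGroupMember cannot occur.
        Add-ADGroupMember -Identity $Group -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($Group, "Remove $($toRemove.Count) computer(s)")) {
        # -Confirm:$false: Remove-ADGroupMember otherwise prompts and would hang a scheduled task.
        Remove-ADGroupMember -Identity $Group -Members $toRemove -Confirm:$false
    }

    # Return the change set so the caller (or scheduled task) can log it.
    [pscustomobject]@{
        Group   = $Group
        Added   = $toAdd
        Removed = $toRemove
    }
}

# Dry run first: -WhatIf prints the planned adds and removes without touching the group.
Sync-OuComputersToGroup -OrganizationalUnit 'OU=WVD,DC=MyDomain,DC=com' -Group 'WVD_Hosts' -WhatIf

# Real run; this is the line to put in the scheduled task, e.g. with output appended to a log file:
# Sync-OuComputersToGroup -OrganizationalUnit 'OU=WVD,DC=MyDomain,DC=com' -Group 'WVD_Hosts' |
#     ConvertTo-Json -Compress | Out-File -Append C:\Logs\wvd-hosts-sync.log
```

Two practitioner notes. First, the task does not need to run on a domain controller or as a Domain Admin: delegating "Write Members" on WVD_Hosts to a dedicated (ideally group managed) service account and running the task from a management host under that account limits what a compromised script or host can change to this one group. Second, Get-ADGroupMember is subject to the AD Web Services result limit (5000 members by default), so for a very large host pool read the group's member attribute directly instead.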