Add one computer object to many AD groups

(Last updated on February 15, 2019)

I recently visited a Specops Deploy customer that was migrating from Windows 7 to Windows 10. As part of the preparations, they went through their Deploy App targets to make sure that the correct applications would be rolled out to the new Windows 10 machines.

Since they had only used Windows 7, they were using a single target based on the computer OU in Active Directory. In other words, all standard application deployments were on the same target. Going forward, they wanted to split everything into one target for each deployment, with every target based on a security group in AD.

This was easily done using Specops Deploy App. We simply exported all Deployments and associated computer names, and put the computers in the newly created security groups. Afterwards, we changed the target for each deployment from the old OU-based target to the new targets based on security groups.

This will of course make the pre-staging of new computers a bit more time-consuming, as you will need to make the computer a member of the security groups so that the applications can be installed.

Here is a script you can use to make a computer account a member of many security groups. It uses a text file that contains all the security group names.

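# The AD cmdlets used below come from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

function Add-ComputerToGroups {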
[CmdletBinding()]
param(

    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$ComputerName,

    [Parameter(Mandatory=$true)]
    [ValidateNotNullOrEmpty()]
    [string]$FileNameWithGroupNames
)

    # Make error text easier to spot in the ISE and in the console
    if ($Host.Name -eq 'Windows PowerShell ISE Host')
    {
      $Host.PrivateData.ErrorForegroundColor = 'Pink'
    }
    if ($Host.Name -eq 'ConsoleHost')
    {
      $Host.PrivateData.ErrorForegroundColor = 'Cyan'
    }

    # Stop the script if an error occurs
    $ErrorActionPreference = 'Stop'

    # Show messages with Write-Verbose
    $VerbosePreference = 'Continue'

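    Write-Verbose "Getting computer $ComputerName"
    $computer = Get-ADComputer -Identity $ComputerName
    Write-Verbose "Found computer $ComputerName"

    # Skip blank lines and trim stray whitespace around each group name
    Get-Content -Path $FileNameWithGroupNames |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
        ForEach-Object {
            $groupName = $_.Trim()
            Write-Verbose "Adding $ComputerName to group $groupName"
            Add-ADGroupMember -Identity $groupName -Members $computer.DistinguishedName
            Write-Verbose "Adding $ComputerName to group $groupName succeeded"
        }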

}

Add-ComputerToGroups -ComputerName 'CLIENT17' -FileNameWithGroupNames 'C:\Temp\Groups.txt'

The text file Groups.txt should contain only security group names, one name per line, with no commas or other separator characters.
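
Because the script above stops at the first error, a typo halfway down Groups.txt leaves the computer in only some of the groups. The following is an added example, not part of the original script: it resolves every name first, refuses to change anything if a name is missing or is not a security group, skips memberships that already exist, and supports -WhatIf. The function name Add-ComputerToGroupsChecked is hypothetical.

```powershell
# Added example: hypothetical function name; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Add-ComputerToGroupsChecked {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$FileNameWithGroupNames
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties MemberOf -ErrorAction Stop

    # Trim stray whitespace, drop blank lines and duplicates
    $names = Get-Content -Path $FileNameWithGroupNames |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique

    # Pass 1: resolve every name before changing anything
    $groups = @()
    $problems = @()
    foreach ($name in $names) {
        try {
            $group = Get-ADGroup -Identity $name -ErrorAction Stop
            if ($group.GroupCategory -ne 'Security') {
                $problems += "$name is not a security group"
            } else {
                $groups += $group
            }
        } catch {
            $problems += "$name could not be resolved: $($_.Exception.Message)"
        }
    }
    if ($problems) {
        throw "No changes made. Fix the group list first:`n$($problems -join "`n")"
    }

    # Pass 2: add only the missing memberships and report each outcome
    foreach ($group in $groups) {
        if ($computer.MemberOf -contains $group.DistinguishedName) {
            [pscustomobject]@{ Group = $group.Name; Result = 'AlreadyMember' }
        } elseif ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add $ComputerName")) {
            Add-ADGroupMember -Identity $group -Members $computer
            [pscustomobject]@{ Group = $group.Name; Result = 'Added' }
        }
    }
}

# Preview the changes first, then run again without -WhatIf
Add-ComputerToGroupsChecked -ComputerName 'CLIENT17' -FileNameWithGroupNames 'C:\Temp\Groups.txt' -WhatIf
```

The objects it returns can be piped to Export-Csv to keep a record of which memberships were added during pre-staging.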

Happy Deployment!

Written by

Mikael Ingelin

Product Specialist, Specops Software
