
I'm trying to set up my task sequence for SCCM to automatically add laptops to 3 Active Directory groups. I've set up a step to do this and am calling a PowerShell script to do so. The script should be run as a network admin, so I don't believe I'm having any issues with authorization; however, I am super new to PowerShell, so I believe my issue is with my syntax. My script is simple enough, and all of the resources I look at seem to overcomplicate PowerShell for what I need to do. Here is my script:

ADD-ADGroupMember "GroupOne" -members "$env:computername$"
ADD-ADGroupMember "GroupTwo" -members "$env:computername$"
ADD-ADGroupMember "GroupThree" -members "$env:computername$"

The $env:computername is supposed to automatically gather the computer's name, which is established earlier in the task sequence, and the $ following it is required when adding a computer using PowerShell, I've found.

Any help on this would be very much appreciated.

EDIT: I've finally got it working; below is the code I found and used for one of the PowerShell scripts:

$ComputerName = gc env:computername

# First check whether the computer is already a member of the group
# (fill in the <...> placeholders with the group's DN components)
$isMember = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$isMember.filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName$)(memberof=CN=<CN NAME>,OU=<OU NAME>,DC=<DC NAME>,DC=<DC NAME>))"
$isMemberResult = $isMember.FindOne()

if ($isMemberResult) {
    exit
} else {
    # Look up the computer object and add its ADsPath to the group
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName$))"
    $FoundComputer = $searcher.FindOne()
    $P = $FoundComputer | select path
    $ComputerPath = $P.path
    $GroupPath = "LDAP://CN=<CN NAME>,OU=<OU NAME>,DC=<DC NAME>,DC=<DC NAME>"
    $Group = [ADSI]"$GroupPath"
    $Group.Add("$ComputerPath")
    $Group.SetInfo()
}
Slytherquinn
  • One thought is that `Add-ADGroupMember` is an AD cmdlet installed with RSAT. Does the machine that is running this have RSAT installed so that it has the AD cmdlets? – BenH May 15 '17 at 18:36
  • I would recommend updating the question to include any error messages you have received; without that, we can't be sure that you're correct about your problem being 'syntax'. – Jeff Zeitlin May 16 '17 at 11:31
  • @BenH I thought that this was already a part of the package but it actually looks like it wasn't. So right now I'm working on running a script that doesn't use AD cmdlets – Slytherquinn May 16 '17 at 17:21

2 Answers


Instead of trying to compose the computer's account name from an environment variable, and then using that to add to the group, simply get the computer object from Active Directory:

$Computer = Get-ADComputer -Identity $env:ComputerName
foreach ($Group in @("GroupOne", "GroupTwo", "GroupThree")) {
    Add-ADGroupMember -Identity $Group -Members $Computer
}
Jeff Zeitlin
  • Thanks for your answer! I have a computer booting up now. I'll let you know if I'm successful! – Slytherquinn May 15 '17 at 20:22
  • Thanks for your help! Turns out the user that was "running" my scripts did not have sufficient access to add a computer to AD OUs. I also did not have the AD cmdlets in the package associated with the step. What I did instead was I ran a bat file which contained: powershell.exe -executionpolicy bypass -file "%~dp0addToGroup1.ps1" powershell.exe -executionpolicy bypass -file "%~dp0addToGroup2.ps1" powershell.exe -executionpolicy bypass -file "%~dp0addToGroup3.ps1" The ~dp0 portion evidently is used with the execution policy to ensure that the file is being pulled -- – Slytherquinn May 18 '17 at 15:28
  • -- from the "current" directory (where my powershell scripts were located). My powershell script will have to be added as an answer so look on this page for that. – Slytherquinn May 18 '17 at 15:30
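An added example (not from the answer above or its author) that keeps the same Get-ADComputer / Add-ADGroupMember approach but adds the checks a task-sequence step needs: it fails early if the RSAT ActiveDirectory module is missing (the cause raised in the comments), skips groups the computer is already in so reruns are harmless, and returns a non-zero exit code so SCCM records the failure instead of continuing silently. The group names are placeholders. The account the step runs as only needs "Write Members" delegated on those specific groups; it does not need broader admin rights.

```powershell
# Added example: RSAT-based version with prerequisite check, idempotent add
# and an exit code the task sequence can act on. Group names are placeholders.

$Groups = @("GroupOne", "GroupTwo", "GroupThree")

# Fail early and visibly if the AD cmdlets are not present on this image.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
} catch {
    Write-Error "ActiveDirectory module (RSAT) is not available: $_"
    exit 1
}

# Resolve the computer object once; request memberOf so we can skip groups it is already in.
try {
    $Computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf -ErrorAction Stop
} catch {
    Write-Error "Computer account '$env:COMPUTERNAME' not found in AD: $_"
    exit 1
}

$failed = 0
foreach ($GroupName in $Groups) {
    try {
        $Group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    } catch {
        Write-Warning "Group '$GroupName' not found: $_"
        $failed++
        continue
    }

    # memberOf holds the DNs of the groups the computer already belongs to.
    if ($Computer.memberOf -contains $Group.DistinguishedName) {
        Write-Output "$($Computer.Name) is already a member of $GroupName"
        continue
    }

    try {
        Add-ADGroupMember -Identity $Group -Members $Computer -ErrorAction Stop
        Write-Output "Added $($Computer.Name) to $GroupName"
    } catch {
        Write-Warning "Failed to add $($Computer.Name) to ${GroupName}: $_"
        $failed++
    }
}

# A non-zero exit code makes the task sequence step report failure.
if ($failed -gt 0) { exit 1 }
exit 0
```

Run it from the step as `powershell.exe -ExecutionPolicy Bypass -File addToGroups.ps1` (the same pattern the comments above use); the warnings and the exit code end up in the step's log, which is what you want to look at when a machine does not show up in a group.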

Since you mentioned that you didn't have the AD cmdlets available, here's how you could do it with ADSI:

# Look up the computer's distinguished name once
$filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
$ComputerDN = [string]([adsisearcher]$filter).FindOne().Properties.distinguishedname[0]

foreach ($GroupName in @("GroupOne", "GroupTwo", "GroupThree")) {
    # Resolve the group's distinguished name and bind to it
    $filter = "(&(objectClass=Group)(cn=$GroupName))"
    $GroupDN = [string]([adsisearcher]$filter).FindOne().Properties.distinguishedname[0]
    $Group = [adsi]"LDAP://$GroupDN"

    # IADsGroup.Add expects an ADsPath, so the DN needs the LDAP:// prefix
    $Group.Add("LDAP://$ComputerDN")
}

If you have any more groups, it would probably be worth turning this into a function.

Just make sure that whatever user context is running this has rights to add members to that group.

BenH
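As an added example (not the answer's own code, nor the asker's), here is the ADSI approach turned into the function the answer suggests, so it works on images without RSAT. It also covers what the asker's EDIT script does by hand: it checks memberOf first so reruns are idempotent, passes an ADsPath (`LDAP://<dn>`) to IADsGroup.Add as that method requires, escapes the names before placing them in the LDAP filter (the RFC 4515 special characters, so a name containing `(`, `)`, `*` or `\` cannot alter the query), and reports failures through the exit code. The function names and group names below are assumptions, not anything from the page.

```powershell
# Added example: ADSI-only helper for adding a computer to several groups.
# Function and group names are placeholders chosen for this example.

function ConvertTo-LdapFilterValue {
    # Escape the characters that have special meaning inside an LDAP search filter (RFC 4515).
    param([Parameter(Mandatory)][string]$Value)
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped = $escaped -replace "`0", '\00'
    return $escaped
}

function Get-AdsiObject {
    # Find one directory object by LDAP filter; returns a SearchResult or $null.
    param([Parameter(Mandatory)][string]$Filter)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    return $searcher.FindOne()
}

function Add-ComputerToAdGroup {
    # Adds the computer to each named group, skipping groups it is already in.
    # Returns the number of groups that could not be processed.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$GroupName
    )
    $cn = ConvertTo-LdapFilterValue $ComputerName
    # Computer accounts have a trailing $ in sAMAccountName.
    $computer = Get-AdsiObject "(&(objectCategory=computer)(sAMAccountName=$cn$))"
    if (-not $computer) { throw "Computer account '$ComputerName' not found" }
    $computerDn = [string]$computer.Properties['distinguishedname'][0]
    # memberOf lists the DNs of the groups the computer already belongs to.
    $currentGroups = @($computer.Properties['memberof'] | ForEach-Object { [string]$_ })

    $failed = 0
    foreach ($name in $GroupName) {
        $gn = ConvertTo-LdapFilterValue $name
        $group = Get-AdsiObject "(&(objectClass=group)(cn=$gn))"
        if (-not $group) { Write-Warning "Group '$name' not found"; $failed++; continue }
        $groupDn = [string]$group.Properties['distinguishedname'][0]

        if ($currentGroups -contains $groupDn) {
            Write-Host "$ComputerName is already a member of $name"
            continue
        }
        try {
            $adsiGroup = [ADSI]"LDAP://$groupDn"
            # IADsGroup.Add takes an ADsPath, not a bare DN.
            $adsiGroup.Add("LDAP://$computerDn")
            Write-Host "Added $ComputerName to $name"
        } catch {
            Write-Warning "Failed to add $ComputerName to ${name}: $_"
            $failed++
        }
    }
    return $failed
}

# Entry point for the task sequence step: exit code 1 on any failure.
try {
    $failures = Add-ComputerToAdGroup -ComputerName $env:COMPUTERNAME -GroupName 'GroupOne', 'GroupTwo', 'GroupThree'
} catch {
    Write-Error $_
    exit 1
}
if ($failures -gt 0) { exit 1 }
exit 0
```

Progress messages go through Write-Host rather than Write-Output so that they are not captured into `$failures` along with the return value. The script runs under whatever context the task sequence step uses; that account needs "Write Members" on the target groups and nothing more.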