
Migrate direct collection membership to AD group

Another PowerShell script. This one takes computers with direct membership in a collection and adds them to an AD group. Run it a second time and it removes the direct membership in the collection if the computer is a member of the AD group and if ConfigMgr knows that through AD discovery.

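# Requires the RSAT ActiveDirectory module; fail here rather than at the first Get-AD* call,
# since a missing module is only a non-terminating error without -ErrorAction Stop.
Import-Module ActiveDirectory -ErrorAction Stop
# ConfigMgr site server and the SMS provider namespace used for every WMI query below.
$SMSServer = "server1"
$SMSNamespace = "root\sms\site_SMS"
# Each pair is (CollectionID, AD group name) for one maintenance-window SLA.
$SLA0 = ("C01000C8", "EntSCCM_SLA0") #AnyTime
$SLA2 = ("C0100060", "EntSCCM_SLA2") #Sunday
$SLA3 = ("C0100061", "EntSCCM_SLA3") #NoWindow
# Array of those pairs; the migration loop unpacks each one as ($Col, $Group).
$colGroupArr = @($SLA0, $SLA2, $SLA3)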

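# If computer is a direct member of the collection we add it to the AD group.
# If the computer is a member of the AD group, and SCCM knows that, the direct membership is removed.
# Reads $SMSServer, $SMSNamespace and $colGroupArr (array of (CollectionID, GroupName) pairs) set
# earlier in the script. A group or collection that cannot be resolved skips that pair instead of
# running the member loop against a $null object.
$colGroupArr | ForEach-Object {
    $Col, $Group = $_
    Write-Host "Migrating computers from collectionID $Col to AD group $Group"
    # Resolve the target group first; without -ErrorAction Stop a missing group is a
    # non-terminating error and $ADGroup silently stays $null.
    $ADGroup = $null
    try { $ADGroup = Get-ADGroup -Identity $Group -ErrorAction Stop }
    catch { Write-Warning "AD group $Group was not found, skipping collection $Col"; return }
    # Get a SMS_Collection object to be able to use DeleteMembershipRule
    $delCol = Get-WmiObject -Query "select * from SMS_Collection where CollectionID = '$Col'" -ComputerName $SMSServer -Namespace $SMSNamespace
    if ($delCol -eq $null) { Write-Warning "Collection $Col was not found on $SMSServer, skipping"; return }
    # Get() loads the lazy properties (CollectionRules among them) that the query result lacks.
    $delCol.Get()
    # Constant per group, so build it once. '\\' is a WQL-escaped single backslash.
    # NOTE(review): GroupScope yields Global/Universal/DomainLocal rather than a domain name — confirm
    # this matches the systemgroupname value that AD group discovery records, otherwise $inGroup is always $null.
    $ADGroupSAM = $ADGroup.GroupScope.ToString() + '\\' + $ADGroup.SamAccountName.ToString()
    # Get all members of the collection
    Get-WmiObject -Query "select * from SMS_CM_RES_Coll_$Col" -ComputerName $SMSServer -Namespace $SMSNamespace |
    Sort-Object -Property Name |
    Where-Object { $_.IsDirect -eq $True } |
    ForEach-Object {
        # Assign rather than Clear-Variable: Clear-Variable errors on the first pass when the variable does not exist yet.
        $ADComputer = $null
        $ComputerName = $_.Name
        # -ErrorAction Stop makes the not-found case a terminating error so the catch actually fires.
        try { $ADComputer = Get-ADComputer -Identity $ComputerName -Property memberOf -ErrorAction Stop }
        catch { Write-Host "$ComputerName was not found in AD" }
        if ($ADComputer -eq $null) { return }   # nothing to do for a computer AD does not know; next member
        if ($ADComputer.memberOf -contains $ADGroup.DistinguishedName) {
            # The computer is a member of the AD group. Check if ConfigMgr has discovered that.
            # The name comes from the ConfigMgr database; escape WQL string metacharacters before interpolating it.
            $wqlName = $ComputerName -replace '([\\''])', '\$1'
            $inGroup = Get-WmiObject -Query "select * from sms_r_system where name='$wqlName' and systemgroupname='$ADGroupSAM'" -ComputerName $SMSServer -Namespace $SMSNamespace
            if ($inGroup -ne $null) {
                # The computer is in group and ConfigMgr knows it so remove the direct membership
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) so removing it from collection $($delCol.Name)"
                $delCol.CollectionRules |
                Where-Object { $_.RuleName -eq $ADComputer.Name -and $_.__CLASS -eq "SMS_CollectionRuleDirect" } |
                ForEach-Object {
                    $ReturnValue = $delCol.DeleteMembershipRule($_)
                    # WMI method calls return an object whose ReturnValue is 0 on success; surface anything else
                    # instead of discarding it, so a rule that was not removed is visible in the run output.
                    if ($ReturnValue.ReturnValue -ne 0) {
                        Write-Warning "DeleteMembershipRule for $ComputerName returned $($ReturnValue.ReturnValue)"
                    }
                }
            } else {
                # The computer is in the group but ConfigMgr doesn't know that
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) but ConfigMgr hasn't discovered it yet"
            }
        } else {
            # The computer is not a member of the AD group so add it
            Write-Host "$ComputerName is a directMember in collection but not in group so adding it to $($ADGroup.SamAccountName)"
            Add-ADGroupMember -Identity $ADGroup -Members $ADComputer
        }
    }
}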