widsnet.com
12Mar/12

ManagedBy in Administrators by GPO/GPP

This is a neat solution that doesn't use any script: it adds the managedBy user of the computer object to the local Administrators group.
Or to Remote Desktop Users or any other group you like, of course...

It's easy to limit where it applies with the help of Security Filtering or the OU structure.

GPO: Preferences -> Control Panel Settings -> Local Users and Groups
New -> Local Group

Local Group tab
Group name: Administrators (Built-In)
Members: %managedByUser%

Common tab
[x] Item-level targeting
-> [Targeting...]
New Item -> LDAP Query
Filter: (&(objectCategory=computer)(objectClass=computer)(cn=%ComputerName%))
Binding: LDAP:
Attribute: managedBy
Environment variable name: managedBy

New Item -> LDAP Query
Filter: (&(objectCategory=user)(objectClass=user)(distinguishedName=%managedBy%))
Binding: LDAP:
Attribute: sAMAccountName
Environment variable name: managedByUser
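Added example, not from the original post: a PowerShell report that performs the same two lookups as the targeting items above, so you can see which account each computer's managedBy would put into the local Administrators group, and which computers the item silently skips (no managedBy, or a managedBy that is a group rather than a user). The search base DN is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-ManagedByAdminReport {
    param(
        # Placeholder search base; replace with the OU the GPO is linked to
        [Parameter(Mandatory)] [string] $SearchBase
    )
    # First query equivalent: every computer object and its managedBy attribute
    Get-ADComputer -Filter * -SearchBase $SearchBase -Property managedBy |
    ForEach-Object {
        $computer = $_
        $report = [ordered]@{
            ComputerName = $computer.Name
            ManagedBy    = $computer.managedBy
            ResolvedUser = $null
            Status       = 'NoManagedBy'   # %managedBy% stays empty, item is not applied
        }
        if ($computer.managedBy) {
            try {
                # Second query equivalent: resolve the DN to an object and its sAMAccountName
                $obj = Get-ADObject -Identity $computer.managedBy -Property objectClass, sAMAccountName
                if ($obj.objectClass -eq 'user') {
                    $report.ResolvedUser = $obj.sAMAccountName
                    $report.Status = 'GrantsLocalAdmin'
                } else {
                    # (objectCategory=user) does not match a group or contact, so nothing is added
                    $report.Status = "NotAUser:$($obj.objectClass)"
                }
            } catch {
                # The DN could not be resolved; fix the attribute before relying on the policy
                $report.Status = 'Unresolved'
            }
        }
        [pscustomobject]$report
    }
}

# Usage: list who the policy would make local Administrators, and the computers it skips
Get-ManagedByAdminReport -SearchBase 'OU=Clients,DC=domain,DC=com' |
    Format-Table ComputerName, ResolvedUser, Status -AutoSize
```

Run it before linking the GPO and again after changes to managedBy, since every user listed as GrantsLocalAdmin gets full local administrator rights on that computer.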

29Nov/11

Migrate direct collection membership to AD group

Another PowerShell script. This one takes computers with direct membership in a collection and adds them to an AD group. Run it a second time and it removes the direct membership in the collection if the computer is a member of the AD group and ConfigMgr knows that through AD discovery.

Import-Module ActiveDirectory
$SMSServer = "server1"
$SMSNamespace = "root\sms\site_SMS"
$SLA0 = ("C01000C8", "EntSCCM_SLA0") #AnyTime
$SLA2 = ("C0100060", "EntSCCM_SLA2") #Sunday
$SLA3 = ("C0100061", "EntSCCM_SLA3") #NoWindow
$colGroupArr = @($SLA0, $SLA2, $SLA3)
# SMS_R_System.SystemGroupName is stored as "NETBIOSDOMAIN\GroupName", so the
# NetBIOS domain name is needed to match the group in the discovery data
$NetBIOSDomain = (Get-ADDomain).NetBIOSName

# If computer is a direct member of the collection we add it to the AD group.
# If the computer is a member of the AD group, and SCCM knows that, the direct membership is removed.
$colGroupArr | ForEach-Object {
    $Col, $Group = $_
    Write-Host "Migrating computers from collectionID $Col to AD group $Group"
    $ADGroup = Get-ADGroup $Group
    # The backslash is doubled because it is an escape character in WQL string literals
    $ADGroupSAM = $NetBIOSDomain + '\\' + $ADGroup.SamAccountName
    # Get a SMS_Collection object to be able to use DeleteMembershipRule
    $delCol = Get-WmiObject -Query "select * from SMS_Collection where CollectionID = '$Col'" -ComputerName $SMSServer -Namespace $SMSNamespace
    # Get() loads the lazy properties, CollectionRules among them
    $delCol.Get()
    # Get all direct members of the collection
    Get-WmiObject -Query "select * from SMS_CM_RES_Coll_$Col" -ComputerName $SMSServer -Namespace $SMSNamespace |
    Sort-Object -Property Name |
    Where-Object { $_.IsDirect -eq $True } |
    ForEach-Object {
        $ADComputer = $null
        $ComputerName = $_.Name
        # Get the computer object from AD; catch the terminating error so a missing object does not abort the loop
        try { $ADComputer = Get-ADComputer $ComputerName -Property memberOf }
        catch { Write-Host "$ComputerName was not found in AD" }
        If ($ADComputer -ne $null -and $ADComputer.memberOf -contains $ADGroup.DistinguishedName) {
            # The computer is a member of the AD group. Check if ConfigMgr has discovered that
            $inGroup = Get-WmiObject -Query "select * from SMS_R_System where Name='$ComputerName' and SystemGroupName='$ADGroupSAM'" -ComputerName $SMSServer -Namespace $SMSNamespace
            If ($inGroup -ne $null) {
                # The computer is in the group and ConfigMgr knows it, so remove the direct membership rule
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) so removing it from collection $($delCol.Name)"
                $delCol.CollectionRules |
                Where-Object { $_.RuleName -eq $ADComputer.Name -and $_.__CLASS -eq "SMS_CollectionRuleDirect" } |
                ForEach-Object { $ReturnValue = $delCol.DeleteMembershipRule($_) }
            } Else {
                # The computer is in the group but ConfigMgr doesn't know that yet
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) but ConfigMgr hasn't discovered it yet"
            }
        } ElseIf ($ADComputer -ne $null) {
            # The computer is not a member of the AD group, so add it
            Write-Host "$ComputerName is a direct member in collection but not in group so adding it to $($ADGroup.SamAccountName)"
            Add-ADGroupMember -Identity $ADGroup -Members $ADComputer
        }
    }
}

4Nov/11

Remove specific computers from AD groups

Thought I should start to learn some PowerShell.

Import-Module ActiveDirectory
# All computer objects below the OU (placeholder DN), with their group memberships
$cda5Computers = Get-ADComputer -Filter "*" -SearchBase "OU=Clients,DC=domain,DC=com" -Property memberOf
$cda5Computers | ForEach-Object {
    $Computer = $_
    # Collect every group DN the computer is a member of that starts with CN=ProdPak
    $ProdPakGroups = @()
    $Computer.memberOf | ForEach-Object {
        If ($_ -like "CN=ProdPak*") {
            $ProdPakGroups += $_
        }
    }
    If ($ProdPakGroups.Length -gt 0) {
        Write-Host $Computer.Name
        Write-Host $ProdPakGroups
        # Remove the computer from all matching groups in one call, without prompting
        Remove-ADPrincipalGroupMembership -Identity $Computer -MemberOf $ProdPakGroups -Confirm:$False
    }
}