widsnet.com
2 Oct 2013

Unable to disable settings on the security tab in an IE10 GPP

I finally got MS to make a hotfix for this. Only took about 10 months 🙂
The problem was that the F5-F8 keys didn't disable/enable the settings on the Security tab when creating an Internet Explorer 10 GPP in a GPO.

With this hotfix installed, it works.
http://support.microsoft.com/kb/2849027/en-us

25 Mar 2013

Get members of an AD group

Get all members of an AD group, including members of nested groups with -Recursive.

function Get-GroupMembers {
    Param(
        [parameter(Mandatory = $true)][string]$group,
        [switch]$Recursive
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    # FindByIdentity accepts any identity format (sAMAccountName, DN, SID, UPN...)
    $groupObject = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$group)
    # GetMembers($true) expands nested groups, GetMembers($false) returns direct members only
    Return $groupObject.GetMembers($Recursive)
}

11 Jul 2012

List memberOf for an account

This function returns all groups that an account (user or computer) is a member of in Active Directory. The -Recursive switch lists... all groups recursively, surprise.

function Get-ADGroups {
    Param(
        [parameter(Mandatory = $true)][string]$Account,
        [switch]$Recursive
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $AccountObject = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$Account)
    If ($Recursive) {
        # All groups the account belongs to, including nested ones
        Return $AccountObject.GetAuthorizationGroups()
    }
    else {
        # Direct memberships only
        Return $AccountObject.GetGroups()
    }
}

11 Jul 2012

Get-ManagedBy and Get-ManagedObjects

Who owns a computer?
Which computers does someone own?
These questions need to be answered sometimes, and the following PowerShell functions get that information from AD.

function Get-ManagedBy {
    Param(
        [parameter(Mandatory = $true)][string]$Computer
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ComputerObject = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$Computer)
    # managedBy holds the owner's distinguished name; resolve that DN to a Principal
    Return [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,($ComputerObject.GetUnderlyingObject().managedBy))
}

function Get-ManagedObjects {
    Param(
        [parameter(Mandatory = $true)][string]$User
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $UserObject = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$User)
    # managedObjects is the back-link of managedBy: the DNs of every object this user manages
    Return $UserObject.GetUnderlyingObject().managedObjects
}

11 Jul 2012

Test-ADConnection

A simple way to test the connection to AD before running commands.

function Test-ADConnection {
    Try {
        $Connected = $true
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct) | Out-Null
    }
    Catch {
        $Connected = $false
    }
    Return $Connected
}

11 Jul 2012

Get AD Account Properties without using ActiveDirectory cmdlets

Sometimes it's not possible, or not preferred, to use the Active Directory cmdlets supplied by MS. Luckily the same tasks can be performed without them.

function Get-ADAccountProperties {
    Param(
        [parameter(Mandatory = $true,position=0,valueFromPipeline=$true)]$Account,
        [switch]$UnderlyingObjects
    )
    BEGIN {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    }
    PROCESS {
        # Fall back to the pipeline input if Account was not bound as a parameter
        If (-not $PSBOUNDPARAMETERS.ContainsKey('Account')) {
            $Account = $Input
        }
        $AccountObject = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ct,$Account)
        If ($UnderlyingObjects) {
            # The raw DirectoryEntry properties, i.e. every LDAP attribute, not just what the Principal wrapper exposes
            Return $AccountObject.GetUnderlyingObject().Properties
        }
        else {
            Return $AccountObject
        }
    }
}

Get-ADAccountProperties $env:USERNAME

12 Mar 2012

ManagedBy in Administrators by GPO/GPP

This is a neat solution that doesn't use any script: it adds the managedBy user of the computer object to the local Administrators group.
Or to Remote Desktop Users, or any other group you like, of course...

It's easy to limit the usage with the help of Security Filtering or OU structure.

GPO: Preferences -> Control Panel Settings -> Local Users and Groups
New -> Local Group

Local Group tab
Group name: Administrators (Built-In)
Members: %managedByUser%

Common tab
[x] Item-level targeting
-> [Targeting...]
New Item -> LDAP Query
Filter: (&(objectCategory=computer)(objectClass=computer)(cn=%ComputerName%))
Binding: LDAP:
Attribute: managedBy
Environment variable name: managedBy

New Item -> LDAP Query
Filter: (&(objectCategory=user)(objectClass=user)(distinguishedName=%managedBy%))
Binding: LDAP:
Attribute: sAMAccountName
Environment variable name: managedByUser

Edit: Happy to see in the comments that some people have found this post and have use for it 🙂
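As an added example (not part of the original post), the following PowerShell function runs the same two LDAP queries as the targeting items above, so you can see which account would end up in Administrators on each computer before the GPO is linked; it also answers the Get-ManagedBy question from the earlier post. The function, parameter and status names are made up here, the OU path is a placeholder, and it uses System.DirectoryServices plus Get-ADComputer from the ActiveDirectory module for the final listing.

```powershell
# Added example: dry run of the GPP targeting chain computer -> managedBy DN -> user sAMAccountName.
# Function, parameter and status names are made up for this example.
function Resolve-GppManagedByUser {
    Param(
        [parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$ComputerName
    )
    BEGIN {
        # "LDAP:" binding as in the GPP item: the searcher defaults to the root of the logon domain
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        # RFC 4515 escaping for values placed inside a filter (DNs may contain \ and parentheses)
        function Escape-LdapValue([string]$v) {
            $v -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        }
    }
    PROCESS {
        $result = [pscustomobject]@{ Computer = $ComputerName; ManagedBy = $null; ManagedByUser = $null; Status = '' }

        # Query 1, same filter as the first LDAP Query item above
        $searcher.Filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$(Escape-LdapValue $ComputerName)))"
        $searcher.PropertiesToLoad.Clear(); [void]$searcher.PropertiesToLoad.Add('managedBy')
        $computer = $searcher.FindOne()
        if (-not $computer) { $result.Status = 'ComputerNotFound'; return $result }

        $result.ManagedBy = $computer.Properties['managedby'] | Select-Object -First 1
        if (-not $result.ManagedBy) { $result.Status = 'NoManagedBy'; return $result }

        # Query 2, same filter as the second item. Because it requires objectClass=user, a group or
        # contact in managedBy resolves to nothing and %managedByUser% stays empty on that computer.
        $searcher.Filter = "(&(objectCategory=user)(objectClass=user)(distinguishedName=$(Escape-LdapValue $result.ManagedBy)))"
        $searcher.PropertiesToLoad.Clear(); [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $user = $searcher.FindOne()
        if (-not $user) { $result.Status = 'ManagedByIsNotAUser'; return $result }

        $result.ManagedByUser = $user.Properties['samaccountname'] | Select-Object -First 1
        $result.Status = 'OK'
        $result
    }
}

# Preview an OU before linking the GPO (placeholder search base). Rows that are not 'OK' get no extra
# administrator; every 'OK' row is a local admin decided by whoever may write managedBy on that object.
Get-ADComputer -Filter "*" -SearchBase "OU=Clients,DC=domain,DC=com" |
    Select-Object -ExpandProperty Name |
    Resolve-GppManagedByUser |
    Format-Table -AutoSize
```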

29 Nov 2011

Migrate direct collection membership to AD group

Another PowerShell script. This one takes computers with direct membership in a collection and adds them to an AD group. Run it a second time and it removes the direct membership in the collection if the computer is a member of the AD group and ConfigMgr knows that through AD discovery.

Import-Module ActiveDirectory
$SMSServer = "server1"
$SMSNamespace = "root\sms\site_SMS"
# SystemGroupName in ConfigMgr is stored as DOMAIN\GroupName, so we need the NetBIOS domain name
# (assumes the AD groups live in the current domain)
$Domain = (Get-ADDomain).NetBIOSName
# (CollectionID, AD group) pairs
$SLA0 = ("C01000C8", "EntSCCM_SLA0") #AnyTime
$SLA2 = ("C0100060", "EntSCCM_SLA2") #Sunday
$SLA3 = ("C0100061", "EntSCCM_SLA3") #NoWindow
$colGroupArr = @($SLA0, $SLA2, $SLA3)

# If computer is a direct member of the collection we add it to the AD group.
# If the computer is a member of the AD group, and SCCM knows that, the direct membership is removed.
$colGroupArr | ForEach-Object {
    $Col, $Group = $_
    Write-Host "Migrating computers from collectionID $Col to AD group $Group"
    $ADGroup = Get-ADGroup $Group
    # Get a SMS_Collection object to be able to use DeleteMembershipRule
    $delCol = Get-WmiObject -Query "select * from SMS_Collection where CollectionID = '$Col'" -ComputerName $SMSServer -Namespace $SMSNamespace
    # CollectionRules is a lazy property; Get() loads it
    $delCol.Get()
    # In a WQL string literal the backslash must be escaped as \\ (two literal backslashes here)
    $ADGroupSAM = $Domain + '\\' + $ADGroup.SamAccountName
    # Get all members of the collection
    Get-WmiObject -Query "select * from SMS_CM_RES_Coll_$Col" -ComputerName $SMSServer -Namespace $SMSNamespace |
    Sort-Object -Property Name |
    Where-Object { $_.IsDirect -eq $True } |
    ForEach-Object {
        # Reset from the previous iteration (Clear-Variable fails on the first pass, when the variable doesn't exist yet)
        $ADComputer = $null
        $ComputerName = $_.Name
        # Get the computer object from AD with Try-Catch so we do not get any errors printed out
        try { $ADComputer = Get-ADComputer $ComputerName -Property memberOf }
        catch { Write-Host "$ComputerName was not found in AD" }
        If ($ADComputer.memberOf -contains $ADGroup.DistinguishedName) {
            # The computer is a member of the AD group. Check if ConfigMgr has discovered that
            $inGroup = Get-WmiObject -Query "select * from sms_r_system where name='$ComputerName' and systemgroupname='$ADGroupSAM'" -ComputerName $SMSServer -Namespace $SMSNamespace
            If ($inGroup -ne $null) {
                # The computer is in group and ConfigMgr knows it so remove the direct membership
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) so removing it from collection $($delCol.Name)"
                $delCol.CollectionRules |
                Where-Object { $_.RuleName -eq $ADComputer.Name -And $_.__CLASS -eq "SMS_CollectionRuleDirect" } |
                ForEach-Object { $ReturnValue = $delCol.DeleteMembershipRule($_) }
            } Else {
                # The computer is in the group but ConfigMgr doesn't know that
                Write-Host "$ComputerName is a member of $($ADGroup.SamAccountName) but ConfigMgr hasn't discovered it yet"
            }
        } ElseIf ($ADComputer -ne $null) {
            # The computer is not a member of the AD group so add it
            Write-Host "$ComputerName is a direct member in collection but not in group so adding it to $($ADGroup.SamAccountName)"
            Add-ADGroupMember -Identity $ADGroup -Members $ADComputer
        }
    }
}

4 Nov 2011

Remove specific computers from AD groups

Thought I should start to learn some PowerShell.

Import-Module ActiveDirectory
# All computer objects in the OU, with their group memberships (memberOf is not returned by default)
$cda5Computers = Get-ADComputer -Filter "*" -SearchBase "OU=Clients,DC=domain,DC=com" -Property memberOf
$cda5Computers | ForEach-Object {
    # Keep only the groups whose DN starts with CN=ProdPak
    $ProdPakGroups = @($_.memberOf | Where-Object { $_ -like "CN=ProdPak*" })
    If ($ProdPakGroups.Length -gt 0) {
        Write-Host $_.Name
        Write-Host $ProdPakGroups
        # -Confirm:$False suppresses the confirmation prompt Remove-ADPrincipalGroupMembership shows by default
        Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $ProdPakGroups -Confirm:$False
    }
}