Operating System Specific Group Automation

Hey everyone. Brad again with a quick post.

A couple weeks back I was talking with another engineer and lamenting the fact that computers weren’t automatically placed in Operating System specific groups and that there is not always a great way to grant all servers or all workstations permission to something.

For example, let’s say that you want to enable Auto-Enrollment of certificates, but you want different certificates depending on the Operating System or whether the computer is a Server or Client class system. You could do this by hand, but talk about administrative overhead.

For Group Policy, it’s not uncommon to use WMI filters to target a particular OS or only Servers/Clients. Unfortunately, WMI queries can slow startup and logon, and their use is usually discouraged. On top of that, WMI filters don’t work for anything other than Group Policy.

I thought this was a good idea to at least explore, so I’ve added this script to automate the creation of Operating System specific groups, the addition of computers to them, and the nesting of those groups under either a Server or a Client parent group. Many rewrites went into the published version as I attempted to minimize the calls to Active Directory as much as possible and speed up overall run time. In smaller environments, the script should complete in seconds.

Also, if you’ve grabbed any of my other scripts, you may note some minor updates to core functions. These changes will be ported into all of the others in the near future as well.


Usage of the script is simple:

1. Choose an OU to place the groups in (something like an Administrative Groups OU) and grab the DistinguishedName of that OU.

2. Choose a group name prefix or leave it blank. If blank, all groups will start with “OperatingSystem”.

3. Choose a delimiter for the group names. If blank, an underscore is used.

4. The additional arguments (logToFile, ForceLog, LogPath, and verboseOutput) are usually only needed when troubleshooting or initially testing the script. LogToFile, in particular, is not intended for constant usage, as it does not include a file size limiter.

5. Decide on your deployment model. This is intended for deployment using the Distributed Automation approach mentioned in this post, with one notable exception: my preference is to use the same approach but filter it so that only the PDC runs the script, using the WMI filter mentioned in my other post here. You can also run this by hand or from a tools system as a user with delegated privileges to modify the groups.

6. Update the ClientOSList and ServerOSList arrays in the script if you have additional Operating Systems in Active Directory. I’ve added a basic list with Windows XP to Windows 8.1 and Windows 2003 to 2012 R2.
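To show what the steps above amount to in code, here is an added example of the same approach; it is not the author’s published script. It assumes the RSAT ActiveDirectory module is installed, that the account has delegated rights to create and modify groups in the chosen OU, and it queries the directory once for computers and once for existing groups, doing everything else in memory.

```powershell
# Added example, not the author's script; assumes the RSAT ActiveDirectory module and delegated rights on $GroupOU.
param([Parameter(Mandatory)][string] $GroupOU, [string] $Prefix = 'OperatingSystem', [string] $Delimiter = '_')
Import-Module ActiveDirectory
# Version prefixes to recognise; editions such as "Windows 7 Enterprise" match by prefix. Extend as needed.
$ClientOSList = 'Windows XP', 'Windows 7', 'Windows 8.1', 'Windows 8'
$ServerOSList = 'Windows Server 2003', 'Windows Server 2008 R2', 'Windows Server 2008',
                'Windows Server 2012 R2', 'Windows Server 2012'
function Get-GroupName([string] $Label) {
    # Keep the name sAMAccountName-safe: drop illegal characters, turn spaces into the delimiter.
    $clean = ($Label -replace '[\\/:*?"<>|,+=;\[\]]', '') -replace '\s+', $Delimiter
    return "$Prefix$Delimiter$clean"
}

# One directory query for computers and one for existing groups; the rest happens in memory.
$computers = Get-ADComputer -Filter 'OperatingSystem -like "*"' -Properties OperatingSystem
$groups  = @{}   # group name -> ADGroup object
$members = @{}   # group name -> DNs already in that group
Get-ADGroup -Filter "Name -like '$Prefix$Delimiter*'" -SearchBase $GroupOU -Properties member |
    ForEach-Object { $groups[$_.Name] = $_; $members[$_.Name] = @($_.member) }

function Get-OrCreateGroup([string] $Name, [string] $Description) {
    if (-not $groups.ContainsKey($Name)) {
        $groups[$Name] = New-ADGroup -Name $Name -Path $GroupOU -GroupScope Global `
            -GroupCategory Security -Description $Description -PassThru
        $members[$Name] = @()
    }
    return $groups[$Name]
}

function Add-MemberOnce([string] $GroupName, $Object) {
    # Skip the write when the directory already lists this DN, so reruns stay cheap and idempotent.
    if ($members[$GroupName] -contains $Object.DistinguishedName) { return }
    Add-ADGroupMember -Identity $groups[$GroupName] -Members $Object
    $members[$GroupName] += $Object.DistinguishedName
}

$parent = @{ Client = Get-GroupName 'Clients'; Server = Get-GroupName 'Servers' }
$null = Get-OrCreateGroup $parent.Client 'All client-class computers'
$null = Get-OrCreateGroup $parent.Server 'All server-class computers'
foreach ($computer in $computers) {
    $os = $computer.OperatingSystem
    # Longest matching prefix wins, so "Windows Server 2008 R2" is not filed under 2008.
    $version = ($ServerOSList + $ClientOSList) | Where-Object { $os -like "$_*" } |
        Sort-Object Length -Descending | Select-Object -First 1
    if (-not $version) { Write-Warning "Unrecognised OS '$os' on $($computer.Name)"; continue }
    $class   = if ($ServerOSList -contains $version) { 'Server' } else { 'Client' }
    $osGroup = Get-OrCreateGroup (Get-GroupName $version) "Computers running $version"
    Add-MemberOnce $parent[$class] $osGroup    # nest the OS group under Servers/Clients
    Add-MemberOnce $osGroup.Name  $computer    # put the computer in its OS group
}
```

Whatever you later grant to these groups applies to every machine the script files into them, so keep the OU’s ACL tight and review the warnings for unrecognised OS strings before extending the lists.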


Finally, here’s the script:

Operating System based Group Automation


Additional reading:

Distributed Automation using Native Tools and Scripts

How Time broke AD (and Group Policy saved the day)
