Hey everyone. Brad again with a quick post.
A couple weeks back I was talking with another engineer and lamenting the fact that computers weren’t automatically placed in Operating System specific groups and that there is not always a great way to grant all servers or all workstations permission to something.
For example, let’s say that you want to enable Auto-Enrollment of certificates, but you want different certificates depending on the Operating System or whether the computer is a Server or Client class system. You could do this by hand, but talk about administrative overhead.
For Group Policy, it's not uncommon to use WMI filters to target a particular OS or only servers/clients. Unfortunately, WMI filters are evaluated every time policy is processed, so they can slow startup and logon, and their use is generally discouraged. On top of that, WMI filters only apply to Group Policy; they don't help with anything else, such as permissions on a certificate template or an ACL on a resource.
I thought this was a good idea to at least explore, so I've added this script to automate the creation of Operating System specific groups, the addition of computers to them, and the nesting of each OS group under either a Server or a Client parent group. Many rewrites went into the published version as I attempted to minimize the calls to Active Directory and speed up the overall run time. In smaller environments, the script should complete in seconds.
Also, if you’ve grabbed any of my other scripts, you may note some minor updates to core functions. These changes will be ported into all of the others in the near future as well.
Usage of the script is simple:
1. Choose an OU to place the groups in (something like an Administrative Groups OU) and grab the DistinguishedName of that OU.
2. Choose a group name prefix or leave it blank. If blank, all groups will start with "OperatingSystem".
3. Choose a delimiter for the group names. If blank, it will be an underscore.
4. The additional arguments (logToFile, ForceLog, LogPath, and verboseOutput) are usually only needed when troubleshooting or initially testing the script. LogToFile, in particular, is not intended for constant usage, as it does not include a file size limiter and the log will grow without bound.
5. Decide on your deployment model. This is intended for deployment using the Distributed Automation approach mentioned in this post…with one notable exception. My preference is to use the same approach to filter this to only be done by the PDC using the WMI filter mentioned in my other post here. You can also run this by hand or from a tools system as a user with delegated privileges to modify the groups.
6. Update the ClientOSList and ServerOSList arrays in the script if you have additional Operating Systems in Active Directory. I've added a basic list covering Windows XP through Windows 8.1 and Windows Server 2003 through 2012 R2. A computer whose operatingSystem value matches neither list will not be placed in any group.
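To show the steps above as working code, here is an added example of the same technique. It is not Brad's published script; the parameter names, the group-naming scheme (prefix, OS or class, and delimiter, with spaces in OS names replaced by the delimiter), the PdcOnly switch, and the two OS lists are this example's own assumptions. It reads every computer's operatingSystem attribute in a single query, creates a security group per OS under the chosen OU, nests each OS group in a Server or Client parent group, and then adds or removes members so the groups match the directory exactly.

```powershell
<#
 Added example, not the post's own script: one security group per Windows OS
 under $GroupOU, each nested in a Server or Client parent group, with the
 computer membership kept in sync. Parameter names, naming scheme and OS lists
 are assumptions for illustration. Requires the ActiveDirectory module (RSAT)
 and rights to create and modify groups in $GroupOU.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][string]$GroupOU,      # DistinguishedName of the OU that holds the groups
    [string]$Prefix    = 'OperatingSystem',      # blank is allowed
    [string]$Delimiter = '_',
    [switch]$PdcOnly,                            # do nothing unless this host holds the PDC emulator role
    [string[]]$ClientOSList = @('Windows XP', 'Windows Vista', 'Windows 7', 'Windows 8', 'Windows 8.1'),
    [string[]]$ServerOSList = @('Windows Server 2003', 'Windows Server 2008', 'Windows Server 2008 R2',
                                'Windows Server 2012', 'Windows Server 2012 R2')
)

Import-Module ActiveDirectory -ErrorAction Stop

# Optional alternative to a WMI filter: only the PDC emulator runs the sync.
if ($PdcOnly) {
    $pdc = (Get-ADDomain).PDCEmulator
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($pdc -ne $me) { Write-Verbose "Not the PDC emulator ($pdc); nothing to do."; return }
}

# Prefix and OS/class joined by the delimiter, spaces replaced as well,
# e.g. OperatingSystem_Windows_Server_2012_R2. Empty parts (a blank prefix) are dropped.
function Get-GroupName ([string[]]$Parts) {
    @($Parts | Where-Object { $_ } | ForEach-Object { $_ -replace '\s+', $Delimiter }) -join $Delimiter
}

# Longest names first so 'Windows Server 2008 R2' is tried before 'Windows Server 2008'
# and 'Windows 8.1' before 'Windows 8'.
$osTable = @(
    foreach ($os in $ServerOSList) { [pscustomobject]@{ Name = $os; Class = 'Server' } }
    foreach ($os in $ClientOSList) { [pscustomobject]@{ Name = $os; Class = 'Client' } }
) | Sort-Object { $_.Name.Length } -Descending

# One query for every computer that has an operatingSystem value (not returned by default).
$computers = Get-ADComputer -Filter 'operatingSystem -like "*"' -Properties operatingSystem

$osMembers = @{}   # OS group name    -> computer DNs that belong in it
$parents   = @{}   # class group name -> OS group names nested under it
foreach ($c in $computers) {
    $hit = $osTable | Where-Object { $c.operatingSystem -like "$($_.Name)*" } | Select-Object -First 1
    if (-not $hit) { Write-Verbose "No list entry for '$($c.operatingSystem)' ($($c.Name)); skipped."; continue }
    $osGroup = Get-GroupName $Prefix, $hit.Name
    $parent  = Get-GroupName $Prefix, $hit.Class
    if (-not $osMembers.ContainsKey($osGroup)) { $osMembers[$osGroup] = New-Object System.Collections.ArrayList }
    [void]$osMembers[$osGroup].Add($c.DistinguishedName)
    if (-not $parents.ContainsKey($parent)) { $parents[$parent] = New-Object System.Collections.ArrayList }
    if ($parents[$parent] -notcontains $osGroup) { [void]$parents[$parent].Add($osGroup) }
}

# Creates the group if missing, then adds/removes members until it matches $Wanted.
# Reading the member attribute is one LDAP read per group; Get-ADGroupMember would
# resolve every member object individually. Returns the group's DN.
function Sync-Group ([string]$Name, [string[]]$Wanted) {
    $group = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU -Properties member
    if (-not $group) {
        $group = New-ADGroup -Name $Name -SamAccountName $Name -GroupScope Global -GroupCategory Security `
                             -Path $GroupOU -Description 'Maintained by script; do not edit members by hand.' -PassThru
    }
    $current  = @($group.member | Where-Object { $_ })
    $toAdd    = @($Wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $Wanted  -notcontains $_ })   # e.g. a rebuilt host whose OS changed
    if ($toAdd.Count)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    $group.DistinguishedName
}

# OS groups first so their DNs exist, then nest them in the Server/Client parents.
$osGroupDn = @{}
foreach ($name in $osMembers.Keys) { $osGroupDn[$name] = Sync-Group $name $osMembers[$name] }
foreach ($name in $parents.Keys) {
    $null = Sync-Group $name @($parents[$name] | ForEach-Object { $osGroupDn[$_] })
}
```

Run it as, for example, `.\Sync-OSGroups.ps1 -GroupOU 'OU=Admin Groups,DC=corp,DC=example' -Verbose` (the file name is just a placeholder). Two things to check before scheduling it: the account that runs it needs only the rights to create and modify groups in that one OU, not domain-wide group management; and if any OS group grows past the directory's MaxValRange (1500 values by default), confirm that the member read still returns the full list, otherwise the slower Get-ADGroupMember is the safer read, since a truncated list here would cause the sync to remove members it never saw.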
Finally, here’s the script: