如何将各种组添加到OU中的计算机？

Question

I need to add various applications groups to the computers in an OU, that will be pushed out later. In AD, I go to OU, right click on the respective computer and click properties and then go to "member of" tab, and then add the various groups.

How can I automate these steps using PowerShell, so that it will apply these groups to all the computers in that OU?

Answer 1

import-module ActiveDirectory

$allComputers = @()
$ADgroup = "Computer Policy Application Group"

$theOU = [ADSI]"LDAP://OU=AnOU,DC=some,DC=test,DC=com"
foreach ($item in $theOU.psbase.Children) { 
    if ($item.ObjectCategory -like '*computer*') {
        $allComputers += $item.Name
    }
}

foreach ($pc in $allComputers) {
    Add-ADGroupMember $ADgroup $pc
}

Then of course, you can add more groups, or setup an array of groups and iterate through it adding as you go... This will throw a lot of errors if the computer is already part of the group, by the way.

Answer 2

If you are using server2008 or newer (or have the required components installed) this is the simplest solution I have found.

$groupList=@("group1","group2","group3")
foreach ($Comp in (Get-AdComputer -server $ADServer -searchBase "OU=computers,DC=company,DC=com" -searchscope oneLevel")) {
    foreach ($Group in $groupList) { Add-ADGroupMember -Identity $Group -Members $Comp -Server $ADServer }
}

Be sure to populate the $groupList variable with an array of the samaccountnames of the groups you wish to add, and to replace "OU=computers,DC=company,DC=com" with the LDAP Path to the OU containing the computers you wish to add permissions to.

Answer 3

Using the ActiveDirectory module, you can either user Add-ADPrincipalGroupMember or Add-ADGroupMember.

The former 'Adds a member to one or more Active Directory groups' whilst the latter 'Adds one or more members to an Active Directory group'.