计算机的动态AD组成员身份

Question

I am trying to write a script i can run to dynamically manage computers in a security group in AD. I've successfully done the first bit but would like it make some additions. So far I have: $computers = Get-ADComputer -Filter * -Searchbase "OU=Clients,OU=Devices,DC=domain,DC=local" | select-object -expandproperty DistinguishedName | out-file C:\\computers.txt Get-Content c:\\computers.txt | Add-ADPrincipalGroupMembership -MemberOf 'Group_C' $computers = Get-ADComputer -Filter * -Searchbase "OU=Clients,OU=Devices,DC=domain,DC=local" | select-object -expandproperty DistinguishedName | out-file C:\\computers.txt Get-Content c:\\computers.txt | Add-ADPrincipalGroupMembership -MemberOf 'Group_C'

I would like to exclude machines that already bellong to Group_A and Group_B and remove machines from Group C if they no longer appear in computers.txt

Answer 1

The following will exclude computers from Group_A and Group_B:

$GroupA_DN = "<GroupA DistinguishedName>"
$GroupB_DN = "<GroupB DistinguishedName>"

Get-ADComputer -filter {memberof -ne $GroupA_DN -and memberof -ne $GroupB_DN}

The $GroupA_DN variable will need to have a string of the distinguished name of group A. For example, $GroupA_DN = "CN=Group_A,OU=SomeOU,OU=Clients,OU=Devices,DC=domain,DC=local" . The same will need to be repeated for group B in its respective variable.