Removing objects from an Active Directory Group

A little while back, I wanted freshly imaged machines to avoid sleeping. This was to ensure that they receive all their policies, updates and apps. We amended our task sequence so that machines would be added to a special post-build group. This group in turn fed a Config Manager collection which kept the base unit permanently awake.

All good, except that I could not find an easy way of dumping the group. The PowerShell script looked somewhat overbearing, and VB or .NET options were equally ridiculous.

I had a feeling that a simple answer must lie with the DS, Directory Services, tools that come with Active Directory.


Well, many months of distraction passed, and the issue came up again in a rather convoluted manner. It was the usual chuntering from a vocal minority about inactive PCs being chopped off the domain. In order to make things “easier”, we were asked if we could show PCs that were close to being chopped, and PCs relatively close to being chopped.

I inwardly sighed at yet another perceived intrusion into our metaphysical domain. However, I must admit that once I sat down and looked at it, I rather enjoyed it. In the end, I decided to do the following:

Create two AD groups to represent the “close” and “relatively close” PCs

Create two queries which would be fed by these groups

…and last but not least, update the weekly script to include the following:

dsget group "CN=SCCM-Inactive_1,OU=Groups,OU=Workstations,DC=uk" -members | DSMOD GROUP "CN=SCCM-Inactive_1,OU=Groups,OU=Workstations,DC=uk" -rmmbr -d mydomain

dsget group "CN=SCCM-Inactive_2,OU=Groups,OU=Workstations,DC=uk" -members | DSMOD GROUP "CN=SCCM-Inactive_2,OU=Groups,OU=Workstations,DC=uk" -rmmbr -d mydomain

DSQUERY computer "OU=Workstations,DC=uk" -inactive 18 -limit 0 | DSMOD GROUP "CN=SCCM-Inactive_1,OU=Groups,OU=Workstations,DC=uk" -addmbr -d mydomain

DSQUERY computer "OU=Resources,DC=uk" -inactive 18 -limit 0 | DSMOD GROUP "CN=SCCM-Inactive_1,OU=Groups,OU=Workstations,DC=uk" -addmbr -d mydomain

DSQUERY computer "OU=Workstations,DC=uk" -inactive 22 -limit 0 | DSMOD GROUP "CN=SCCM-Inactive_2,OU=Groups,OU=Workstations,DC=uk" -addmbr -d mydomain

DSQUERY computer "OU=Resources,DC=uk" -inactive 22 -limit 0 | DSMOD GROUP "CN=SCCM-Inactive_2,OU=Groups,OU=Workstations,DC=uk" -addmbr -d mydomain

The first line, DSGET, pipes the group membership into the DSMOD command to remove them. Really simple, and I am puzzled as to why I struggled to find anything similar on T’Internet. Anyway, if it’s a first… yay.

The subsequent lines check each location where people try to hide computers from me. The output is again piped into the DSMOD for action.

Simpler than VB 😉 FU PowerShell 😀
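
The same weekly refresh as one batch file, as an added example that is not the author's script: each group DN is written once, every membership change is appended to a log before it is applied, and DSMOD is skipped when there is nothing to pipe into it. The DNs, thresholds and domain are copied from the commands above; the LOG and LIST file locations and the label names are assumptions.

```batch
@echo off
setlocal
rem Added example, not the author's script. DNs, thresholds and the domain
rem are copied from the post; LOG and LIST are assumed file locations.
set "DOMAIN=mydomain"
set "LOG=%~dp0inactive-groups.log"
set "LIST=%TEMP%\inactive-members.txt"

call :refresh "CN=SCCM-Inactive_1,OU=Groups,OU=Workstations,DC=uk" 18
call :refresh "CN=SCCM-Inactive_2,OU=Groups,OU=Workstations,DC=uk" 22
del "%LIST%" 2>nul
exit /b 0

:refresh
rem %~1 = group DN, %~2 = value passed to dsquery -inactive (weeks)
echo [%DATE% %TIME%] refreshing %~1 (inactive %~2) >>"%LOG%"

rem Empty the group, recording which members are removed.
dsget group "%~1" -members >"%LIST%"
call :apply "%~1" -rmmbr

rem Refill from every OU the post searches.
for %%O in ("OU=Workstations,DC=uk" "OU=Resources,DC=uk") do (
    dsquery computer %%O -inactive %~2 -limit 0 >"%LIST%"
    call :apply "%~1" -addmbr
)
exit /b 0

:apply
rem %~1 = group DN, %2 = -addmbr or -rmmbr.
rem Skip dsmod when the list file is empty, so it is never run without input.
for %%F in ("%LIST%") do if %%~zF equ 0 exit /b 0
echo   %2 >>"%LOG%"
type "%LIST%" >>"%LOG%"
type "%LIST%" | dsmod group "%~1" %2 -d %DOMAIN%
if errorlevel 1 echo   dsmod %2 failed for %~1 >>"%LOG%"
exit /b 0
```

The log gives a dated record of which machines were flagged each week, which helps when someone disputes why a PC ended up in one of the groups.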
