
Powershell : Add $COMPUTERS to $GROUP

Introduction

This script was created to add all computers listed in a given text file to a Windows AD security group.

Output

New objects are added to the defined AD security group. Check the variables in the script for the input file and target group.
A local log file of events and errors is written on the executing computer: C:\Logs\PowershellScripts\add_computers_to_group.ps1.log

Logging

Currently the logging is managed from within the script.
Log file location: C:\Logs\ADCudIncomingDisableAccounts\cudincomingDisable.ps1.log
$LOGTIME is a timestamp in the format "yyyy-MM-dd_hh-mm-ss".
Log call within the script:
"$LOGTIME <message>" | Out-File $LOG -Append -Force
The script body is then wrapped in a try{} catch{} block with logging output for all exception messages and items.
I've also tried to log throughout each action within the script so that both SUCCESS and ERROR events are logged, which provides a debugging method (at least I should know where it falls over!).

Usage Examples

Contained in the header of the script, see below.

Dependencies

PowerShell module: "Import-Module ActiveDirectory"

The Script

# Name        : Add Computers to Group
# Author      : Dave
# Date        :
# Ticket#     :
# Scope       : Text file containing computer names and an existing AD security group
# Input(s)    : text file with a list of computer names, one per line
# Output(s)   : 1. Log of script actions to $LOG
#               2. Computers added to the specified AD security group
####################################################
# This script is designed to
# 1.  Add all computers in the $COMPUTERS text file into the $GROUP specified
####################################################

# Notes:
########################
# Requires the ActiveDirectory module (RSAT) and an account permitted to modify $GROUP
Import-Module ActiveDirectory

# Set the variables
########################
$COMPUTERS = Get-Content -Path "ENTER AN ACCESSIBLE PATH TO A TEXT FILE OF COMPUTER NAMES, ONE PER LINE" # list of target computers
$GROUP = "ENTER A VALID AD SECURITY GROUP NAME TO TARGET"

$LOGFILEDIR = "C:\Logs\PowershellScripts" # the folder the script logs to
$LOGFILENAME = "add_computers_to_group.ps1.log" # the name of the log file
$LOG = Join-Path -Path $LOGFILEDIR -ChildPath $LOGFILENAME # full path of the log file
$LOGTIME = Get-Date -Format "MM-dd-yyyy_hh-mm-ss" # timestamp written at the start of every log line

# Prepare the logging
##########################
# Check for the $LOGFILEDIR & $LOGFILENAME and create them if they don't exist
# NOTE: No logging until this happens except to STDOUT (Screen)

# Test for the folder and create it if it doesn't exist
Try
{
    if (! (Test-Path -Path $LOGFILEDIR)) {
        New-Item -ItemType Directory -Path $LOGFILEDIR -ErrorAction Stop | Out-Null
    }
}
Catch
{
    $ErrorMessage = $_.Exception.Message
    $FailedItem = $_.Exception.ItemName
    Write-Error "Could not create log folder $LOGFILEDIR : $ErrorMessage $FailedItem"
    exit 1
}

# Test for the file and create it if it doesn't exist
Try
{
    if (! (Test-Path -Path $LOG)) {
        New-Item -ItemType File -Path $LOG -ErrorAction Stop | Out-Null
    }
}
Catch
{
    $ErrorMessage = $_.Exception.Message
    $FailedItem = $_.Exception.ItemName
    Write-Error "Could not create log file $LOG : $ErrorMessage $FailedItem"
    exit 1
}

"$LOGTIME BEGIN STARTING SCRIPT" | Out-File $LOG -Append -Force

# Add each computer to the group
# Each computer gets its own Try/Catch so that one failure (e.g. a name not found in AD)
# is logged as an ERROR and the loop carries on with the remaining computers
foreach ($COMPUTER in $COMPUTERS) {
    if ([string]::IsNullOrWhiteSpace($COMPUTER)) { continue } # skip blank lines in the input file
    $COMPUTER = $COMPUTER.Trim()
    Try
    {
        # query AD for the computer object and add it to the group
        $obj = Get-ADComputer -Identity $COMPUTER -ErrorAction Stop
        Add-ADGroupMember -Identity $GROUP -Members $obj -ErrorAction Stop
        "$LOGTIME $COMPUTER ADDED TO $GROUP" | Out-File $LOG -Append -Force
    }
    Catch
    {
        $ErrorMessage = $_.Exception.Message
        $FailedItem = $_.Exception.ItemName
        "$LOGTIME ERROR adding $COMPUTER to $GROUP : $ErrorMessage $FailedItem" | Out-File $LOG -Append -Force
    }
}

"$LOGTIME END EXITING SCRIPT" | Out-File $LOG -Append -Force
exit

Microsoft BitLocker TPM Initialization in Domain

First set the OU container's permissions so that the NT AUTHORITY\SELF principal of each computer can write back the msTPM-OwnerInformation attribute, which is required when first initializing the TPM on the client:

1. Open Active Directory Users and Computers.

2. Select the OU where you have all computers which will have Bitlocker turned ON.

3. Right Click on the OU and click Delegate Control.

4. Click Next and then click Add.

5. Type SELF as the Object Name.

6. Select create a custom task to delegate.

7. From the objects in the folder, select Computer Objects.

8. Under show these permissions, select all 3 checkboxes.

9. Scroll down in permissions and select the attribute Write msTPM-OwnerInformation.

10. Click Finish.

11. CUSTOM: Now add the computer to the AD group named "bitlocker".

12. CUSTOM: Finally power up the client, turn on the TPM and then initialize the TPM in Windows.

13. CUSTOM: Enable BitLocker (must be logged in as a local/domain admin) and check the AD computer object for the recovery keys.
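The same delegation as steps 1 to 10 done from PowerShell, as an added example that is not part of the original post. It grants SELF write access to msTPM-OwnerInformation on all computer objects under the OU and then reads the ACL back to confirm the ACE; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post: delegate "Write msTPM-OwnerInformation"
# to SELF on computer objects under an OU, then verify the resulting ACE.
Import-Module ActiveDirectory

$ouDN = "OU=BitLockerComputers,DC=mydomain,DC=local"   # placeholder, replace with your OU

# Resolve the schema GUIDs of the attribute and of the computer class from the schema partition
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuid  = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'msTPM-OwnerInformation'" -Properties schemaIDGUID).schemaIDGUID
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID).schemaIDGUID

# NT AUTHORITY\SELF is the well-known SID S-1-5-10
$self = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

# ACE: allow SELF WriteProperty on msTPM-OwnerInformation, inherited only by descendant computer objects
$aceArgs = @(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $classGuid
)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

# Apply the ACE to the OU through the AD: drive provided by the ActiveDirectory module
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list the ACEs on the OU that grant SELF rights on this attribute
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType -AutoSize
```

Run it as an account that can modify the OU's security descriptor; the verification table should show one WriteProperty entry with InheritanceType Descendents and the computer class GUID as InheritedObjectType.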

Next follow the MS article on configuring AD / BitLocker:

http://technet.microsoft.com/en-us/library/cc766015(v=ws.10).aspx


To manage the keys you'll need to register the BitLocker viewer from RSAT as detailed by MS here: http://support.microsoft.com/kb/928202

Must be run as a domain admin: regsvr32.exe BdeAducExt.dll


Allow Users to bind machines to domains

Use the Delegate Control wizard inside AD against the top-level domain node (not an OU). You can then select "Join Domain" as a security option for your chosen user(s)/group(s).

Be sure to check the group policy too: "Default Domain Policy" > Computer Configuration > Windows Settings > Security Settings > Local Policies > "Add Workstations to Domain".


Windows 2003+ domain - Prevent users adding computers to domain

1. Open Run and type ADSIEDIT.msc (you may need to register adsiedit.dll on the server first).

2. Right click ADSI Edit and choose Connect to.

3. In the connection point section, choose "Select a well known Naming Context" and, from the drop-down list, choose "Default naming context".

4. Click OK.

5. Expand Default naming context.

6. Right click the DC=mydomain,DC=local domain folder and choose Properties.

7. Select ms-DS-MachineAccountQuota and click Edit.

8. Type 0.

9. Click OK.

http://support.microsoft.com/kb/243327
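The same change as the ADSI Edit steps above done from PowerShell, as an added example that is not part of the original post. It reads the domain's current ms-DS-MachineAccountQuota (the default is 10), sets it to 0 and reads it back; after this, only principals with delegated Create Computer Objects permission on a container can join machines.

```powershell
# Added example, not from the original post: read and set ms-DS-MachineAccountQuota
# on the domain naming context (the same attribute edited via ADSI Edit above).
Import-Module ActiveDirectory

# Returns the domain's current ms-DS-MachineAccountQuota value
function Get-MachineAccountQuota {
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

# Sets the quota; 0 removes the default ability of authenticated users to join up to 10 computers
function Set-MachineAccountQuota {
    param([int]$Quota = 0)
    $domainDN = (Get-ADDomain).DistinguishedName
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = $Quota }
}

"Before: $(Get-MachineAccountQuota)"
Set-MachineAccountQuota -Quota 0
"After:  $(Get-MachineAccountQuota)"
```

Run it as a domain admin; the "After" line should read 0 once the change has replicated to the DC you are querying.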