I need to target a deployment at devices that are members of a specific on-premises Security Group (non-hybrid-joined).
It should be possible to write a function similar to Get-ImmyADComputer to ask a DC in the org for the group memberships of a particular computer, then call this in an inventory script that only executes for AD-joined machines, and finally write a filter script to target a particular group name.
Anyone already built a solution for this, or is there a built-in way to achieve the same objective that I’m missing?
I got this working using the method I outlined. Glad to share with anyone trying to solve the same problem.
I would love to try out your method. My use case is installing and configuring VPN clients in which the users are already members of the local security group for permissions to VPN.
@Eric_Schueler Here’s my inventory script:
# Only query AD for machines that are actually domain-joined; workgroup machines return $null
$PartOfDomain = Invoke-ImmyCommand { (Get-CimInstance Win32_ComputerSystem).PartOfDomain }
if ($PartOfDomain) {
    $groups = Get-ImmyADComputerGroups -ComputerName $ComputerName
    # Store one group name per line so a filter script can match on it later
    ($groups.Name) -join "`r`n" | Out-String
} else {
    return $null
}
And here’s that Get-ImmyADComputerGroups function:
param(
    [string]$ComputerName,
    [string]$DomainName,
    [string]$PreferredDomainControllerName
)
# Resolve a DC for the target domain using the function's own $DomainName parameter
$DomainController = Get-ImmyDomainController -DomainName $DomainName -PreferredDomainControllerName $PreferredDomainControllerName
$ExistingComputer = Get-ImmyADComputer @PSBoundParameters
if ($ExistingComputer) {
    Write-Host "Computer Found! Looking up Group Memberships for $($ExistingComputer.Name) Using Domain Controller $($DomainController.Name)"
    # Run the AD query on the DC itself so the ActiveDirectory module is guaranteed to be present
    $ExistingComputerGroups = Invoke-ImmyCommand -Computer $DomainController {
        Import-Module ActiveDirectory -Verbose:$false
        if ($using:ComputerName) {
            try {
                # Returns direct group memberships only (nested groups are not expanded)
                Get-ADPrincipalGroupMembership (Get-ADComputer $using:ComputerName).DistinguishedName
            }
            catch {
                # Surface the failure instead of silently returning nothing
                Write-Warning "Group lookup failed for $($using:ComputerName): $_"
            }
        }
    }
}
# $null when the computer was not found in AD
$ExistingComputerGroups
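As an added example (not code from the thread or from ImmyBot), the lookup below expands nested group membership server-side and adds the primary group, which the direct Get-ADPrincipalGroupMembership call above does not, plus the filter-side check against the newline-joined inventory output described in the opening post. The function names ConvertTo-LdapFilterValue, Get-ADComputerGroupsRecursive and Test-InventoryGroup are my own; it assumes the ActiveDirectory module is available where it runs (e.g. on the DC via Invoke-ImmyCommand).

```powershell
function ConvertTo-LdapFilterValue {
    # Escape a value for an LDAP filter (RFC 4515) so a DN containing '(', ')', '*' or '\'
    # cannot break the query or widen its match.
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-ADComputerGroupsRecursive {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$Server   # optional DC to query; otherwise the module picks one
    )
    $adParams = @{ ErrorAction = 'Stop' }
    if ($Server) { $adParams.Server = $Server }

    $computer = Get-ADComputer -Identity $ComputerName -Properties PrimaryGroup @adParams

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the DC walk nested
    # memberships, so one query returns both direct and indirect groups.
    $dn = ConvertTo-LdapFilterValue -Value $computer.DistinguishedName
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" @adParams

    # The primary group (normally Domain Computers) lives in primaryGroupID, not in any
    # group's member attribute, so it has to be added separately.
    $primary = Get-ADGroup -Identity $computer.PrimaryGroup @adParams

    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($g in $groups) { $names.Add($g.Name) }   # zero iterations when $groups is $null
    $names.Add($primary.Name)
    $names | Sort-Object -Unique
}

function Test-InventoryGroup {
    # Filter-side check: does the stored inventory text (one group name per line) contain the target group?
    param(
        [AllowEmptyString()][string]$InventoryText,
        [Parameter(Mandatory)][string]$GroupName
    )
    $lines = $InventoryText -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    return [bool]($lines -contains $GroupName)   # -contains compares case-insensitively
}

# Constructed sample inventory output, as the inventory script above would store it
$sampleInventory = "Domain Computers`r`nVPN Users`r`nWorkstations"
Test-InventoryGroup -InventoryText $sampleInventory -GroupName 'vpn users'   # True
Test-InventoryGroup -InventoryText $sampleInventory -GroupName 'Servers'     # False
```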