Adding computers as members to AD security groups via GPO

Anonymous
2023-12-01T12:39:13+00:00

Introduction.

This task has always been done manually. Upon creation of a server object (when joining Active Directory), the engineer would go to ADUC, add the computer to specific security groups and move it to a specific OU. Recently, with the migration of our VDI management infrastructure to the new Horizon Cloud platform called Next-Gen, an issue has arisen. All newly created VDIs stopped inheriting the previous VDI names and were being created with new unique names. Thus, they were no longer inheriting security group memberships and had to be added manually. Since these VDIs were created daily, we started getting a lot of user requests when they could not see their floating user profiles. The Azure storage account would not allow a VDI to access a stored user profile file when the VDI doesn't belong to two specific security groups.

Although it solves this specific problem, this solution can be applied wherever automated placement of domain computers into security groups is desired.

Solution.

To my surprise, I have not found any solutions to this problem online. The majority of articles cover the specifics of adding users to local security groups, but none cover adding computers to domain security groups.

The solution involves several steps.

PowerShell script

Import-Module ActiveDirectory
# Resolve this machine's own computer object (the startup script runs as SYSTEM,
# so it authenticates as the computer account) instead of hard-coding its DN.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity "Desktops" -Members $computer
Add-ADGroupMember -Identity "FSLogix Desktops" -Members $computer

The script is called by a simple GPO that is linked to OU="Desktops".

Needless to say, only computer objects placed in that OU will be affected. And, since it is a startup script, it is important to place it higher in the priority order than the other GPOs that would rely on it:

Also, the best location for the PowerShell file would be under the corresponding Policy folder:

Last but not least, the Active Directory tools must be installed on the computers prior to applying this GPO. Microsoft describes several options for different Windows 10 versions here: https://www.microsoft.com/en-au/download/details.aspx?id=45520
When installing this feature on the server, only the PowerShell module for AD could be installed. That could also be automated via GPO: https://www.varonis.com/blog/powershell-active-directory-module



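The startup script in the post works, but it is not idempotent and gives no diagnostics when it fails. Below is an added example of a hardened version (editor's code, not the original poster's): it resolves the machine's own computer object instead of a hard-coded DN, skips groups it already belongs to, and writes a log line and a non-zero exit code when a group is missing or the computer account is denied. The group names and the log path are assumptions taken from the post; adjust them to your domain.

```powershell
# Added example (not the original poster's script): an idempotent version of the
# computer startup script. Group names and the log path are assumptions.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string[]]$GroupNames = @('Desktops', 'FSLogix Desktops'),
    [string]$LogPath = "$env:ProgramData\Add-ComputerToGroups.log"
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log {
    param([string]$Message)
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Verbose $line
}

# A startup script runs as LocalSystem and therefore talks to AD as this
# machine's computer account. Resolving the object by name (rather than by a
# hard-coded DN) keeps the script working if the object is moved to another OU.
try {
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties memberOf -ErrorAction Stop
} catch {
    Write-Log "Cannot resolve computer object '$env:COMPUTERNAME': $($_.Exception.Message)"
    exit 1
}

$failures = 0
foreach ($name in $GroupNames) {
    try {
        $group = Get-ADGroup -Identity $name -ErrorAction Stop
    } catch {
        Write-Log "Group '$name' not found: $($_.Exception.Message)"
        $failures++
        continue
    }

    # memberOf lists the DNs of the groups this object is a direct member of,
    # so the membership check costs no extra directory query.
    if ($computer.memberOf -contains $group.DistinguishedName) {
        Write-Log "Already a member of '$name'; nothing to do."
        continue
    }

    try {
        Add-ADGroupMember -Identity $group -Members $computer -ErrorAction Stop
        Write-Log "Added '$($computer.Name)' to '$name'."
    } catch {
        # Access denied here means the computer account has not been granted
        # write access to the group's member attribute; that delegation is a
        # prerequisite the post does not cover.
        $hint = if ($_.Exception -is [System.UnauthorizedAccessException]) {
            ' (computer account lacks write access to the member attribute)'
        } else { '' }
        Write-Log "Failed to add to '$name': $($_.Exception.Message)$hint"
        $failures++
    }
}

# Non-zero exit so a failed run is visible in the GPO startup script result.
exit $failures
```

Deploy it as a Computer Configuration startup script exactly as the post describes. Because a startup script runs as LocalSystem, every Add-ADGroupMember call is made with this machine's computer account, so the script only succeeds once that account has been granted write access to the member attribute of the two groups; in a default domain it has not.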

1 answer
  1. Anonymous
    2023-12-05T03:16:30+00:00

    Hi Slava Olchevski,

    Thank you for sharing your solution for adding computers to domain security groups via GPO. It's great to see that you were able to find a solution to your specific problem and share it with others. It's important to note that installing ActiveDirectory tools on the computers prior to applying the GPO is necessary for this solution to work. Additionally, it's important to ensure that the GPO containing the PowerShell script is placed in the priority order higher than other GPOs that rely on it. Thank you for sharing this helpful information.

    Best regards,

    Qiuyang

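Neither the post nor the reply says how the computer accounts were given the right to change these groups' membership, and without that the startup script fails with "Access is denied": by default a computer account cannot write a group's member attribute. The delegation below is an added example (editor's code, not the original poster's or the replier's), run once by an administrator. It grants exactly one right, WriteProperty on the member attribute of each target group, to one trustee group, and then lists every ACE on the group that can already modify membership, so broader grants (GenericAll, WriteDacl, WriteOwner, or a WriteProperty not scoped to a single attribute) are visible. The group names are assumptions, and so is the choice of Domain Computers as trustee, which is the only group a freshly joined computer account belongs to by default.

```powershell
# Added example (not from the original post or reply): delegate the single right
# the startup script needs and audit who else can already change membership.
# Run once by an administrator. Group names and the trustee are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory -ErrorAction Stop

# Fixed schemaIDGUID of the "member" attribute; scoping the ACE to it means the
# trustee can change membership and nothing else on the group object.
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMembershipWrite {
    param(
        [Parameter(Mandatory)][string]$TargetGroup,  # group whose members may be changed
        [Parameter(Mandatory)][string]$Trustee       # security group receiving the right
    )
    $target  = Get-ADGroup -Identity $TargetGroup -ErrorAction Stop
    $trustee = Get-ADGroup -Identity $Trustee -ErrorAction Stop
    $path    = "AD:\$($target.DistinguishedName)"

    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $trustee.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GroupMembershipWriters {
    # Every Allow ACE that can change this group's membership: WriteProperty on
    # "member" (or on all properties), plus the rights that imply it.
    param([Parameter(Mandatory)][string]$TargetGroup)
    $target = Get-ADGroup -Identity $TargetGroup -ErrorAction Stop
    $wp     = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $broad  = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'

    (Get-Acl -Path "AD:\$($target.DistinguishedName)").Access | Where-Object {
        $writesMember = (($_.ActiveDirectoryRights -band $wp) -eq $wp) -and
                        ($_.ObjectType -eq $MemberAttributeGuid -or $_.ObjectType -eq [Guid]::Empty)
        $broadRight   = (($_.ActiveDirectoryRights -band $broad) -ne 0)
        $_.AccessControlType -eq 'Allow' -and ($writesMember -or $broadRight)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Domain Computers is the only group a newly joined computer account belongs to
# by default, which is why it is the trustee here; the note below says what
# that permits.
$Trustee = 'Domain Computers'
foreach ($g in 'Desktops', 'FSLogix Desktops') {
    Grant-GroupMembershipWrite -TargetGroup $g -Trustee $Trustee
    Get-GroupMembershipWriters -TargetGroup $g | Format-Table -AutoSize
}
```

The trade-off is worth stating plainly: the right granted is "write member", not "add self", so every machine in the trustee group can put any principal into Desktops and FSLogix Desktops, and a single compromised desktop can grant another account access to the profile share those groups gate. Keep the ACE scoped to these two groups, keep the groups out of anything more sensitive than the profile share, and watch the domain controllers' security log for membership changes to them (events 4728, 4732 and 4756, depending on group scope) where the subject is a computer account adding anything other than itself.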