Introduction.
This task has always been done manually. When a server object was created (on joining Active Directory), an engineer would open ADUC, add the computer to the required security groups and move it to the right OU. Recently, with the migration of our VDI management infrastructure to the new Horizon cloud platform called Next-Gen, a problem appeared: newly created VDIs stopped inheriting the previous VDI names and were created with new unique names instead. As a result they no longer inherited security group memberships and had to be added manually. Because these VDIs were created daily, we started receiving many user requests from people who could not see their floating user profiles: the Azure storage account does not allow a VDI to access a stored user profile file unless the VDI belongs to two specific security groups.
Although it was written for this specific problem, the solution applies anywhere automated placement of domain computers into security groups is desired.
Solution.
To my surprise, I did not find any solution to this problem online. Most articles cover the specifics of adding users to local security groups, but none covered adding computers to domain security groups.
The solution involves several steps.
PowerShell script
Import-Module ActiveDirectory
# Resolve the local computer object by name instead of hard-coding its DN, so the same
# object is used for both groups and the script keeps working if the OU changes
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Add-ADGroupMember -Identity "Desktops" -Members $computer
Add-ADGroupMember -Identity "FSLogix Desktops" -Members $computer
The script is run by a simple GPO that is linked to the "Desktops" OU.
Needless to say, only computer objects placed in that OU will be affected. Since it is a start-up script, it runs as SYSTEM and therefore authenticates to the domain as the computer account, so the computer accounts in that OU must be delegated write permission on the member attribute of both groups (and only those two groups). It is also important to place the GPO higher in the priority order than the other GPOs that rely on it:
Also, the best location for the PowerShell file is under the corresponding Policy folder in SYSVOL:
Last but not least, the Active Directory tools (RSAT) must be installed on the computers before this GPO is applied. Microsoft describes several options for different Windows 10 versions here:
https://www.microsoft.com/en-au/download/details.aspx?id=45520
On a server, it is enough to install just the Active Directory module for PowerShell from this feature, and that too can be automated via GPO:
https://www.varonis.com/blog/powershell-active-directory-module
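As an added example (not the script from this post), the following is a more defensive version of the start-up script: it fails visibly when the AD module is missing, resolves the computer object by name, adds only the memberships that are still missing so repeated reboots are no-ops, and records every outcome in the Application event log. The group names are the ones used above and the event source name is a constructed placeholder; it assumes, as the post requires, that the computer account has been delegated write access to the groups.

```powershell
# Added example, not the post's own script. Group names follow the post; the event
# source name is a constructed placeholder. Runs as SYSTEM at start-up, so the computer
# account needs delegated write-member rights on both groups.
$Groups    = @("Desktops", "FSLogix Desktops")
$LogSource = "VDI-GroupMembership"

# Log to the Application event log so a failed run is visible when profile issues are triaged
if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
    New-EventLog -LogName Application -Source $LogSource
}
function Write-Log([string]$Message, [string]$Type = "Information") {
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId 1000 -Message $Message
}

# Fail loudly rather than silently if RSAT / the AD module is not installed on this VDI
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Log "ActiveDirectory module not installed; group membership not applied." "Error"
    exit 1
}
Import-Module ActiveDirectory

try {
    # Resolve the computer object by name and fetch its current memberships in one call
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties MemberOf
} catch {
    Write-Log "Could not resolve computer object for $($env:COMPUTERNAME): $($_.Exception.Message)" "Error"
    exit 1
}

foreach ($groupName in $Groups) {
    try {
        $group = Get-ADGroup -Identity $groupName
        # Compare by DN so the script is idempotent on every reboot after the first
        if ($computer.MemberOf -contains $group.DistinguishedName) {
            Write-Log "$($computer.Name) is already a member of '$groupName'."
            continue
        }
        Add-ADGroupMember -Identity $group -Members $computer
        Write-Log "Added $($computer.Name) to '$groupName'."
    } catch {
        # Most common cause: the computer account lacks write-member rights on the group
        Write-Log "Failed to add $($computer.Name) to '$groupName': $($_.Exception.Message)" "Error"
    }
}
```

Filtering the Application log on the source name then gives a per-VDI record of whether the memberships were applied, which is usually the first thing to check when a user reports a missing profile.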