I'm going to preface this post with a disclaimer that I'm not a great PowerShell guru.
I'm almost certain that there's a more efficient/elegant way to accomplish the same thing, but the code below works so I haven't needed a way to make the code more efficient. 🙂
One of our NME customers had an ask to automatically add/remove hosts to an Active Directory Security Group.
At first, we thought we couldn't accomplish this because Nerdio doesn't manage the Domain Controller(s). However, we were able to accomplish this with the script below where it runs on the host after it is joined to AD.
Steps to deploy
- Clone an existing scripted action (Or create a new one with the code below)
- Modify the $ADGroupDN with the distinguished name of the security group
- Schedule the script to run
NOTE: In the code below, we removed the customer's domain information. You will need to update the $DCFQDN of the domain controller fully qualified domain name.
# Edit Identity to match AD security group for host pool
$ADGroupDN = "CN=SecurityGroup,OU=WVD,OU=Azure,OU=Custom Security Groups,DC=domainname,DC=local"
# Key controlling Optional Components details.
$RegistryPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing"
# Ensure registry key is controlling Optional Components details is created.
# Note: This should be created by default, but in case it's not, do it!
If (!(Test-Path $RegistryPath)) {New-Item -Path $RegistryPath -Force}
# Enable Optional Component updates via Microsoft Windows Updates to install RSAT tools in WSUS environment.
New-ItemProperty -Path $RegistryPath -Name RepairContentServerSource -Value "2" -PropertyType DWORD -Force
Get-WindowsCapability -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -Online | Add-WindowsCapability -Online
Import-Module -Name ActiveDirectory
[pscredential] $domaincred = New-Object system.management.automation.pscredential ($ADUsername,(convertto-securestring $ADPassword -asplaintext -force))
$DomainInfo = Get-WmiObject -Class win32_ntdomain
$DC = (($DomainInfo | ? {$null -ne $_.domainControllername}).DomainControllerName -replace "\\","")
$Domain = $DomainInfo.DnsForestName
$DCFQDN = "fqdn.domainname.local"
#$DCFQDN = ($DC+"."+$Domain -replace "\s","")
$Group = Get-ADGroup -Identity $ADGroupDN -Server $DCFQDN -credential $domaincred
Add-ADGroupMember -Identity $Group -Members ($AzureVMName+'$') -Server $DCFQDN -credential $domaincred
# Disable Optional Components via Microsoft Windows Updates after installing RSAT tools.
  Remove-ItemProperty -Path $RegistryPath -Name RepairContentServerSource
Remove-WindowsCapability -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -Online
Â
Comments (0 comments)