Modify Local Group using Computer Description Powershell Example

PowerShell: make the Unity ID listed in the Description attribute of this computer's AD object the only member of the local Remote Desktop Users group (or empty the group when the description is blank or names no user in the People OU).

[powershell]

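#remotedesktop.ps1
#
# PowerShell script that makes the local "Remote Desktop Users" group contain
# exactly the Unity ID listed in the Description attribute of this computer's
# AD object, and nobody else:
#   1. LDAP search under $targetOU for this computer's object; read its description.
#   2. LDAP search in the People OU to check that the description names a real user.
#   3. If it does, that user becomes the only member of Remote Desktop Users.
#      If it does not (empty description, or no such user), every member is removed.
#
# Fail-safe: if the directory cannot be queried at all (DC unreachable, computer
# object not found) the script exits WITHOUT touching the local group, so a
# transient AD outage cannot strip access. Members to keep are added before
# anything is removed, so a failed Add() never leaves the group empty.
#
# Requires PowerShell 2.0 or later (try/catch) and an account that can modify
# local groups (normally SYSTEM, via a startup script or scheduled task).
#
# NOTE(review): whoever can write the computer object's description attribute
# decides who gets Remote Desktop access to this machine; restrict write access
# to that attribute accordingly.

# Treat every error as terminating so nothing is half-applied silently.
$ErrorActionPreference = "Stop"

#Edit here to correspond to your OU location where the script should search for
#the computer object, starting with college name down.
$targetOU      = "ou=coedean,ou=coe"
$domainDN      = "dc=wolftech,dc=ad,dc=ncsu,dc=edu"
$netbiosDomain = "wolftech"
$localGroup    = "Remote Desktop Users"

# Escape the RFC 4515 special characters in a value before interpolating it into
# an LDAP filter, so a crafted description (e.g. "*") cannot change what the
# filter matches. Backslash is escaped first so the escapes it produces are not
# escaped again.
function Escape-LdapFilterValue([string]$value)
{
    return ($value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29' `
                   -replace "`0", '\00')
}

# Run one LDAP query and return the first match, or $null when nothing matches.
# Directory errors (DC unreachable, bad path) propagate to the caller.
function Find-DirectoryObject([string]$searchRoot, [string]$filter)
{
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$searchRoot
    $searcher.Filter      = $filter
    $searcher.SearchScope = "Subtree"
    return $searcher.FindOne()
}

# Return the first value of an attribute on a SearchResult as a trimmed string,
# or "" when the attribute is absent.
function Get-FirstValue($searchResult, [string]$attribute)
{
    $values = $searchResult.Properties[$attribute]
    if ($values -eq $null -or $values.Count -eq 0) { return "" }
    return ([string]$values[0]).Trim()
}

$computerName = $env:COMPUTERNAME

# --- Directory lookups. Any failure here means: leave the local group alone. ---
$userResult = $null
$unityId    = ""
try
{
    $computerResult = Find-DirectoryObject "LDAP://$targetOU,ou=ncsu,$domainDN" `
        "(&(objectClass=computer)(cn=$(Escape-LdapFilterValue $computerName)))"
    if ($computerResult -eq $null)
    {
        throw "computer object '$computerName' not found under $targetOU,ou=ncsu,$domainDN"
    }

    # An empty description means "no user assigned" (clear the group); that is
    # different from a failed lookup, which must not modify anything.
    $unityId = Get-FirstValue $computerResult "description"
    if ($unityId -ne "")
    {
        $userResult = Find-DirectoryObject "LDAP://ou=people,$domainDN" `
            "(&(objectClass=user)(cn=$(Escape-LdapFilterValue $unityId)))"
    }
}
catch
{
    Write-Warning "Directory lookup failed ($($_.Exception.Message)); leaving '$localGroup' unchanged."
    exit 1
}

# --- Desired membership: the looked-up user, or nobody. ---
$desired = @()
if ($userResult -ne $null)
{
    # The description was matched against cn; bind by sAMAccountName, which is
    # what the WinNT provider resolves (the two are normally identical).
    $sam = Get-FirstValue $userResult "samaccountname"
    if ($sam -eq "") { $sam = $unityId }
    $desired += "WinNT://$netbiosDomain/$sam"
}

# --- Reconcile the local group: add what is missing first, then remove the rest. ---
# Members are identified by ADsPath (e.g. WinNT://WOLFTECH/jdoe) rather than by
# bare name, so a domain account and a local account with the same name cannot
# be confused and Remove() is handed the exact path the provider reported.
$group   = [ADSI]"WinNT://$computerName/$localGroup,group"
$current = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
})

foreach ($path in $desired)
{
    if (-not ($current -contains $path))
    {
        try   { $group.Add($path) }
        catch { Write-Warning "Could not add $path to '$localGroup': $($_.Exception.Message)" }
    }
}
foreach ($path in $current)
{
    if (-not ($desired -contains $path))
    {
        try   { $group.Remove($path) }
        catch { Write-Warning "Could not remove $path from '$localGroup': $($_.Exception.Message)" }
    }
}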

[/powershell]

PowerShell: make the local Administrators group contain exactly the Unity ID listed in the Description attribute of this computer's AD object, plus $DEPT-Computer Admins and Domain Admins, and no one else. Note that this turns the computer object's Description attribute into a security-sensitive field: anyone who can write it chooses who becomes a local administrator, so restrict write access to that attribute accordingly.

[powershell]

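#administrator1.ps1
#
# PowerShell script that makes the local "Administrators" group contain exactly:
#   - the Unity ID listed in the Description attribute of this computer's AD object
#     (only if that ID is a user in the People OU),
#   - the domain group "Domain Admins",
#   - the OU's Computer Admins group ($OUComputerAdmins),
# and nobody else. Steps:
#   1. LDAP search under $targetOU for this computer's object; read its description.
#   2. LDAP search in the People OU to check that the description names a real user.
#   3. Reconcile the local Administrators group against the desired list above.
#
# Fail-safe: if the directory cannot be queried at all (DC unreachable, computer
# object not found) the script exits WITHOUT touching the local group, so a
# transient AD outage cannot lock administrators out. Members to keep are added
# before anything is removed, so the group is never left without its admin groups
# because an Add() failed. If Windows refuses to remove a member (the built-in
# Administrator account may be such a case), a warning is printed and the script
# continues.
#
# Requires PowerShell 2.0 or later (try/catch) and an account that can modify
# local groups (normally SYSTEM, via a startup script or scheduled task).
#
# NOTE(review): whoever can write the computer object's description attribute
# decides who becomes a local administrator of this machine; restrict write
# access to that attribute accordingly.

# Treat every error as terminating so nothing is half-applied silently.
$ErrorActionPreference = "Stop"

#Edit here to correspond to your OU location where the script should search for
#the computer object, starting with college name down, and the name of the OU
#Computer Admins group.
$targetOU         = "ou=coedean,ou=coe"
$OUComputerAdmins = "COEDEAN-Computer Admins"
$domainDN         = "dc=wolftech,dc=ad,dc=ncsu,dc=edu"
$netbiosDomain    = "wolftech"
$localGroup       = "Administrators"

# Escape the RFC 4515 special characters in a value before interpolating it into
# an LDAP filter, so a crafted description (e.g. "*") cannot change what the
# filter matches. Backslash is escaped first so the escapes it produces are not
# escaped again.
function Escape-LdapFilterValue([string]$value)
{
    return ($value -replace '\\', '\5c' `
                   -replace '\*', '\2a' `
                   -replace '\(', '\28' `
                   -replace '\)', '\29' `
                   -replace "`0", '\00')
}

# Run one LDAP query and return the first match, or $null when nothing matches.
# Directory errors (DC unreachable, bad path) propagate to the caller.
function Find-DirectoryObject([string]$searchRoot, [string]$filter)
{
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$searchRoot
    $searcher.Filter      = $filter
    $searcher.SearchScope = "Subtree"
    return $searcher.FindOne()
}

# Return the first value of an attribute on a SearchResult as a trimmed string,
# or "" when the attribute is absent.
function Get-FirstValue($searchResult, [string]$attribute)
{
    $values = $searchResult.Properties[$attribute]
    if ($values -eq $null -or $values.Count -eq 0) { return "" }
    return ([string]$values[0]).Trim()
}

$computerName = $env:COMPUTERNAME

# --- Directory lookups. Any failure here means: leave the local group alone. ---
$userResult = $null
$unityId    = ""
try
{
    $computerResult = Find-DirectoryObject "LDAP://$targetOU,ou=ncsu,$domainDN" `
        "(&(objectClass=computer)(cn=$(Escape-LdapFilterValue $computerName)))"
    if ($computerResult -eq $null)
    {
        throw "computer object '$computerName' not found under $targetOU,ou=ncsu,$domainDN"
    }

    # An empty description means "no user assigned" (admin groups only); that is
    # different from a failed lookup, which must not modify anything.
    $unityId = Get-FirstValue $computerResult "description"
    if ($unityId -ne "")
    {
        $userResult = Find-DirectoryObject "LDAP://ou=people,$domainDN" `
            "(&(objectClass=user)(cn=$(Escape-LdapFilterValue $unityId)))"
    }
}
catch
{
    Write-Warning "Directory lookup failed ($($_.Exception.Message)); leaving '$localGroup' unchanged."
    exit 1
}

# --- Desired membership: the two admin groups, plus the looked-up user if any. ---
$desired = @(
    "WinNT://$netbiosDomain/Domain Admins",
    "WinNT://$netbiosDomain/$OUComputerAdmins"
)
if ($userResult -ne $null)
{
    # The description was matched against cn; bind by sAMAccountName, which is
    # what the WinNT provider resolves (the two are normally identical).
    $sam = Get-FirstValue $userResult "samaccountname"
    if ($sam -eq "") { $sam = $unityId }
    $desired += "WinNT://$netbiosDomain/$sam"
}

# --- Reconcile the local group: add what is missing first, then remove the rest. ---
# Members are identified by ADsPath (e.g. WinNT://WOLFTECH/Domain Admins) rather
# than by bare name, so a domain account and a local account with the same name
# cannot be confused and Remove() is handed the exact path the provider reported.
$group   = [ADSI]"WinNT://$computerName/$localGroup,group"
$current = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
})

foreach ($path in $desired)
{
    if (-not ($current -contains $path))
    {
        try   { $group.Add($path) }
        catch { Write-Warning "Could not add $path to '$localGroup': $($_.Exception.Message)" }
    }
}
foreach ($path in $current)
{
    if (-not ($desired -contains $path))
    {
        try   { $group.Remove($path) }
        catch { Write-Warning "Could not remove $path from '$localGroup': $($_.Exception.Message)" }
    }
}
exit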

[/powershell]