Add Computers to Security Group Based on OU

Question

Thursday, February 20, 2014 9:42 PM

Good Afternoon:  

I have a cmdlet / scheduled task that runs and basically adds all machines in an OU to a specified security group.  Below is the output.

import-module ActiveDirectory;Get-ADComputer -SearchBase 'OU=Boston,OU=Computers,OU=Branch,DC=waw,DC=local' -Filter * | % {Add-ADGroupMember 'Workstations-WSUS' -Members $_.DistinguishedName }

This works perfectly; however, in some cases the OU I am targeting has close to 15-20 other OUs in it. Can I exclude a child OU in the above syntax?

Any help or direction someone could give me would be great.

All replies (6)

Thursday, February 20, 2014 10:13 PM | 1 vote

Get-ADComputer has a parameter called -SearchScope that will fix this problem for you.

Get-Help Get-ADComputer -Parameter SearchScope

Update: Your command, updated.

import-module ActiveDirectory;Get-ADComputer -SearchBase 'OU=Boston,OU=Computers,OU=Branch,DC=waw,DC=local' -Filter * -SearchScope OneLevel | % {Add-ADGroupMember 'Workstations-WSUS' -Members $_.DistinguishedName }

Friday, February 21, 2014 5:54 PM

Thanks a lot for your reply.

I did some reading on the SearchScope, and won't this just exclude the base object itself?

For example, I have an OU called Boston, and I have 10 OUs inside that "base" OU - Remote, Direct, etc.  If I run the above syntax, won't it include all the child OUs and just exclude Boston?  I want to include Boston, but restrict one proprietary child OU.  I am going to the lab with the syntax you suggested in case I misinterpreted.


Friday, February 21, 2014 6:13 PM

The default value of the Get-ADComputer cmdlet's SearchScope parameter is SubTree (or 2). The SubTree value will search inside of the Boston OU and OUs contained inside of the Boston OU. The OneLevel (or 1) value will search only inside of the Boston OU and not OUs contained inside of the Boston OU.


Friday, February 21, 2014 8:14 PM

Thanks again for your response, and your reply is very helpful.  I created an OU structure attached, I think I am close with your help.

If I target the Boston OU, and the OUs within them (that are highlighted in yellow) with the EXCEPTION of the Groups OU, which is highlighted in blue.  Basically I am trying to exclude just one OU nested in another OU.  Does this make sense, and is it possible?  I do not want the PowerShell command to include the GROUPS OU, but all the rest.

Any insight you could provide would be super helpful, and thanks again!

I created this in my lab for testing purposes, which is why you see no machines in that OU, FYI.


Friday, February 21, 2014 10:02 PM | 1 vote

You can pipe your Get-ADComputer into a where-object command to filter out the Computers in Groups before piping it into get-ADGroupMember.  It would look something like this:

Get-ADComputer -SearchBase 'OU=Boston,OU=Computers,OU=Branch,DC=waw,DC=local' -Filter * | ? {$_.DistinguishedName -notlike '*OU=Groups,OU=Boston*'} | % {Add-ADGroupMember 'Workstations-WSUS' -Members $_.DistinguishedName }

Wednesday, February 26, 2014 11:42 PM

Thank you so much, both of you.

Anthony, that worked perfectly, thank you!  Can you let me know what I would change if I wanted to exclude 2 OUs? Would I just add them right in the same notlike *OU=Groups,OU=Mobile Devices,OU=Boston*
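The Where-Object exclusion from the accepted reply, generalised to any number of nested child OUs, as an added example that is not from any poster in this thread. It assumes the same search base, group name and OU names used above, matches each computer's DN against the full DN of every excluded OU (so an unrelated OU that merely shares a name is not caught), and dry-runs the group change with -WhatIf so the scheduled task can be verified before it goes live.

```powershell
# Added example: populate Workstations-WSUS from the Boston OU while skipping
# one or more nested child OUs. Adjust $searchBase, $group and $excludedOUs.
Import-Module ActiveDirectory

$searchBase = 'OU=Boston,OU=Computers,OU=Branch,DC=waw,DC=local'
$group      = 'Workstations-WSUS'

# Child OUs to skip, as full DNs built from the search base (assumed names).
$excludedOUs = @(
    "OU=Groups,$searchBase",
    "OU=Mobile Devices,$searchBase"
)

# $true when the computer's DN sits anywhere under one of the excluded OUs.
# A DN inside an OU always ends with ",<OU DN>"; -like is case-insensitive.
function Test-InExcludedOU {
    param([string]$DistinguishedName)
    foreach ($ou in $excludedOUs) {
        if ($DistinguishedName -like "*,$ou") { return $true }
    }
    return $false
}

# SubTree (the default scope) returns the base OU and every OU beneath it;
# the filter then drops only the excluded branches.
$computers = Get-ADComputer -SearchBase $searchBase -Filter * |
    Where-Object { -not (Test-InExcludedOU $_.DistinguishedName) }

# Add only computers that are not already members, so each run reports
# real changes instead of silently re-adding everything.
# Note: Get-ADGroupMember is capped by the ADWS MaxGroupOrMemberEntries
# limit (5000 by default) on very large groups.
$current = Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty DistinguishedName
$toAdd = @($computers | Where-Object { $current -notcontains $_.DistinguishedName })

"Candidates: $(@($computers).Count); to add: $($toAdd.Count)"
if ($toAdd.Count -gt 0) {
    # Remove -WhatIf once the dry-run output lists the expected machines.
    Add-ADGroupMember -Identity $group -Members $toAdd -WhatIf
}
```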