u/Flubbip

New-ADComputer and Add-ADGroupMember: Adding an object to a group mid-creation

Trying to make a simple script to add and remove lists of computers. Creating the computer isn't an issue, it's the adding the computer to a group that is.

When manually adding a computer to AD, while still in the creation GUI, we add it to a group that allows any admin account to add it to a domain, not just the admin that created it. When you try adding it to that group once the object is already created, it will give you an error mentioning that you don't have permissions to modify that group you selected.

Now, I don't have access to the exact code since that's at work, but it's pretty simple as I am just trying to get a working concept before I make it into a proper script, so I will summarize the code.

  # -Path takes the distinguished name of the target OU; $ouPath stands in for the post's "OU path" placeholder
  New-ADComputer -Name "$computerName" -Path $ouPath

This works just fine. It makes the computer with the right name, in the right place.

  # $ouPath stands in for the post's "OU path" placeholder
  New-ADComputer -Name "$computerName" -Path $ouPath
  # Runs only after the computer exists, so the group write is a separate operation
  Add-ADGroupMember -Identity "groupName" -Members "$computerName"

This makes the computer but doesn't add it to the group, since if anyone tries to add it after creation, it's permission denied.

  # $ouPath stands in for the post's "OU path" placeholder.
  # Without -PassThru, New-ADComputer emits nothing, so Add-ADGroupMember
  # receives no pipeline input and never runs: no error, but no membership either
  New-ADComputer -Name "$computerName" -Path $ouPath |
  Add-ADGroupMember -Identity "groupName" -Members "$computerName"

This does not return an error, but when checking the computer, it isn't in the group.

I also tried -PassThru on the New-ADComputer side, but it gives me a pipeline error.

(also tried a few other things but again, don't have access to it at home, but if needed I can get it)

From what I am seeing, when using the AD module, there isn't a way to add a computer to a group while creating the computer, since creation and adding are different cmdlets. The creation will ALWAYS have to run before adding, not during, otherwise there isn't a target for Add-ADGroupMember, meaning it would return "object doesn't exist".

My question is, is this 100% right? Is there no way to mimic the process of adding the computer to a group while creating said computer, in order to not require permissions for that group? Yes, I could try to acquire the rights for the group in question, but that might honestly be the most difficult course of action. And no, going around the permissions during the manual creation isn't "bad". It's built that way for some stupid reason and I don't have the pay to be able to change that.

reddit.com
u/Flubbip — 3 days ago
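As an added example that is not part of the original post: the create-then-add step written as one PowerShell pipeline, plus the matching removal for the "lists of computers" use case. The function names (New-ComputerInGroup, Remove-ComputerList) and the OU/group values are placeholders chosen here, not anything from the post. Two details it relies on: New-ADComputer only emits the new object when -PassThru is given, and Add-ADGroupMember binds the pipeline object to -Identity (the group), not to -Members, so the computer has to be passed to -Members explicitly. A computer's sAMAccountName is the name with a trailing "$", which is what the AD cmdlets resolve by.

```powershell
# Added example, not code from the original post.
# Assumes the RSAT ActiveDirectory module and that $OuPath / $GroupName
# are replaced with real values; the names below are placeholders.
Import-Module ActiveDirectory

function New-ComputerInGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $OuPath,    # DN of the target OU, placeholder
        [Parameter(Mandatory)] [string] $GroupName  # group name / sAMAccountName / DN, placeholder
    )

    # -PassThru makes New-ADComputer return the ADComputer object; without it the
    # pipeline is empty and nothing downstream runs.  sAMAccountName is "$Name$".
    $computer = New-ADComputer -Name $Name -SamAccountName "$Name$" -Path $OuPath `
                               -Enabled $true -PassThru -ErrorAction Stop

    try {
        # Add-ADGroupMember takes the group from the pipeline, not the member, so the
        # computer object goes to -Members explicitly.  This still writes the group's
        # "member" attribute: the caller needs write rights on the group, and having
        # just created the computer object grants nothing on the group.
        Add-ADGroupMember -Identity $GroupName -Members $computer -ErrorAction Stop
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        throw "Group or member not found while adding $($computer.DistinguishedName): $($_.Exception.Message)"
    }
    catch {
        # Typically an access-denied ADException on the group's member attribute
        throw "Created $($computer.DistinguishedName) but could not add it to '$GroupName': $($_.Exception.Message)"
    }

    # Verify through the back-link on the computer rather than trusting the call
    $check = Get-ADComputer -Identity $computer.DistinguishedName -Properties MemberOf
    $group = Get-ADGroup -Identity $GroupName
    if ($check.MemberOf -notcontains $group.DistinguishedName) {
        throw "Membership check failed: $($check.DistinguishedName) is not in $($group.DistinguishedName)"
    }
    return $check
}

function Remove-ComputerList {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $Names)

    foreach ($n in $Names) {
        # Resolve by sAMAccountName ("name$"); -Confirm:$false suppresses the per-object prompt
        if ($PSCmdlet.ShouldProcess("$n$", "Remove-ADComputer")) {
            Remove-ADComputer -Identity "$n$" -Confirm:$false -ErrorAction Stop
        }
    }
}

# Usage, driven from a plain text file with one computer name per line (placeholder paths):
# Get-Content .\computers.txt | ForEach-Object {
#     New-ComputerInGroup -Name $_ -OuPath 'OU=Workstations,DC=corp,DC=example' -GroupName 'DomainJoiners'
# }
# Remove-ComputerList -Names (Get-Content .\computers.txt)
```

The one-liner form of the same thing is `New-ADComputer -Name $n -Path $ouPath -PassThru | ForEach-Object { Add-ADGroupMember -Identity 'groupName' -Members $_ }`. Note that neither form changes what the directory checks: group membership is stored on the group object, so whoever runs the script must be able to write that group's `member` attribute regardless of whether the call happens in the same pipeline as the creation. If the ADUC wizard succeeds where the script is denied, compare the account and rights used in each case (Get-Acl on the group's AD: path shows who holds "Write Members") rather than looking for an ordering trick in the cmdlets.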