Recently I wanted to target a GPO to a group of computers that were in a Collection, so I thought it would be easiest to sync the membership of a CM Collection to an AD Group.
This has worked great in my lab, but I haven’t tested at large scale.
Script on GitHub
The meat of the script:
# Needs the ConfigMgr console module and the ActiveDirectory RSAT module loaded,
# and must be run from the CM site PSDrive (e.g. Set-Location "PS1:") for Get-CMDevice to work.
$ADComputerObject = @()
$CMDevices = Get-CMDevice -Fast -CollectionId $CollectionID   # -Fast skips lazy properties; Name is all we need
ForEach ($CMDevice in $CMDevices){
    # Resolve each CM device name to its AD computer object; Add-ADGroupMember wants an AD identity, not a CM record
    $ADComputerObject += Get-ADComputer -Identity $CMDevice.Name
}
Add-ADGroupMember -Identity $ADGroup -Members $ADComputerObject
So we’re grabbing the Devices in the Collection:
$CMDevices = Get-CMDevice -Fast -CollectionId $CollectionID
Then converting that data into something AD Groups can consume by running each CM Device through the Get-ADComputer command and placing the result in an array:
ForEach ($CMDevice in $CMDevices){ $ADComputerObject += Get-ADComputer -Identity $CMDevice.Name }
Once we have that array of AD computer objects, we add them to the AD Group in a single call:
Add-ADGroupMember -Identity $ADGroup -Members $ADComputerObject
Note that this only adds members. A computer that drops out of the Collection stays in the AD Group until something removes it, so the result is one-way, not a true sync.
Just remember, whoever is running the script needs rights in both CM and AD: read access to the Collection in ConfigMgr, and permission to modify the membership of the target group in AD. Delegate only Write Members on that one group rather than broad group-management rights; the account that runs this can otherwise add arbitrary computers to arbitrary groups, which matters if the group is used to target GPOs.
I’m using a group managed service account and a scheduled task to keep the AD Group in Sync with the Query based Collection.
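The following is an added example, not the script from the post or from GitHub: a two-way version of the same idea that computes the difference between the Collection and the AD Group and both adds and removes computer objects, so it can be left running from a scheduled task under a gMSA. Everything it assumes is labelled: the $SiteCode, $CollectionID and $ADGroup parameters, the console-module path taken from $ENV:SMS_ADMIN_UI_PATH, and the choice to skip CM devices that have no AD computer object rather than fail.

```powershell
# Added example (not the original post's script). Assumed inputs: -SiteCode, -CollectionID, -ADGroup.
# Run from a host with the ConfigMgr console and the ActiveDirectory RSAT module installed.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $SiteCode,      # e.g. 'PS1' (assumed)
    [Parameter(Mandatory)] [string] $CollectionID,  # e.g. 'PS100042' (assumed)
    [Parameter(Mandatory)] [string] $ADGroup        # sAMAccountName of the target group (assumed)
)

Import-Module ActiveDirectory -ErrorAction Stop
# The console setup sets SMS_ADMIN_UI_PATH; the CM module lives one level above it (assumed layout)
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):"   # CM cmdlets only work from the site PSDrive

# 1. Desired state: every device in the Collection, resolved to its AD computer object.
#    -Filter returns nothing for a device with no AD object (stale CM record, workgroup box),
#    so those are logged and skipped instead of aborting the whole run.
$desired = @{}
foreach ($dev in Get-CMDevice -Fast -CollectionId $CollectionID) {
    $adComputer = Get-ADComputer -Filter "Name -eq '$($dev.Name)'"
    if ($adComputer) { $desired[$adComputer.DistinguishedName] = $adComputer }
    else { Write-Warning "CM device '$($dev.Name)' has no AD computer object; skipping" }
}

# 2. Current state: only computer objects are managed. Users or nested groups someone added
#    by hand are left alone, so this job cannot be used to silently evict them.
$current = @{}
foreach ($m in Get-ADGroupMember -Identity $ADGroup) {
    if ($m.objectClass -eq 'computer') { $current[$m.distinguishedName] = $m }
}

# 3. Diff the two sets by distinguished name and apply only the changes.
#    -WhatIf on the script flows down to these cmdlets via $WhatIfPreference.
$toAdd    = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

if ($toAdd.Count    -gt 0) { Add-ADGroupMember    -Identity $ADGroup -Members $toAdd }
if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $ADGroup -Members $toRemove -Confirm:$false }

Write-Output ("Collection {0} -> group {1}: {2} desired, {3} added, {4} removed" -f
    $CollectionID, $ADGroup, $desired.Count, $toAdd.Count, $toRemove.Count)
```

Run it once with -WhatIf before scheduling it, since the removal step is what makes it a real sync and also what makes a mistyped Collection ID empty the group. Two scale caveats: Get-ADGroupMember is subject to the ADWS MaxGroupOrMemberEntries limit (5000 by default), so very large groups need the member attribute read via Get-ADGroup -Properties member instead; and Remove-ADGroupMember prompts by default, hence -Confirm:$false, which is safe to pair with -WhatIf because WhatIf still wins.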
Posted on GARYTOWN.COM
Could this same process be used for Users, instead of Devices?