There are many scenarios where there is a need to add a computer to an AD group during deployment, for instance to enable the computer to use a wireless network or to add it to an application group. I created this little script, which can be run for instance from a task sequence in SCCM, to do exactly that.
It adds the computer on which the script is executed to all AD groups specified on the command line: “wscript.exe adgroups.vbs adgroup1 adgroup2”.
I normally run it using the “Run Command Line” step under a service account with the appropriate permissions; below is a screenshot of how such a step could look.
The script used is posted below; check the script after copying for unwanted line-feeds, or you can download it here:
Here is how to implement it:
- Download the script from the link above.
- Save it as adgroup.vbs in a directory that can be used as package source files in ConfigMgr.
- Create a package without a program and use the newly created folder as the source folder.
- Distribute the package to your DPs.
- In the Task Sequence, after the “Setup Windows and Configuration Manager” step, add a “Run Command Line” step. (The reason for placing it somewhere in the TS after that step is that the script uses the computer account of the computer it is run on to find it in AD.)
- Configure the Run Command Line step to execute the script using the following command line: “Wscript.exe adgroup.vbs”; after the script name, add the names of the AD groups the computer should be added to. You can enter as many groups as you like, for example “Wscript.exe adgroup.vbs APP_Adobe_reader APP_Java_runtime”.
- Use an account to run the script under that has permissions to manage the group memberships.
- Then you are ready to test it.
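The same job done in PowerShell, as an added example that is not the original adgroup.vbs or any script by the post's author: it uses plain ADSI/.NET (no RSAT or ActiveDirectory module, which a freshly deployed client does not have), accepts group names that contain spaces as well as a comma-separated list, escapes the group name before putting it into an LDAP filter so a stray quote or parenthesis on the command line cannot change the query, skips groups it cannot find, and returns a non-zero exit code so the task sequence step fails visibly. The script and group names are assumptions; run it from a "Run PowerShell Script" step (or powershell.exe -File from a Run Command Line step) under the same service account the post describes.

```powershell
<#
  Add-ComputerToGroups.ps1 (added example, not the post's own script)
  Usage in a task sequence step, account = service account with "Write Members" on the groups:
    powershell.exe -ExecutionPolicy Bypass -File Add-ComputerToGroups.ps1 "APP_Adobe_reader","APP_Java runtime"
    powershell.exe -ExecutionPolicy Bypass -File Add-ComputerToGroups.ps1 "APP_Adobe_reader,APP_Java runtime"
  Group names above are assumed, not from the post.
#>
param(
    [Parameter(Mandatory = $true, Position = 0)]
    [string[]] $GroupName,   # one or more group names; "A,B" is also split on commas
    [switch]   $Remove       # remove the computer instead of adding it
)

# Escape characters that are special in an LDAP filter (RFC 4515).
# Backslash goes first so the escapes introduced afterwards are not re-escaped.
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# Search the domain this computer belongs to (DirectorySearcher defaults to the default naming context,
# the same root the VBScript builds from LDAP://rootDSE) and return the matching DirectoryEntry or $null.
function Get-DirectoryEntryByFilter([string] $Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = $Filter
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return $result.GetDirectoryEntry()
}

# Split "A,B" style arguments too, and drop empty entries.
$names = $GroupName -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Find *this* computer's account by its sAMAccountName (COMPUTERNAME$).
$computerFilter = "(&(objectCategory=computer)(sAMAccountName=$(ConvertTo-LdapFilterValue $env:COMPUTERNAME)$))"
$computer = Get-DirectoryEntryByFilter $computerFilter
if ($null -eq $computer) {
    Write-Error "Computer account $env:COMPUTERNAME not found in AD"
    exit 2
}
$computerDn = [string]$computer.Properties['distinguishedName'].Value

$failed = 0
foreach ($name in $names) {
    $group = Get-DirectoryEntryByFilter "(&(objectCategory=group)(name=$(ConvertTo-LdapFilterValue $name)))"
    if ($null -eq $group) {
        Write-Warning "Group not found, skipping: $name"
        $failed++
        continue
    }
    # Same check as IsMember in the VBScript: look for our DN in the group's member attribute.
    $isMember = $group.Properties['member'] -contains $computerDn
    try {
        if ($Remove -and $isMember) {
            [void]$group.Properties['member'].Remove($computerDn)
            $group.CommitChanges()
            Write-Output "Removed $computerDn from $name"
        } elseif (-not $Remove -and -not $isMember) {
            [void]$group.Properties['member'].Add($computerDn)
            $group.CommitChanges()
            Write-Output "Added $computerDn to $name"
        } else {
            Write-Output "No change needed for $name"
        }
    } catch {
        # Typically "access is denied": the run-as account lacks write access to the group's member attribute.
        Write-Warning "Failed on ${name}: $($_.Exception.Message)"
        $failed++
    }
}

# A non-zero exit code makes the task sequence step fail instead of silently continuing.
exit $failed
```

Because the computer is located by its own sAMAccountName, the step still has to run after "Setup Windows and Configuration Manager", exactly as the post says. The membership check reads the group's member attribute directly, which is fine for groups of normal size; very large groups return that attribute in ranges, so for those use a search with a memberOf filter instead.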
The script can be found here as well:
Const ADS_PROPERTY_APPEND = 3

'----Get Computer DN------
' Distinguished name of the computer this script is running on (requires a domain-joined machine)
Set objADSysInfo = CreateObject("ADSystemInfo")
computerDN = objADSysInfo.ComputerName
strComputerDN = "LDAP://" & computerDN
Set objADSysInfo = Nothing

'----Connect AD-----
Set oRoot = GetObject("LDAP://rootDSE")
strDomainPath = oRoot.Get("defaultNamingContext")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

'-----Read commandline---
' Every argument is one group name; quote names that contain spaces
Set args = WScript.Arguments
For i = 0 To args.Count - 1
    'wscript.echo args.Item(i)
    AddGroup args.Item(i)
Next

Function AddGroup(groupName)
    '----Get Group DN------
    ' Note the space before WHERE so the query stays well-formed
    Set oRs = oConnection.Execute("SELECT adspath FROM 'LDAP://" & strDomainPath & "' " & _
        "WHERE objectCategory='group' AND Name='" & groupName & "'")
    If oRs.EOF Then
        ' Without this guard GetObject("") would raise a runtime error
        WScript.Echo "Group not found: " & groupName
        Exit Function
    End If
    strAdsPath = oRs("adspath")
    Set objGroup = GetObject(strAdsPath)
    Set objComputer = GetObject(strComputerDN)
    ' Only append when the computer is not already a member
    If objGroup.IsMember(objComputer.AdsPath) = False Then
        objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(computerDN)
        objGroup.SetInfo
    End If
End Function
Great to land on your blog as the third hit after a Google search for “script add computer to group sccm” 😉
This saved my day!
You can add a remove function to this as well:
' ADS_PROPERTY_DELETE must be declared at the top of the script, next to ADS_PROPERTY_APPEND
Const ADS_PROPERTY_DELETE = 4

Function RemoveGroup(groupname)
    '----Get Group DN------
    Set oRs = oConnection.Execute("SELECT adspath FROM 'LDAP://" & strDomainPath & "' " & "WHERE objectCategory='group' AND " & "Name='" & GroupName & "'")
    If Not oRs.EOF Then
        strAdsPath = oRs("adspath")
    End If
    Set objGroup = GetObject (stradspath)
    Set objComputer = GetObject (strComputerDN)
    ' Only remove when the computer actually is a member
    If (objGroup.IsMember(objComputer.AdsPath) = True) Then
        objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(computerdn)
        objGroup.SetInfo
    End If
End Function
Great addition Mathias I will update the script and the post, thanks for the feedback!
/Jörgen
Hi Jorgen, when using the script within a task sequence and providing an MDT variable as the parameter, e.g. adgroup.vbs %MemberSecGroup%, and your Security Group Names have spaces, e.g. ITR PRNT BLD4, should you enclose these Names in ” quotation marks ” to avoid the space delimiter, or better still, can I use comma-separated names and modify the script slightly to parse the arguments with the delimiting comma? How would this be achieved as I am not a scripting guru. Cheers Ralph
Did you figure this out Ralph? I have the same exact issue
Hey, thanks for the great script. I just wanted to add that in one environment we needed to add a computer to a group during a migration to a different domain (we had all machine accounts pre-staged in a specific OU),
so we ran this task on the source domain PCs, and using %computername% we ran this script to add “cn=%computername%,(new domain and OU DN)” to a group in the new domain,
using a task that runs from SCCM.
It’s pretty raw; I just modified the script to accept 3 arguments and it will add only one group each run (in order):
Const ADS_PROPERTY_APPEND = 3
Set WshShell = WScript.CreateObject("WScript.Shell")

'-----Read commandline---
' arg1 = DN of the computer to add, arg2 = group name, arg3 = naming context (DN) to search for the group
Set args = WScript.Arguments
arg1 = args.Item(0)
'wscript.echo arg1
arg2 = args.Item(1)
'wscript.echo arg2
arg3 = args.Item(2)
'wscript.echo arg3

'----Get Computer DN------
Set objADSysInfo = CreateObject("ADSystemInfo")
ComputerDN = arg1
'wscript.echo ComputerDN
strcomputerdn = "LDAP://" & computerDN
'wscript.echo strcomputerdn
Set objADSysInfo = Nothing

'----Connect AD-----
Set oRoot = GetObject("GC://rootDSE")
'strDomainPath = oRoot.Get("defaultNamingContext")
strDomainPath = arg3
'wscript.echo strDomainPath
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

addgroup arg2

Function Addgroup(groupname)
    '----Get Group DN------
    Set oRs = oConnection.Execute("SELECT adspath FROM 'LDAP://" & strDomainPath & "' " & "WHERE objectCategory='group' AND " & "Name='" & GroupName & "'")
    If Not oRs.EOF Then
        strAdsPath = oRs("adspath")
    End If
    Set objGroup = GetObject (stradspath)
    Set objComputer = GetObject (strComputerDN)
    'wscript.echo objComputer
    'wscript.echo objGroup
    If (objGroup.IsMember(objComputer.AdsPath) = False) Then
        objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(computerdn)
        objGroup.SetInfo
    End If
End Function
Thanks a thousand, Thanksssssssssssssssss!!!!!!!!!!!!!!!!!!!!!!!!!!!
Did not work for me
error comes “Operating system exited with return code 1” “incorrect function”
In regards to Mathias’ remove fix, you need to change the constant at the top of the script from
Const ADS_PROPERTY_APPEND = 3
to
Const ADS_PROPERTY_DELETE = 4
or the
objGroup.PutEx ADS_PROPERTY_DELETE, "member", Array(computerdn)
line will return an error.
Thank you. This script is what I was looking for.
Is there a way to feed the security groups into the script based upon the software that was selected in the MDT install applications page? I understand I will need to translate the applications selected into the corresponding security groups.
I am using MDT 2012 and SCCM 2007. We support 1000 applications.
I am in charge of moving the build team away from Ghost and onto these tools.
I can create unique task sequences for the major “roles” but we will always have machines that need unique combinations of software.
I know MDT generates a couple of lists I could parse. The OSDSetupWizard.log contains a lot of info that is useful, but I imagine it would be complicated to parse.
%temp%\AppDiscoveryresult.xml.app might be another possibility.
Thanks in advance
Dan
You should be able to do that in VBS, using the “Microsoft.SMS.TSEnvironment” object. Parse your application task sequence variables into an array, then loop through the array looking for the SCCM Package ID/Program in question, calling the AddGroup function when you hit the one(s) you’re looking for.
Hope the idea is helpful.
Joe
Why are so many geeks really poor at creating a “how to” on anything? They always assume some kind of knowledge in a particular area and leave out details for anyone new.
Above is a VBS script and a screen shot of I assume the (Add) Run Command Line from SCCM task sequence editor.
Is there anything I need to do to the script? How does it know what AD group I am after?
For someone who hates and cares not for scripting, it is not so obvious what needs to be done. I am more of a network guy but I often get stuck with working these things out.
Do I save your attached script and then edit (what do I edit?) and save as wscript.vbs? Then package that up, and then do EXACTLY as per the above screenshot, and I should be good to go, yes?
Advice to geeks: stop copying Microsoft and try to make your how-to guides useful to all levels of experience.
Nothing personal – thanks for the post.
Hi,
I will rewrite it tomorrow. I agree with your comments above; I normally include a “how to implement it” section but in this case I was sloppy. I will update it tomorrow, thanks for the pointer.
Regards,
Jörgen
I have updated the post; I hope it is easier to understand.
Regards,
Jörgen
Great info Jörgen, appreciate it.
Just one question: if I put the adgroup.vbs script in the MDTpackage\scripts folder and call it in a similar way to your example, but I use this command line and don’t specify a package instead:
cscript %SCRIPTROOT%\adgroup.vbs “_computersgroup”
the result is that the step fails with “Operating system exited with return code 1” “incorrect function”.
If I set it up exactly as in your example it works, but I can’t see any reason why my method shouldn’t work? %SCRIPTROOT% resolves fine and the script is indeed started, but fails.
Thank you.
I can’t seem to get this script to work in my task sequence with installing Applications and Packages. We are using MDT and the UDI wizard. Got any ideas?
I am trying to use this script with MDT2012. The script itself works just fine as long as I have a group with a name without spaces. The trouble is we have a fair number of groups with spaces in the name. Is there a way to overcome this without having to change the name of the groups to remove the spaces? Thank you for your help!
Wade
Hi, have you tried just putting quotes around the names?
Hello,
I am getting the same error as some users above. It works fine when I run the vbs script from a normal command line and pass the security group names on the command line,
but via task sequence, I have put it in the correct location according to the instructions but it fails with:
Operating system exited with return code 1″ “incorrect function”
Any help would be much appreciated.
Hello,
I have the same error and I don’t know how to resolve this error:
Error Milestone T01 12/02/2014 17:13:08 MININT-INVPVHP Task Sequence Manager 11170 The task sequence manager could not successfully complete execution of the task sequence. A failure exit code of 16389 was returned.
Error Milestone T01 12/02/2014 16:57:55 MININT-INVPVHP Task Sequence Engine 11141 The task sequence execution engine failed execution of a task sequence. The operating system reported error 1: Incorrect function.
Error Milestone T01 12/02/2014 16:57:54 MININT-INVPVHP Task Sequence Engine 11135 The task sequence execution engine failed executing the action (Add to different AD Groups) in the group (Setup Operating System) with the error code 1 Action output: ” Successfully connected to “\\server\SMSPKGD$\T01002A0” Succeeded loading resource DLL ‘C:\Windows\system32\CCM\1033\TSRES.DLL’ Entering ReleaseSource() for \\server\SMSPKGD$\T01002A0reference count 1 for the source\\server\SMSPKGD$\T01002A0\ before releasing Released the resolved source \\server\SMSPKGD$\T01002A0Content successfully downloaded at C:\_SMSTaskSequence\Packages\T01002A0 Resolved source to ‘C:\_SMSTaskSequence\Packages\T01002A0’ Command line for extension .exe is “%1” %* Set command line: Run command line Working dir ‘C:\intel’ Executing command line: Run command line Process completed with exit code 1 Command line returned 1 Entering ReleaseSource() for C:\_SMSTaskSequence\Packages\T01002A0 reference count 1 for the source C:\_SMSTaskSequence\Packages\T01002A0 before releasing Delete source directory C:\_SMSTaskSequence\Packages\T01002A0 Released the resolved source C:\_SMSTaskSequence\Packages\T01002A0. The operating system reported error 1: Incorrect function.
Any help would be appreciated
Thanks,
Jan
Hi Jörgen,
I would appreciate if you could help me out with a problem.
I’m using your script and it’s working like a charm. So thanks for that!
Now on to my problem.
I’m responsible for a couple of schools and want to use your script to assign computers to different AD groups to deploy printers.
I would like to have a user input during the task sequence where the user chooses the school they’re at, so that the correct printers will be deployed to the computers during a reinstall.
For example, if a user belongs to school1, they should type school1, and so on, to receive the correct printers.
Do you have any suggestions to solve this?
Regards
Danne
Hi,
Sorry for the late answer. You can do it using a collection variable with an empty value; then they will be prompted during installation. However, you cannot have any input validation or a dropdown list, so perhaps an MDT UDI deployment could be an option?
/Jörgen
Hi, what is your process for deployment, MDT or MECM? Either way, a UDI should suffice to do this; you will just need to build variables into them. Create the step in the TS, then under options for the TS, select the variable option and set it to use whatever you set in the UDI. One thing to keep in mind: when you do this in the UDI, set the variables with a default of false. See if using the steps here helps https://buckingthesystemcenter.wordpress.com/2015/05/19/how-to-have-a-working-udi-applications-page-with-stand-alone-media/
I kept getting weird errors. The errors always referenced the last line of the code and said stuff like “missing ‘;’ operator”, “unterminated entity reference”, etc.
I tried many things but in the end I had to save the script as .vbs instead of .wsf, and then it worked.
I’m working on using this script as part of our deployment process. The script works fine with a Domain Admin account but not with my deployment account. Can anyone tell me the permissions I would need to Delegate in the computer’s OU in order to allow my user account to be able to add a computer object to a security group?
Thanks
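The least-privilege answer to the permissions question is to delegate only the "Write Members" right (write access to the group's member attribute) on the specific groups the task sequence touches, rather than running the step as a Domain Admin. As an added example, not from the post, this script does that delegation from an admin workstation with the ActiveDirectory module and then reads the ACL back to verify it. The account name and group names are assumptions.

```powershell
# Delegate "Write Members" on selected groups to the deployment account (added example, not from the post).
# Run on an admin workstation with RSAT / the ActiveDirectory module, as an account that may change group ACLs.
Import-Module ActiveDirectory

$deployAccount = 'CORP\svc_osd'                            # assumed: the "run as" account of the TS step
$groups        = 'APP_Adobe_reader', 'APP_Java_runtime'    # assumed: the only groups the script may modify

# Look up the schemaIDGUID of the "member" attribute from the schema instead of hard-coding it.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = [guid]$memberAttr.schemaIDGUID

# Allow WriteProperty on the member attribute only; no inheritance, so only this object is affected.
$identity = New-Object System.Security.Principal.NTAccount($deployAccount)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid)

foreach ($g in $groups) {
    $dn  = (Get-ADGroup -Identity $g).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    Write-Output "Granted Write Members on $g to $deployAccount"
}

# Verification: the deployment account should now hold exactly WriteProperty on the member attribute GUID
# of each group, and nothing broader (no GenericAll, no WriteDacl).
foreach ($g in $groups) {
    $dn = (Get-ADGroup -Identity $g).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq $deployAccount } |
        Select-Object @{ n = 'Group'; e = { $g } }, ActiveDirectoryRights, AccessControlType,
                      @{ n = 'IsMemberAttribute'; e = { $_.ObjectType -eq $memberGuid } }
}
```

Reading the attribute is already granted to Authenticated Users by default, so the script only needs the write right. Keeping the delegation on the individual groups (not on the OU with inheritance) means a compromised deployment account can change membership of those groups only, which is the blast radius a deployment credential should have.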
Hi Jörgen
Looks like this VB script stops working from CM 1610. The old problem described in the blog post below seems to be back. I traced the problem down: the ConfigMgr client installation sets “HKLM\Software\Microsoft\COM3\REGDBVersion” to hex:05,00,00,00,00,00,00,00
https://blogs.technet.microsoft.com/deploymentguys/2012/04/24/run-command-line-as-domain-user-incorrect-function-error/
Is this something you noticed as well?
I realise this is a long shot, but the comment by Kjell is the only recent mention of this I have been able to find so far.
What I am seeing is that installing Office 365 C2R on Windows 10 1607 is changing this key to 05 00 00.
Installing Office on Windows 10 1511, does not give me this issue. I have put in a workaround for this, but it seems highly strange.
We are also currently on CM 1610.
Same issue. O365 C2R 2016. Win10 1703.
any way to get this to work with ADgroups with a space in their names?
Just add “” in the ad group name, for example, wscript.exe ADGroup.vbs “AD Group”
Anyone find out why the “incorrect function” error is occurring?
I applied the reg change and still no luck.
Also receiving “incorrect function” error…
Copied settings as listed above…
Permissions are fine and runs successfully outside TS…
Thanks for this script! It works great on SCCM 1806 when trying to add the device to one AD group, even using “” when AD group has spaces. However, adding more than one AD group doesn’t seem to work.
Hi,
Why not try out the PowerShell script I wrote a couple of months ago? I have tested that and it works just great with multiple groups with ” ” in them.
Regards,
Jörgen