Add Computer to AD Group Script

I got this script from Microsoft that adds a computer as a member to a security group in Active Directory. As we want to automate everything, this script can be very useful during deployment. A typical scenario can be to enable the computer for Direct Access or wireless network.


Instructions for use with Microsoft Deployment Toolkit / SCCM

  1. Copy the script into your deploymentshare\scripts
  2. In task sequence, add “run command line”
  3. In the command line, add Cscript.exe %SCRIPTROOT%\AddGroup.vbs Group1 Group2 Group3
  4. Run it with an account that has the necessary permissions to add members to the AD group


Script: AddGroup.wsf

Const ADS_PROPERTY_APPEND = 3

'----Get Computer DN------
' ADSystemInfo returns the distinguished name of the local computer account.
Set objADSysInfo = CreateObject("ADSystemInfo")
ComputerDN = objADSysInfo.ComputerName
strComputerDN = "LDAP://" & ComputerDN
Set objADSysInfo = Nothing

'----Connect AD-----
' Search from the root of the computer's own domain through the ADSI OLE DB provider.
Set oRoot = GetObject("LDAP://rootDSE")
strDomainPath = oRoot.Get("defaultNamingContext")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

' Every command-line argument is treated as one group name.
Count = WScript.Arguments.Count
For i = 0 To Count - 1
	Group = WScript.Arguments(i)
	Addgroup Group
Next

'----Get Group DN------
' Looks the group up by name and appends the computer to its member attribute.
' GroupName is concatenated into the query as-is; a name containing a single quote breaks the query.
Function Addgroup(GroupName)
	' Note the space before WHERE: without it the keyword runs into the closing quote.
	Set oRs = oConnection.Execute("SELECT adspath FROM 'LDAP://" & strDomainPath & "' " & "WHERE objectCategory='group' AND " & "Name='" & GroupName & "'")
	If Not oRs.EOF Then
		strAdsPath = oRs("adspath")
	End If
	' strAdsPath stays Empty when no group matched, and the function then does nothing.
	If IsEmpty(strAdsPath) = False Then
		Set objGroup = GetObject(strAdsPath)
		Set objComputer = GetObject(strComputerDN)
		' Only write to the group when the computer is not already a member.
		If (objGroup.IsMember(objComputer.AdsPath) = False) Then
			objGroup.PutEx ADS_PROPERTY_APPEND, "member", Array(ComputerDN)
			objGroup.SetInfo
		End If
	End If
End Function
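
The lookup in Addgroup builds its query from the raw command-line argument and stays silent when no group matches. The following is an added example, not part of the script from Microsoft: the same lookup using the ADO LDAP dialect with the group name escaped as an LDAP filter value (RFC 4515), and a non-zero exit code when a group cannot be resolved. The names EscapeLdapFilterValue and FindGroupAdsPath are assumptions made for this example.

```vbscript
Option Explicit
' Added example, not from the original script; function names are hypothetical.
' Escape a value for an LDAP search filter (RFC 4515). ";" is escaped as well
' because it separates the parts of an ADO LDAP-dialect query.
Function EscapeLdapFilterValue(value)
    Dim i, ch, result
    result = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        Select Case ch
            Case "\", "*", "(", ")", ";", Chr(0)
                result = result & "\" & Right("0" & Hex(Asc(ch)), 2)
            Case Else
                result = result & ch
        End Select
    Next
    EscapeLdapFilterValue = result
End Function

' Return the ADsPath of the named group, or "" when no group matches.
Function FindGroupAdsPath(connection, domainPath, groupName)
    Dim command, records
    Set command = CreateObject("ADODB.Command")
    Set command.ActiveConnection = connection
    command.CommandText = "<LDAP://" & domainPath & ">;" & _
        "(&(objectCategory=group)(name=" & EscapeLdapFilterValue(groupName) & "));" & _
        "adspath;subtree"
    Set records = command.Execute
    FindGroupAdsPath = ""
    If Not records.EOF Then FindGroupAdsPath = records.Fields("adspath").Value
End Function

Dim root, conn, domainPath, n, path, missing
Set root = GetObject("LDAP://rootDSE")
domainPath = root.Get("defaultNamingContext")
Set conn = CreateObject("ADODB.Connection")
conn.Provider = "ADsDSOObject"
conn.Open "Active Directory Provider"
missing = 0
For n = 0 To WScript.Arguments.Count - 1
    path = FindGroupAdsPath(conn, domainPath, WScript.Arguments(n))
    If path = "" Then
        WScript.Echo "Group not found: " & WScript.Arguments(n)
        missing = missing + 1
    Else
        WScript.Echo "Resolved: " & path
    End If
Next
WScript.Quit missing   ' exit code = number of unresolved group names
```

Run it with cscript.exe on a domain-joined computer; it only resolves groups and does not change membership.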

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certification, I also have an ITIL v3 Foundation certification. This is my private blog and does not represent my employer. I use this to share information that I find useful. Sharing is caring.

One thought to “Add Computer to AD Group Script”

  1. Hi there, I can’t get this script to work under MDT 2013 Update 2. My Run Command Line in TS looks like this: cscript.exe %SCRIPTROOT%addgroup.vbs Direct Access, with “Run this step as the following account” and “Load user’s profile” checked. No errors are produced during deploy. Same if I try to run it manually.
