Tag Archives: active directory

Powershell: Create SCCM 2012 Collections Based on Active Directory Security Group

This script will significantly decrease the length of time taken to create device collections in SCCM. I created this script for a college where I deployed SCCM 2012, it allowed the college to mass create the device collections required for their environment.

First of all we will need to import the SCCM Powershell Module as shown below.
Note the SMSSITECODE variable will be your 3 letter SCCM Site Code and the location of the Module will need to match the installation path of SCCM.

Import-Module "C:\Program Files\Microsoft Configuration Manager\AdminConsole\bin\ConfigurationManager.psd1" -Verbose
cd SMSSITECODE:

There are two parts to this script, the first is the command to create the new device collection (New-CMDeviceCollection) with its given parameters. The second is to add a query membership rule which will specify how the collection is populated (Add-CMDeviceCollectionQueryMembershipRule)

The RefreshType parameter in the example has been set to ‘Both’, this ensures the device collection is populated on the schedule which has been specified and it also uses the Incremental Updates setting of SCCM 2012 to ensure newly added devices in between the schedule are also added. The alternative options for this are ‘ConstantUpdate’, ‘Periodic’ or ‘Manual’.

The script below requires the following parameters in order to run:

  • Schedule Date: In the format of DD/MM/YYYY H:MM AM/PM
  • Schedule Day: Day of the week schedule will begin
  • Limiting Collection
  • Collection Name
  • Security Group Name: In the format of DOMAIN\\SecurityGroupName
#**************************************************************************
#      THE FOLLOWING SCRIPT WILL CREATE A COLLECTION BASED ON AN
#      ACTIVE DIRECTORY SECURITY GROUP
#**************************************************************************
#
#*******************PARAMETERS**********************#
#
#ENTER COLLECTION SCHEDULE DATE#
$ScheduleDate = "16/10/2014 9:00 PM"
$ScheduleDay = "Thursday"
#
$Schedule1 = New-CMSchedule -Start $ScheduleDate -DayOfWeek $ScheduleDay -RecurCount 1
$LimitingCollection = 'All Systems'
#
#ENTER NAME OF COLLECTION#
$CollectionName = "COLLECTION_NAME"
#
#ENTER NAME OF ACTIVE DIRECTORY SECURITY GROUP#
$SecurityGroupName = "DOMAIN\\SECURITY GROUP NAME"
#
#***********END PARAMETERS*********************
#
#*****DO NOT EDIT THE FOLLOWING SECTIONS********
#
#***NAME OF QUERY RULE WILL MATCH COLLECTION NAME#
#
$QueryRuleName = $CollectionName

$SecurityGroupQuery = "select *  from  SMS_R_System where SMS_R_System.SystemGroupName = '$SecurityGroupName' "

New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName $LimitingCollection -RefreshSchedule $Schedule1 -RefreshType Both

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName -QueryExpression $SecurityGroupQuery -RuleName $QueryRuleName

I am working on an improvement to this script, which will allow you to choose from multiple queries to form the membership rule. Once complete I will post the complete script up on here.

Powershell: Active Directory – Set Change Password at Logon for all Users

When faced with a situation where you have an OU full of users who need to be forced to change password at logon your first option may instinctively be the GUI – Active Directory Users and Computer. This may seem a lot easier than powershell as you only need to highlight all the users, select properties and set the checkbox and there you have it.

However, if you needed to reverse the situation, you are not able to use the same procedure to select the checkbox for all users. This is where powershell saves the day. Here are the steps you need to take:

First things first, Launch a Powershell Window with the Active Directory module

Next, we need to get a list of Active Directory users that match our parameters, for this we will use the Get-ADUser cmdlet with a filter for all users in the OU called Users in my domain.

Get-ADUser -Filter * -SearchBase "OU=Users,DC=justinfra,DC=co,DC=uk

The next step would be to use the | (pipe key) to pipe the results from that search and set the properties for each user account. A quick reference from TechNet Library for the Get-ADUser cmdlet will list -changepasswordatlogon as an available parameter. So we would need to use a foreach-object command to set this property. Here is the full powershell command:

Get-ADUser -Filter * -SearchBase "OU=Users,DC=justinfrastructure,DC=co,DC=uk" | foreach-object {set-aduser $_.SamAccountName -changepasswordatlogon 0 }