PowerShell – How to add security group to a computer using PowerShell

active-directory powershell

I hope I can explain myself well 🙂

I'm trying to create a script that will allow me to create an AD computer name in a specific OU, and then add a security group to this computer, under the "security" tab, so only a few people would be able to add this computer into the domain. The problem is I only manage to add the computer to a group, and not to give the group permissions over it.

Where it says "insert path here" I put the AD path, but I can't write it here, because it's classified.

The script:

Import-Module ActiveDirectory
New-ADComputer -Name "test1" -SamAccountName "test1" -Path "insert path here"
Add-Acl -Name "test1998" -Path "insert path here"

Any thoughts?

Best Answer

Adding the computer to a group does not grant the group any special permissions to the computer. It would only grant the computer access to items where that group appears in the ACL. To grant access to the computer, you need to modify the ACL of the computer object. The best practice and more common method is to use the delegation of control wizard GUI to grant those permissions to the OU where the computer object resides. You can also delegate to an OU from the command line as described here: Is it possible to add permissions to an Active Directory account using PowerShell?

It sounds like you want to do it individually on a per-computer basis? This is more labor-intensive, and goes against best practices. If you really want to go that way, you can set those permissions via the GUI when you create the account with the "can join this computer" field, or handle it programmatically as described in this post: https://stackoverflow.com/questions/29037519/set-following-user-or-group-can-join-to-domain-permissions-on-computer-object
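The per-computer approach the answer describes, as an added example that is not part of the original question or answer: it creates the computer object, then adds allow entries for the group to the object's own ACL and reads them back. The OU path is a placeholder, and the four rights chosen (reset password, the two validated writes, account restrictions) are an assumption about the minimum set needed to join a pre-created computer account; adjust them to your delegation policy.

```powershell
Import-Module ActiveDirectory

# Placeholders: the names come from the question, the OU path is hypothetical.
$computerName = 'test1'
$groupName    = 'test1998'
$ouPath       = 'OU=ExampleOU,DC=example,DC=com'

# Create the computer object and keep the returned object for its DN.
$computer = New-ADComputer -Name $computerName -SamAccountName $computerName `
                           -Path $ouPath -PassThru
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Schema GUIDs of the rights to delegate on this one object.
$rights = @(
    @{ Right = 'ExtendedRight'               # Reset Password
       Guid  = '00299570-246d-11d0-a768-00aa006e0529' }
    @{ Right = 'Self'                        # Validated write to DNS host name
       Guid  = '72e39547-7b18-11d1-adef-00c04fd8d5cd' }
    @{ Right = 'Self'                        # Validated write to service principal name
       Guid  = 'f3a64788-5306-11d1-a9c5-0000f80367c1' }
    @{ Right = 'ReadProperty, WriteProperty' # Account Restrictions property set
       Guid  = '4c164200-20c0-11d0-a768-00aa006e0529' }
)

# The AD: drive is provided by the ActiveDirectory module.
$adPath = "AD:\$($computer.DistinguishedName)"
$acl    = Get-Acl -Path $adPath

foreach ($r in $rights) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $groupSid,
        [System.DirectoryServices.ActiveDirectoryRights]$r.Right,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$r.Guid)
    $acl.AddAccessRule($ace)
}

Set-Acl -Path $adPath -AclObject $acl

# Read the ACL back and list only the entries held by the group.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The same read-back pipeline, run against existing computer objects, shows which principals already hold these rights, which is useful when reviewing who can join or take over a pre-staged account.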
