09 June 2016 ~ 0 Comments

Seljenje computers objekata u odgovarajući OU

Nadam se da…

… računalne objekte u Active Directory infrastrukturi ne držite u “Computers” OU. Ako da, vrijeme je da promijenite praksu. Jedna od osnovnih preporuka za Active Directory je da se u inicijalnim OU-ovima ne drže objekti organizacije. Dakle, svaki objekt koji se pojavi u OU Computers trebalo bi preseliti u odgovarajući OU. Jedan od načina je da se napravi konfiguracija samog Active Direcotrya da se objekti ne kreiraju u Computers OU već u nekom korisnički definiranom. Nedostatak navedenog je da se onda svi objekti kreiraju na toj lokaciji. A pretpostavljam da nemate iste setove GPO-a (Group Policy) za sve tipove objekata (poslužitelji, desktop, laptop, itd.). Ako je organizacija manja onda ručno seljenje objekata nije problem, međutim u većim organizacijama ručno seljenje objekata zahtijeva puno ručnog posla a repetitavan posao je zamoran i vrlo brzo vodi do greške.

Move-ComputersToOu.ps1

Zbog gore navedenog problema kreirao sam cmdlet (i dodao u Scheduled Tasks) koji radi dvije funkcije:

  • dodaje računalo u grupu (zbog deploya printera GPO-om prema Security filteringu za tu grupu)
  • seli računalni objekt iz OU=Computers u odgovarajući OU (ako naziv računala završava sa “D” onda se seli u OU=Desktops,OU=Workstations, itd)

Kako bi cmdlet ispravno radio, potrebne su manje izmjene

  • ako su u vašoj organizaciji drugačija pravila nazivanja računala potrebno je izmijeniti linije 151, 163 i 175 te varijable na linijama 20, 21 i 22
  • ako nemate potrebe dodavati računalni objekt u grupu komentirajte linije 131 do 148
# Settings
$newLine = [Environment]::NewLine
$scriptName = $MyInvocation.MyCommand.Name
$scriptPath = Split-Path -Parent $MyInvocation.MyCommand.Path
[int]$counter = 1
[int]$counterMax = 1
[int]$percent = 1

# Log settings
$logPath = "D:\Scripts\PowerShell\Logs"
$logDate = Get-Date -Format yyyy-MM-dd-HH-mm
$logName = "$scriptName-$logDate.log"
$logSource = "SBHR-PowerShell"

# Variables
$computers = $null
$computer = $null
$computerName = $null
$computerType = $null
$ouDesktops = "OU=Desktops,OU=Workstations,DC=sberbank,DC=hr"
$ouThins = "OU=Thins,OU=Workstations,DC=sberbank,DC=hr"
$ouLaptops = "OU=Laptops,OU=Workstations,DC=sberbank,DC=hr"

# Save data to log file
function Save-Log([string]$inputText, [switch]$fileLog, [switch]$eventLog)
{
    $logMessage = "$(Get-Date -Format "dd.MM.yyyy HH:mm") - $inputText"

    if($fileLog)
    {
        # Create folder if missing
        if((Test-Path $logPath) -eq $false)
        {
            try
            {
                New-Item -Path $logPath -ItemType Directory -ErrorAction Stop
            }
            catch
            {
                Write-Host "[ERROR] - Failed to create log folder - $logPath" -ForegroundColor Red 
            }#end try
        }#end if

        $logMessage | Out-File "$logPath\$logName" -Append
    }#end if

    if($eventLog)
    {
        # Create Event Log Source
        try
        {
            New-EventLog -LogName Application -Source $logSource -ErrorAction Stop
        }
        catch
        {
            #Write-Host "Error creating Event Log Source - $($Error[0])" -ForegroundColor Red
        }#end try

        $inputText = "$scriptName${NewLine}$inputText"

        if($inputText.ToLower().Contains("info")) # Info
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Information -EventId 26062 -Message $inputText
        }
        elseif($inputText.ToLower().Contains("warning")) # Warning
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Warning -EventId 26063 -Message $inputText
        }
        elseif($inputText.ToLower().Contains("error")) # Error
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Error -EventId 26064 -Message $inputText
        }
        elseif($inputText.ToLower().Contains("start")) # Script start
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Information -EventId 26061 -Message $inputText
        }
        elseif($inputText.ToLower().Contains("end")) # Script ended
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Information -EventId 26065 -Message $inputText
        }
        else
        {
            Write-EventLog -LogName Application -Source $logSource -EntryType Information -EventId 26062 -Message $inputText
        }#end if
    }
}#end function

# Write text to console
function Write-ToConsole ([string]$inputText)
{
    if($inputText.ToLower().Contains("info")) # Info
    {
        Write-Host $inputText -ForegroundColor Green
    }
    elseif($inputText.ToLower().Contains("warning")) # Warning
    {
        Write-Host $inputText -ForegroundColor Yellow
    }
    elseif($inputText.ToLower().Contains("error")) # Error
    {
        Write-Host $inputText -ForegroundColor Red
    }
    else 
    {
        Write-Host $inputText -ForegroundColor Gray
    }#end if
}#end function

Save-Log -inputText "[START] - $scriptName starting" -eventLog

try
{
    $computers = $null
    $computers = Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=sberbank,DC=hr" -ErrorAction Stop
}
catch
{
    $computers = $null
}#end try

if ($computers -ne $null)
{
    foreach($computer in $computers)
    {
        $computerName = $computer.Name

        # Get computer type (last letter, D for desktop, P for portable - laptop) 
        $computerType = $computerName.Substring(($computerName.Length - 1), 1)

        # Add computer to printer deployment group (desktops and laptops)
        if(($computerType -eq "D") -or ($computerType -eq "P"))
        {
            $kod = $computerName.Substring(0, 4)

            $groupName = "HR_GRP_Printers_"
            $groupName += $kod
            $groupName += "xxxL"

            try
            {
                Add-ADGroupMember -Identity $groupName -Members $computer -ErrorAction Stop
                Save-Log -inputText "[INFO] Added $computerName to $groupName group for printer deployment" -eventLog
            }
            catch
            {
                Save-Log -inputText "[WARNING] - Failed to add $computerName to $groupName group for printer deployment" -eventLog
            }#end try
        }#end if

        # Move computer to propper OU
        if($computerType -eq "D")
        {
            try
            {
                Move-ADObject -Identity $computer -TargetPath $ouDesktops -ErrorAction Stop
                Save-Log -inputText "[INFO] - Moved $computerName to $ouDesktops" -eventLog
            }
            catch
            {
                Save-Log -inputText "[WARNING] - Failed to move $computerName to $ouDesktops" -eventLog
            }#end try
        }
        elseif($computerType -eq "P")
        {
            try
            {
                Move-ADObject -Identity $computer -TargetPath $ouLaptops -ErrorAction Stop
                Save-Log -inputText "[INFO] - Moved $computerName to $ouLaptops" -eventLog
            }
            catch
            {
                Save-Log -inputText "[WARNING] - Failed to move $computerName to $ouLaptops" -eventLog
            }#end try
        }
        elseif($computerType -eq "T")
        {
            try
            {
                Move-ADObject -Identity $computer -TargetPath $ouThins -ErrorAction Stop
                Save-Log -inputText "[INFO] - Moved $computerName to $ouThins" -eventLog
            }
            catch
            {
                Save-Log -inputText "[WARNING] - Failed to move $computerName to $ouThins" -eventLog
            }
        }
        else
        {
            Save-Log -inputText "[WARNING] - Cannot move $computerName to propper OU" -eventLog
        }#end if
    }#end foreach
}#end if
Save-Log -inputText "[END] - $scriptName ended sucessfully" -eventLog

Preuzimanje

Cmdlet je dostupan za preuzimanje na:

Tags: , ,

Leave a Reply