DeployHappiness | Category Archives: MDT

Duplicating Computer Group Membership and Moving a Computer to a New OU with PowerShell

Posted on February 25, 2019 by Joseph Moody

Here is a script that has turned out to be used a lot more often than I thought it would!

It copies group membership and OU location from an existing computer to a new computer. It can also delete the existing computer from AD. For us, it is mainly used when replacing a physical computer and makes the process a lot quicker after imaging completes.

Simply run the script, enter an old/source computer name, and enter a new computer name. No other configuration should be needed.

Import-Module ActiveDirectory

write-output "This script is only used on a single existing domain joined computer."
write-output "This script copies group membership between two computers. It can also move a new computer into the OU of another computer and delete an old computer account."
write-output ""

$SourceComputerInput = read-host "What is the source computer? (This computer is in groups already.)"
$DestinationComputerInput = read-host "What is the destination computer? (This computer needs to be added to groups.)"

$DestinationComputer = Get-ADComputer -Identity $DestinationComputerInput -Properties CanonicalName
$DestinationComputerCN = $DestinationComputer.CanonicalName

#Format CN and DN values for AD parameters
$InitialCN = (Get-ADComputer $SourceComputerInput -Properties CanonicalName).CanonicalName -Split ("/")
$ParentOU = $InitialCN&#91;0..$($InitialCN.Count - 2)] -Join "/"
$InitialDN = Get-ADComputer $SourceComputerInput -Properties DistinguishedName
$SourceComputer = Get-ADComputer $SourceComputerInput 
$SourceComputerOUasDN = ($InitialDN.distinguishedname) -replace ('^.*?,')

write-output ""
write-output "The source computer, $SourceComputerInput , is in $ParentOU"
write-output ""
$MoveComputer = Read-Host "Would you like to move the destination computer, $DestinationComputerInput , to $ParentOU ? Type Yes to move and press enter"


write-output ""
$DeleteSourceComputer = Read-Host "Would you like to delete the source computer account from AD? Type Yes to delete the source computer account."

$Groups = @()
$Groups = Get-ADComputer $SourceComputer -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Sort-Object

write-output ""
write-output "The source computer, $SourceComputerInput , is in the following groups:"
Write-Output $Groups
write-output ""

write-output "The destination computer, $DestinationComputerInput , will be added to the groups listed above."
Pause

Foreach ($Group in $Groups) {
    Add-ADGroupMember $Group $DestinationComputer -ErrorAction SilentlyContinue 
}
    If ($? -eq $true) {
        write-output "Group membership has been copied successfully."
    }

if ($MoveComputer -eq "Yes"){
    Move-ADObject -Identity $DestinationComputer.DistinguishedName -TargetPath "$SourceComputerOUasDN"
}
    If ($? -eq $true -and $MoveComputer -eq "Yes") {
        write-output "$DestinationComputerInput has been moved to $ParentOU."
    }

if ($DeleteSourceComputer -eq "Yes"){
    $SourceComputerAD = Get-ADComputer $SourceComputer |select -ExpandProperty SamAccountName
    if (($SourceComputerAD).count -eq 1){
        Remove-ADComputer -Identity $SourceComputerAD -Confirm:$false

        if ($? -eq $True){
            write-output "The Source Computer account has been deleted from AD"
        }
    }
}

Import-Module ActiveDirectory

write-output "This script is only used on a single existing domain joined computer."

write-output "This script copies group membership between two computers. It can also move a new computer into the OU of another computer and delete an old computer account."

write-output ""

$SourceComputerInput = read-host "What is the source computer? (This computer is in groups already.)"

$DestinationComputerInput = read-host "What is the destination computer? (This computer needs to be added to groups.)"

$DestinationComputer = Get-ADComputer -Identity $DestinationComputerInput -Properties CanonicalName

$DestinationComputerCN = $DestinationComputer.CanonicalName

#Format CN and DN values for AD parameters

$InitialCN = (Get-ADComputer $SourceComputerInput -Properties CanonicalName).CanonicalName -Split ("/")

$ParentOU = $InitialCN[0..$($InitialCN.Count - 2)] -Join "/"

$InitialDN = Get-ADComputer $SourceComputerInput -Properties DistinguishedName

$SourceComputer = Get-ADComputer $SourceComputerInput

$SourceComputerOUasDN = ($InitialDN.distinguishedname) -replace ('^.*?,')

write-output ""

write-output "The source computer, $SourceComputerInput , is in $ParentOU"

write-output ""

$MoveComputer = Read-Host "Would you like to move the destination computer, $DestinationComputerInput , to $ParentOU ? Type Yes to move and press enter"

write-output ""

$DeleteSourceComputer = Read-Host "Would you like to delete the source computer account from AD? Type Yes to delete the source computer account."

$Groups = @()

$Groups = Get-ADComputer $SourceComputer -Properties MemberOf | Select-Object -ExpandProperty MemberOf | Sort-Object

write-output ""

write-output "The source computer, $SourceComputerInput , is in the following groups:"

Write-Output $Groups

write-output ""

write-output "The destination computer, $DestinationComputerInput , will be added to the groups listed above."

Pause

Foreach ($Group in $Groups) {

Add-ADGroupMember $Group $DestinationComputer -ErrorAction SilentlyContinue

}

If ($? -eq $true) {

write-output "Group membership has been copied successfully."

}

if ($MoveComputer -eq "Yes"){

Move-ADObject -Identity $DestinationComputer.DistinguishedName -TargetPath "$SourceComputerOUasDN"

}

If ($? -eq $true -and $MoveComputer -eq "Yes") {

write-output "$DestinationComputerInput has been moved to $ParentOU."

}

if ($DeleteSourceComputer -eq "Yes"){

$SourceComputerAD = Get-ADComputer $SourceComputer |select -ExpandProperty SamAccountName

if (($SourceComputerAD).count -eq 1){

Remove-ADComputer -Identity $SourceComputerAD -Confirm:$false

if ($? -eq $True){

write-output "The Source Computer account has been deleted from AD"

}

A Universal Naming Scheme for Your Devices

Posted on February 18, 2019 by Joseph Moody

What makes a good naming scheme? It should be easy to use by both you and your users. It should generate unique names that are memorable and manageable. Finally, it should be flexible enough to solve multiple problems without needing updates often.

After seeing a recent question, I wanted to share a naming scheme that I’ve used. While nothing magical, it does fit each of the criteria from above and can be used as a starting point for all of your devices. This includes networked printers, projectors, babies, access points, displays, and more.

The real beauty is when you can walk into a room and know how to connect to nearly any device in the room. Need to mirror a display to that networked projector, or connect to a printer? Easy! Just follow a naming convention like this:

Site-RoomNumber/Name-(DevicePrefix)(DeviceNumber)

There is nothing radical here; the main thing is applying a consistent name across all of your networked devices. Let’s break down each component in this naming scheme and build a name along the way.

Site

A shortcode for each physical location. 2-4 characters long. Ideally, known by end users as well. If you prefer a logical organization or are just one site, this might be left off.

EX: GA

Separator

Use a dash between some components in the name. These show up if hyperlinks are ever needed (where some people overlook an underscore) and provide an easy way to sort data containing names as you have a built-in separator.

EX: GA-

RoomNumber/AbbreviatedName

Describes the exact room of the device. Due to legacy systems (mainly 15 character computer name lengths), keep any abbreviated names short. For sorting, be sure to place leading zeros in front of room numbers. If you have a hundred rooms, start the first room with 001 instead of just 1.

EX: GA-108-

Device Prefix

This tells you what the device is and allow you to find it just by name. One or two characters in length are perfect. Here is a table that can be used as an example:

NT	Node/Computer for teacher/admin
LT	Laptop for teacher/admin
NS	Node/Computer for student/general use
LS	Laptop for student/general use
PR	Printer, 3DPrinter, Copier, etc.
DP	Interactive Display, Touch Panel, etc.
PJ	Projector, short throw projector
SW	Switch, Mini-switch, router, etc.
AP	Access Point, Wireless
CA	Camera, IP Camera, etc.
TP	Telephone, VOIP handset, etc.

The device prefix allows every device in a room to have a unique name in DNS. It also solves a secondary problem for us. Our state requires an annual inventory of certain device types. We have to report the number of staff desktop, student desktops, staff laptops, student laptops, etc. A quick PowerShell query can tell us our device counts by use and location!

EX: GA-108-NS

Device Number

Finally, we have the number of devices in that room. Like our previous room number, be sure to add leading zeros. In most cases, this will just be a 2 digit number (01-99).

EX: GA-108-NS01

The final example tells us that this device is located at the GA location in room 108 and it is the first student computer that you come to in the room.

Final Thoughts on Naming

With a unified and universal naming convention, you can simplify management and make resources easier to access. PowerShell and other tools can make remotely naming devices a breeze while providing automatic checks on devices out of standard.

Finally, don’t get too caught up with creating a perfect naming scheme. Make a list of your sites, a list of rooms in those sites, and play with device prefixes. The most important thing is to find what works for your organization, to make it consistent, and to do the work of implementing it!

Let me know your naming convention, tricks for managing device names and how you make this process easier for your organization in the comments below.

Giveaway – Stealing with Pride, Vol. 1: Advanced OSD Customizations for MDT 2013 and ConfigMgr 2012 R2

Posted on December 20, 2014 by Joseph Moody

DeployHappiness just hit 1000 subscribers! To celebrate, all-around genius and deployment guru Johan Arwidmark has donated a copy of his latest book to one reader of this blog!

Stealing with Pride, Vol. 1: Advanced OSD Customizations for MDT 2013 and ConfigMgr 2012 R2 is the ultimate guide for customizing your environment and taking your OS deployment to a whole new level! It includes detailed instructions on numerous customizations and scripts that you can immediately use.

It makes the perfect companion to his previous book, Deployment Fundamentals, Vol. 5. This great resource includes step-by-step guides on setting up a completely automated deployment solution with MDT 2013.

But enough talking – let’s get to the giveaway:

Prize: A copy of Stealing with Pride, Vol. 1: Advanced OSD Customizations for MDT 2013 and ConfigMgr 2012 R2

How to Enter: Leave a short comment on this post related to OS deployment. Describe how you currently deploy, how you would like to deploy, an issue you have, etc. When submitting your comment, be sure to include your name and email. If you win, I need a way to contact you!

A random email will be selected (by using PowerShell) on Jan 6th 2015. The winning person will be contacted by email – their name will be added to this post.

And the Winner is: Brian Gladfelter (Tennessee, USA). Thanks to everyone who entered and a huge thank you to Johan for the book donation.

Automating Display Resolution Configuration in MDT

Posted on December 11, 2014 by Kyle Beckman

This is a guest post by Kyle Beckman of Trekker.net. Kyle works as a systems administrator in Higher Education near Atlanta, GA.

Whenever I’m deploying Operating Systems to computers using the Microsoft Deployment Toolkit (MDT), I always try to automate everything that can be automated. Any time I have to do something by hand, I’m using my time (that could possibly be spent on other things) and introducing the potential for human error.

Automatically Configure Screen Resolution

One of the quickest, easiest things you can automate in MDT is configuring screen resolution. By default, MDT automatically uses 1024×768 as the screen resolution for deployments. How many devices do you have that actually need that low of a screen resolution? I checked… I don’t have any physical devices that use a resolution that low.

To configure this setting during OS deployment, we can use the XResolution and YResolution settings in the CustomSettings.ini file located in $YourDeploymentShare\Control\CustomSettings.ini. Rather than setting these to typical screen resolutions, we can set them both to “1” so that Windows detects the screen resolution of the computer:

[Settings]

Priority=Default 

[Default] 

XResolution=1 
YResolution=1

[Settings]

Priority=Default

[Default]

XResolution=1

YResolution=1

Windows Experience Index

If you’re still deploying Windows 7 (and most of us still are), you also have to deal with Windows Aero and the Windows Experience Index. Most systems default to the Windows 7 Basic Theme at OS deploy time and need the Windows System Assessment to generate the Experience Index to enable Aero and the “glass” theme most people are used to using in Windows 7.

Fortunately, there’s a command line utility, winsat.exe, that we can use to run the Windows System Assessment during OS deploy time. I’ve tried running the “winsat formal” command several different ways; but, I’ve found that just using a simple batch file seems to consistently work the best for me.

First, we’ll need to create a text file named Generate_Windows_Experience_Index.bat with the following in it:

echo off winsat formal exit 0

Next, add this batch file as an application on your MDT server (hopefully you’ve done that before!). I also like to set the “Hide this application in the Deployment Wizard” since we’re going to have it run automatically when the OS deployment process runs.

Go to your Windows 7 Task Sequence and edit the Properties. Next, go to the State Restore section. Click Add > General > Install Application to add the script to the Task Sequence. Change the name field and set the “Install a single application” option. Click Browse and choose the Generate Windows Experience Index script application that you just created. Use the Up and Down buttons to place the application after the “Install Applications” task or in the “Custom Tasks” folder. When you’re done, it should look something like this:

During your Windows 7 Task Sequence, you should see a Command Prompt open and run the Windows System Assessment Tool to generate the Windows Experience Index:

If we check the Computer Properties after the OS deploy finishes, we should have a fully generated Windows Experience Index:

How to Remotely PXE Boot a Computer

Posted on June 3, 2014 by Joseph Moody

You have your MDT task sequence perfected! All of your machines are configured in the MDT database. When you boot a machine into MDT, it looks up its name and images without any prompts. If only you didn’t have to physically PXE boot the computer! If only you had a way to remotely PXE boot a computer…

Rethinking a PXE Boot

Your goal isn’t to PXE boot a computer; your goal is to set the onboard-NIC as the primary boot device. That small difference is so important! When a machine is online, changing the boot order this way will allow it to boot into a MDT task sequence the next time it starts up. This post will focus on remotely PXE booting a Dell computer. This same concept can be applied to any make/model that allows you to edit the boot order.

Your first step is to build a BIOS settings package that sets the onboard-NIC as the primary boot device. If you haven’t made a BIOS package yet, this guide covers the steps in detail. Download and install the Dell Client Configuration Toolkit. The download can be found here.

Launch the Client Configuration Toolkit, select Create Package, and choose Multi-Platform file. In the boot management section, double click on bootorder. Select View/Change – Edit – Add Device. Your first device should be the embedded NIC with a Device Instance of 0. The second device should be the Hard Disk with a Device Instance of 1.

Save the boot order and export the configuration as an EXE. If your machines contain a BIOS password, specify it now. Copy this EXE to a network share.

Running a Batch File Remotely

Now we need to create a batch file to execute this package on remote machines. We will be using the PSTools suite. A download can be found under the Desktop Management section here.

Copy the psexec and psshutdown tools to the root pf your local profile. Create a new batch file in the same folder. Paste in the following:

xcopy "\\SERVER\SHARE\Dell\forcepxe.exe" "\\%1\\C$\Users\Public\"
psexec \\%1 -u DOMAIN\USERNAME-p PASSWORD -h "C:\Users\Public\forcepxe.exe"

psshutdown.exe -r -t 60-c -m "This computer has been scheduled for a remote image. If you would like to delay this process, please select cancel" \\%1

pause

xcopy "\\SERVER\SHARE\Dell\forcepxe.exe" "\\%1\\C$\Users\Public\"

psexec \\%1 -u DOMAIN\USERNAME-p PASSWORD -h "C:\Users\Public\forcepxe.exe"

psshutdown.exe -r -t 60-c -m "This computer has been scheduled for a remote image. If you would like to delay this process, please select cancel" \\%1

pause

You will need to edit the xcopy path to point to your BIOS settings EXE. You will also need to specify credentials for the psexec line. The user specified needs to be an admin on the remote machine. You can now run this script from the run box. I named my batch file forcepxe.bat. By pressing WIN + R, I can simply type forcepxe REMOTECOMPUTERNAME to run this script.

Remotely PXE Network Boot a Computer

In the script output, you should see that the BIOS package successfully copied and executed on the remote machine. The machine will pause for 60 seconds to allow a user to cancel the reboot. After a minute, it will restart and boot off of the NIC! Pretty awesome right? One problem though – we are now stuck in an endless loop. The machine will install the OS and reboot back into a MDT task sequence. On the bright side, you don’t need deepfreeze anymore. 🙂

In our next post, we will edit our task sequence to prevent this endless loop by changing the boot sequence in Windows PE. Do you have another way of PXE booting a remote machine? What hurdles prevent you from getting to a Zero Touch image?