IT Consultant Everyday Notes

Just some problems/solutions storage


AD: on-prem “dynamic” security groups

Inspired by Azure AD dynamic groups, I decided to try to do something similar on-prem. In fact, I am planning to deploy baseline GPOs for one of my customers and need security groups on a per-OS (or per-build) basis.

I thought somebody had already done that, but a quick Google search did not bring up a usable solution. I found an article about “shadow groups” that add the members of an OU to a security group, which was pretty close.

Finally, I used this script to populate the pre-created “INV-Windows 10 Education” and “INV-Windows Server 2022 Standard” groups:

Import-Module ActiveDirectory

$oses = ('Windows 10 Education', 'Windows Server 2022 Standard')

foreach ($os in $oses) {
  $group = "Inv-$os"
  # memberOf stores distinguished names, so resolve the group's DN for the LDAP filter
  $groupDn = (Get-ADGroup -Identity $group).DistinguishedName

  # Drop members whose OperatingSystem no longer matches (e.g. after an in-place upgrade)
  Get-ADGroupMember -Identity $group | Get-ADComputer -Properties OperatingSystem -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.OperatingSystem -ne $os) { Remove-ADPrincipalGroupMembership -Identity $_ -MemberOf $group -Confirm:$false } }

  # Add computers running this OS that are not yet members
  Get-ADComputer -LDAPFilter "(!(memberOf=$groupDn))" -Properties OperatingSystem -ErrorAction SilentlyContinue |
    ForEach-Object { if ($_.OperatingSystem -eq $os) { Add-ADPrincipalGroupMembership -Identity $_ -MemberOf $group } }
}

The script also removes obsolete members from the security groups so that the OS upgrade scenario is handled properly (it relies on the information stored in AD, so we can only hope the Windows workstation keeps it up to date).

Certainly, it can be even more granular, down to the build number, using the AD attribute OperatingSystemVersion; for example, 10.0 (19044) means Windows 10 21H2.
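The build-number variant, as an added example that is not the original post's script: it parses OperatingSystemVersion, computes the add/remove sets explicitly, supports a dry run, and refuses to empty a group when the query unexpectedly matches nothing (so an AD hiccup or a typo in the map does not strip every computer out of a GPO target). The build-to-label map is a constructed sample, the INV-* groups are assumed to exist already, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not the original post's script): sync "INV-<label>" groups
# by OperatingSystemVersion build number instead of the OperatingSystem name.
Import-Module ActiveDirectory

# Build number -> label (constructed sample; extend as builds appear in the environment)
$buildMap = @{
    '19044' = 'Windows 10 21H2'
    '19045' = 'Windows 10 22H2'
    '20348' = 'Windows Server 2022'
}

function Get-BuildNumber {
    param([string]$OperatingSystemVersion)
    # AD stores the value as "10.0 (19044)"; pull the number in parentheses.
    if ($OperatingSystemVersion -match '\((\d+)\)') { return $Matches[1] }
    return $null
}

function Sync-BuildGroup {
    param(
        [Parameter(Mandatory)][string]$Build,
        [Parameter(Mandatory)][string]$Label,
        [switch]$WhatIf
    )
    $groupName = "INV-$Label"
    $group = Get-ADGroup -Identity $groupName

    # Desired state: enabled computers whose build matches
    $desired = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystemVersion |
        Where-Object { (Get-BuildNumber $_.OperatingSystemVersion) -eq $Build }
    # Current state: computer objects already in the group
    $current = Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'computer' }

    $toAdd    = @($desired | Where-Object { $_.DistinguishedName -notin @($current).DistinguishedName })
    $toRemove = @($current | Where-Object { $_.DistinguishedName -notin @($desired).DistinguishedName })

    # Guard: never empty a group because the query returned nothing
    if (-not $desired -and $current) {
        Write-Warning "$($groupName): no computers matched build $Build; skipping removals."
        $toRemove = @()
    }

    foreach ($c in $toAdd) {
        Write-Host "ADD    $($c.Name) -> $groupName"
        if (-not $WhatIf) { Add-ADGroupMember -Identity $group -Members $c }
    }
    foreach ($c in $toRemove) {
        Write-Host "REMOVE $($c.Name) <- $groupName"
        if (-not $WhatIf) { Remove-ADGroupMember -Identity $group -Members $c -Confirm:$false }
    }

    [pscustomobject]@{ Group = $groupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Dry run first; drop -WhatIf once the ADD/REMOVE lines look right
foreach ($entry in $buildMap.GetEnumerator()) {
    Sync-BuildGroup -Build $entry.Key -Label $entry.Value -WhatIf
}
```

Running with -WhatIf prints the planned changes without touching AD, which is worth doing before the first unattended run: a wrong label in the map surfaces as a warning and zero removals rather than as an emptied group.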

As soon as the script is ready, we can add it as a scheduled task that runs every few hours.
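One way to register that task, as an added example rather than something from the original post: the script path, task name and the group managed service account CONTOSO\svc-invsync$ are assumed placeholders. The gMSA needs only write-member rights on the INV-* groups, so the task runs without a stored password and without domain-wide privileges.

```powershell
# Added example (not from the original post): register the sync script as a
# scheduled task running under a gMSA. Path and account names are assumptions.
$scriptPath = 'C:\Scripts\Sync-InvGroups.ps1'   # assumed location of the sync script

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy AllSigned -File `"$scriptPath`""

# Start at midnight and repeat every 4 hours indefinitely
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date -RepetitionInterval (New-TimeSpan -Hours 4)

# gMSA: LogonType Password with no password supplied is how the task scheduler consumes a gMSA
$principal = New-ScheduledTaskPrincipal -UserId 'CONTOSO\svc-invsync$' -LogonType Password -RunLevel Limited

# Kill a hung run after 30 minutes and do not start a second copy while one is running
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 30) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName 'AD Inventory Group Sync' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings
```

The gMSA must be installed on the host (Install-ADServiceAccount) and the host must be in the account's PrincipalsAllowedToRetrieveManagedPassword before the task will run; -ExecutionPolicy AllSigned also means the script needs a code-signing signature, which keeps an edited copy from running under the service account.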