LTI/ZTI Scripting: Add computer to an AD Group

I’m currently doing some intense SCCM 2012 training so I’ve not been posting or in the forums recently. I’ve still been responding to emails though.

I received an email from a reader earlier this week. He wanted to add the current computer to an AD security group during his deployment.

It turns out that I wrote such a script a few weeks earlier. It’s in the repository here.

The script will add the current computer to an AD Group that is set in the customsettings.ini

The script is then run in a task sequence with the command line:

cscript.exe “%SCRIPTROOT%\ZTIAddMember.wsf

The code below is a sample of the customsettings.ini changes.

Properties=CustomProperty, ADGroup 

ADGroup = LDAP://CN=IT Computers,OU=Groups,DC=corp,DC=continuum,DC=com

The code is “As is”. No refunds!

About Andrew Barnes

A Scripting and Deployment Specialist.
This entry was posted in MDT 2010, MDT 2012, SCCM, Scripting and tagged , , , , . Bookmark the permalink.

24 Responses to LTI/ZTI Scripting: Add computer to an AD Group

  1. Mike says:

    Another less elegant alternative is to do add AD Groups via script as applications that you can check/uncheck as needed. The only catch with my ancient VB method (which is almost identical to what Andrew did above) is that you’d need to run the AD joining script under credentials that can do the work in AD, so it’s actually 2 scripts….a basic RunAs script, and the AD joining piece.

    Script 1:
    Script 2:

    The advantage is the ability to add groups the same way you add applications, if you require such granular control.


    • Matt says:

      Hi Mike,
      Do you have a step by step guide for this for me to follow?


      • Mike says:

        1. Create an app that points to the following:
        wscript “\\computer\[full path goes here]\RunAs.vbs”

        2. Edit that runas.vbs to point to the location of the JoinToGComputer.vbs (they can be in the same folder) and edit the credentials in that script to add an account that has the ability to add/edit items in AD and has NTFS Security for the folder the script is stored in.

        3. Youre done.


      • Matt says:

        Thanks Mike,
        I cannot get this to work. The runas piece appears to work but the machine does not add to the Security Group. Does this script allow adding to a security group?


      • Matt says:

        The script works great when logging in as a DA on the machine directly running the JoinTOGComputer.vbs…


      • Mike says:

        It sounds like the domain credentials that you’re passing to MDT overall might be different. Make sure any sort of credentials you’re using in the script AND in MDT have domain privileges and try it again.


      • Matt says:

        Think I am getting closer Mike, closest yet so many thanks so far.
        The application according to BDD.log successfully installs. (RunAs.vbs) in the MDT TS.
        When Windows completes the install there is a command prompt on the desktop with the username details awaiting the password.
        It appears if I add the password in manually then press enter the computer is added to the security group.
        I presumed this would do this?
        WScript.Sleep 1000
        WshShell.SendKeys “my_password_for_user_in_cmd_prompt”
        WScript.Sleep 1000
        WshShell.SendKeys “{ENTER}”

        Am I missing something?


      • Matt says:

        I have been reading up on WshShell.Sendkeys and appears there are problems with Windows 7, could this be the reason and if so are there alternatives?


    • Matt says:

      I have got this working now. Please feel free to delete these posts of mine Andrew as it has spread 🙂
      Mike – thanks once again!


      • Mike says:

        I’m glad you were able to get it working. It isn’t a perfect solution, but it does the job once you get it working.


  2. Reblogged this on and commented:
    Andrew Barnes once again posting another useful script. If you don’t read this guy regularly, you should. He’s up there with Brother Johan, a real genius.


  3. courtney says:

    I am trying to deploy .Net 4.0 via MDT but the install keeps hanging. Any Help?


    • That would be an application deployment issue. Try to get it to work in a run dialogue box in windows. If that works then it will work in the task sequence. Google .net silent install for switches etc.


    • Mike says:

      I personally ran into issues if the .NET 4.0 installer couldn’t get out to the internet, even though it was the fully downloaded redistributable. If it doesn’t matter much, consider trying this out with .NET 4.5 instead and you’ll skip a bunch of nasty patches that take forever to apply with 4.0

      If you must use 4.0, consider integrating it into the image manually.


  4. noblereach says:

    Do I place this right after “recover from domain” ?


  5. Hi Andrew,
    How would I get this to work if I have two security groups.
    Example: On x64 machines the computer must be added to a x64 security group and another x86 computer to a x86 security group?
    I am running two task sequences under the same deployment share.


  6. Matt says:

    This is not working for me? Can we have pictures of the entire process?


  7. Matt says:

    Does this work in 2012 U1 Andrew or are changes required?


  8. Matt says:

    Hi Andrew.
    Hi All,

    I am after some clarification to a problem I am experiencing with your script. It does not work in MDT2012 U1 (or it doesn’t for me anyway)

    Is there anything that has not been done below that should be considered?

    Appreciate any assistance.

    Process followed:

    I downloaded the ZTIAddMember.wsf and placed into the deployment share under scripts folder.

    I have created a new command line instance within a Task Sequence within MDT.

    I have called the instance Add to Group.

    The command cscript.exe “%SCRIPTROOT%\ZTIAddMember.wsf” has been added to ‘Command Line’ line

    The Start in: is left empty.

    I have enabled ‘Run this step under the following account’ with an account that has permissions to add to the security group.

    Next step: I have opened the customsettings.ini file for this task and added ADGroup next to properties i.e. Properties=MyCustomProperty, ADGroup

    Next step: I have opened the customsettings.ini file for this task and added..

    ADGroup = LDAP://CN=Windows 7 – Group,OU=Subscription Groups,DC=,DC=uk

    I then updated the deployment share.

    What would I expect? MDT to deploy Windows, Add to the domain (it does) then add the computer account to this security group (it does not).


    • Hi Matt,

      The above code is just a sample, not a complete working solution. For one thing, it has no error handling.

      Follow this page for an example on how to add error handling to the code:

      Also, let me know if you want your money back. 😉

      Liked by 1 person

      • Matt says:

        Haha thanks Andrew.
        At this point in time scripting makes very little sense to me.
        Is there a full working solution out there? Non scripters find the work by you and alike very helpful.
        I have searched for a number of solutions without success.
        Many thanks,


      • Sorry Matt, You would need to take the time to customise such a solution yourself or engage with a scripting resource within you own enterprise. Scripting is not that hard (if I can do it). There’s tons and tonnes of resources available out there.

        If you want to learn scripting then make a start following the guides here and if you get stuck then post a question in the scripting guys forum.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s