Create Device Collections From Active Directory OUs with PowerShell

I was setting up a Config Manager environment for a client who is situated in roughly 40 locations. Each location had an Organizational Unit (OU) in Active Directory (AD), and within that OU were… even more OUs! This was understandable, as each location had many different rooms for many different purposes, and so these were organised via separate OUs.

Bearing in mind that 40 locations had many OUs, and that I needed to create a device collection housing all the corresponding devices for each of these, I had to turn to my good friend PowerShell, as there was no chance I was creating 400+ device collections manually! As a result I created this script.

Although it is fairly well documented within the script (if I do say so myself), I will run you through it in a bit more detail. Below you can see an example usage of this script.

For example, let’s pretend we have an AD OU structure a little something like this:

JACKO.local > JACKO > Internal IT > Workstations

Under Workstations, imagine we had the following OUs:

  • Meeting Room 1
  • Meeting Room 2
  • Office Ground
  • Office Second
  • Main Office
  • IT Office

Now picture each of these OUs having multiple devices, and we need to create a device collection for each of them and add the devices within them to that collection. If there are only 6 like above then it’s an easy job and you might consider doing this manually at first; however, if there are 50… you might not.

This is where the script comes into play. It is simple to use, although it may look daunting at first. There are a few questions you should ask first:

  1. What do I want the limiting collection of all of these new collections to be?
  2. Are there any OUs I do NOT want to create a collection for?
  3. Do I want to only add the machines that are currently in the OUs to the collection or do I want to also add any devices that are added in the future to the OU?
  4. Do I want these device collections to be in a folder within Config Manager?
  5. Finally, do I want to identify these collections with a tag?

Question #1 corresponds to the “LimitingCollection” parameter, simply pass the name of the desired limiting collection.

Question #2 corresponds to the “ExcludedOUs” parameter, pass a comma-separated list of any OU names you do NOT wish to make a collection for.

Question #3 corresponds to the “MembershipRule” parameter, pass “Query” if you want to add all current AND future devices. Pass “Direct” if you only want to add current devices, but avoid adding any new devices added to the AD OU.

Question #4 is based on the “CollectionFolder” param; just pass the path of that folder, e.g. “Operational” or “Operational\Workstations”.

Question #5 relates to the “Tag” param. By default all these collections will be created with a name like:

OU Based | $CollectionName

as we believe that you should differentiate your collections and label the ones built from OUs. If you use a tag then the name will change slightly to:

OU Based | $Tag | $CollectionName

Tags are useful for separate sites and also avoid duplicate collection names across sites.

Last but not least, the most important parameter is the “OUSearchBase” param, which is the distinguished name of the OU that parents all of the other OUs you wish to make device collections based off. In our example we would use the value

“OU=Workstations,OU=Internal IT,OU=JACKO,DC=JACKO,DC=LOCAL”

This would loop through all OUs that are children of “Workstations” and create a device collection for each, automating all that hard work so you can sit back, relax, and have a coffee.
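To show how the parameters above fit together, here is an added example function of my own (not the original script) that walks the child OUs of OUSearchBase and creates one collection per OU using the naming convention described. It assumes the ActiveDirectory and ConfigurationManager modules are loaded and that the current location is the site drive; the WQL rule relies on the SMS_R_System.SystemOUName attribute holding the canonical OU path.

```powershell
# Added example, not the author's script. Requires the ActiveDirectory and
# ConfigurationManager modules, with the current location set to the site drive.
function New-OUDeviceCollection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OUSearchBase,        # "OU=Workstations,OU=Internal IT,OU=JACKO,DC=JACKO,DC=LOCAL"
        [Parameter(Mandatory)][string]$LimitingCollection,  # e.g. "All Systems"
        [string[]]$ExcludedOUs = @(),                       # OU names to skip
        [ValidateSet('Query', 'Direct')][string]$MembershipRule = 'Query',
        [string]$CollectionFolder,                          # e.g. "Operational\Workstations"
        [string]$Tag,                                       # optional site tag for the name
        [string]$SiteCode = (Get-CMSite).SiteCode
    )
    # OneLevel: only the immediate child OUs of the search base. CanonicalName is needed for the WQL rule.
    $ous = Get-ADOrganizationalUnit -SearchBase $OUSearchBase -SearchScope OneLevel -Filter * -Properties CanonicalName
    foreach ($ou in $ous) {
        if ($ExcludedOUs -contains $ou.Name) { Write-Verbose "Skipping excluded OU $($ou.Name)"; continue }
        $name = if ($Tag) { "OU Based | $Tag | $($ou.Name)" } else { "OU Based | $($ou.Name)" }
        # Idempotent: re-running the script must not try to create duplicates
        if (Get-CMDeviceCollection -Name $name) { Write-Warning "Collection '$name' already exists, skipping"; continue }
        if (-not $PSCmdlet.ShouldProcess($name, 'Create device collection')) { continue }
        $collection = New-CMDeviceCollection -Name $name -LimitingCollectionName $LimitingCollection
        if ($MembershipRule -eq 'Query') {
            # SystemOUName stores the canonical path (DOMAIN.LOCAL/OU/...) in upper case,
            # so a query rule also picks up devices moved into the OU in the future.
            $wql = "select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name," +
                   "SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client " +
                   "from SMS_R_System where SMS_R_System.SystemOUName = `"$($ou.CanonicalName.ToUpper())`""
            Add-CMDeviceCollectionQueryMembershipRule -CollectionName $name -RuleName "OU $($ou.Name)" -QueryExpression $wql
        }
        else {
            # Direct rules are a snapshot: only computers in the OU right now get added
            foreach ($computer in Get-ADComputer -SearchBase $ou.DistinguishedName -Filter *) {
                $device = Get-CMDevice -Name $computer.Name
                if ($device) { Add-CMDeviceCollectionDirectMembershipRule -CollectionName $name -ResourceId $device.ResourceID }
                else { Write-Warning "$($computer.Name) has no ConfigMgr record; not added to '$name'" }
            }
        }
        if ($CollectionFolder) {
            Move-CMObject -FolderPath "$($SiteCode):\DeviceCollection\$CollectionFolder" -InputObject $collection
        }
    }
}

# Example for the OU structure above (constructed values):
New-OUDeviceCollection -OUSearchBase 'OU=Workstations,OU=Internal IT,OU=JACKO,DC=JACKO,DC=LOCAL' `
    -LimitingCollection 'All Systems' -ExcludedOUs 'IT Office' -MembershipRule Query `
    -CollectionFolder 'Operational\Workstations' -Tag 'HQ' -WhatIf
```

Run with -WhatIf first, as shown, to list the collections that would be created before touching the site.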
