
Sometimes it makes sense to remove the “Apply Group Policy” right from the Everyone group and slowly add users from specific groups as a way to roll out the change.

For this example, I want to add the computers of everyone in my bacon-tasters group, and I'd also like to exclude stale machines:

Import-Module ActiveDirectory, GroupPolicy

$GP_NAME = "Workstations - Company Wallpaper"

# Pilot group; each member's SamAccountName is the prefix of their computer name
$group_members = Get-ADGroupMember "CN=bacon-tasters,OU=Standard Groups,DC=chadduffey,DC=local"

# Only computers that have logged on in the last 60 days, so stale machines are skipped
$DaysInactive = 60
$time = (Get-Date).AddDays(-($DaysInactive))
$windows_computers = Get-ADComputer -Filter {((Name -like "*-WIN10") -or (Name -like "*-WINVM")) -and (LastLogonTimeStamp -gt $time)} -Properties WhenChanged

foreach ($user in $group_members)
{
    foreach ($computer in $windows_computers)
    {
        # Naming convention is <SamAccountName>-WIN10 or <SamAccountName>-WINVM
        if ($computer.Name.Split('-')[0] -eq $user.SamAccountName)
        {
            Write-Host "Adding: " $computer.Name
            Set-GPPermission -Name $GP_NAME -TargetName $computer.Name -TargetType Computer -PermissionLevel GpoApply
        }
    }
}
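Before (or after) running the loop above it is worth seeing what it will touch, so here is an added dry-run and audit script, not part of the original post, that reuses the post's GPO name, group DN and computer naming convention. It reports which group members have no active workstation, which computers already hold Apply on the GPO, and whether Authenticated Users still has Read; the `$byOwner` lookup and the report shape are my own assumptions.

```powershell
# Added example: audit security filtering on the GPO without changing anything.
Import-Module ActiveDirectory, GroupPolicy

$GP_NAME      = "Workstations - Company Wallpaper"
$GroupDN      = "CN=bacon-tasters,OU=Standard Groups,DC=chadduffey,DC=local"
$DaysInactive = 60
$cutoff       = (Get-Date).AddDays(-$DaysInactive)

# Current ACL on the GPO: who already has Apply, and does Authenticated Users keep Read?
$perms    = Get-GPPermission -Name $GP_NAME -All
$applied  = $perms | Where-Object { "$($_.Permission)" -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }
$authRead = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and "$($_.Permission)" -in 'GpoRead','GpoApply'
}
if (-not $authRead) {
    Write-Warning "Authenticated Users has no Read on '$GP_NAME'; computers cannot read it (MS16-072)."
}

# Same member and active-computer selection as the rollout loop
$members   = Get-ADGroupMember -Identity $GroupDN
$computers = Get-ADComputer -Filter {((Name -like "*-WIN10") -or (Name -like "*-WINVM")) -and (LastLogonTimeStamp -gt $cutoff)}

# Index computers by the owner prefix of their name (assumed <sam>-WIN10 / <sam>-WINVM)
$byOwner = @{}
foreach ($c in $computers) { $byOwner[$c.Name.Split('-')[0].ToLower()] += @($c.Name) }

$report = foreach ($m in $members) {
    $owned = $byOwner[$m.SamAccountName.ToLower()]
    if (-not $owned) {
        [pscustomobject]@{ User = $m.SamAccountName; Computer = $null; Status = 'no active workstation' }
        continue
    }
    foreach ($name in $owned) {
        # Trustee names may or may not carry the trailing '$' of a computer account
        $status = if ($applied -contains $name -or $applied -contains "$name`$") { 'already has Apply' } else { 'would be added' }
        [pscustomobject]@{ User = $m.SamAccountName; Computer = $name; Status = $status }
    }
}
$report | Sort-Object Status, User | Format-Table -AutoSize
```

Run it again after the rollout loop and every row should read "already has Apply"; members left at "no active workstation" are the stale or unnamed machines the 60-day filter deliberately skipped.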
Chad Duffey