The script discussed in this article will help you add a domain user or group to the local administrators group on a given list of servers using PowerShell.

In my previous article, I showed you how to generate local admin group membership details and save the data in a CSV file for use in Excel. In this article, I will explain how to add a domain user or group to the local administrators group using PowerShell.

Input

I tried to make this script as simple as possible for day-to-day use. This script takes three parameters:

  • ObjectType: Type of object that you want to add to the local administrators group. ObjectType should be either User or Group.
  • ObjectName: Name of the domain object that you want to add. ObjectName should be in the format DOMAINNAME\UserName or DOMAINNAME\GroupName.
  • ComputerName: List of computer names on which you want to perform the operation. When no computer account is specified, the script tries to execute the action against the local computer from which you are running the script.

Execution

The script relies on the [ADSI] WinNT provider to query the computer’s local administrators object. Once the object is queried, the script uses a method called Add() to add the given domain user or group to the local administrators group. The argument for this method is the ADSPath of the object we are trying to add. The script uses the domain name extracted from ObjectName to form this ADSPath. For a list of allowed ADSPath formats, refer to this MSDN link. Below is the code snippet that performs the addition operation:
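The addition described above, written out as an added example (this is not the article's original script): it builds the WinNT ADsPath from ObjectName, calls Add() on each computer's Administrators group, and returns one record per computer with the ComputerName, Status and Comments columns. The function name, the input validation, the -WhatIf support, the "Skipped" status and the already-a-member check are assumptions of this example.

```powershell
# Added example: function name, validation, 'Skipped' status and membership check are assumptions.
function Add-DomainObjectToLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Group')][string]$ObjectType,
        # Must look like DOMAINNAME\Name; rejects extra separators that would alter the ADsPath
        [Parameter(Mandatory)][ValidatePattern('^[^\\/,]+\\[^\\/,]+$')][string]$ObjectName,
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    $domain, $name = $ObjectName -split '\\', 2
    $memberPath = "WinNT://$domain/$name"          # ADsPath passed to Add()

    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{ ComputerName = $computer; Status = 'Failed'; Comments = '' }
        try {
            if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
                $result.Status = 'Offline'
            }
            elseif ($PSCmdlet.ShouldProcess($computer, "Add $ObjectType $ObjectName to local Administrators")) {
                # Group name is the English default; localized systems name it differently
                $group = [ADSI]"WinNT://$computer/Administrators,group"
                if ($group.psbase.Invoke('IsMember', $memberPath)) {
                    $result.Comments = 'Already a member'   # skip Add(), which would fail on a duplicate
                }
                else {
                    $group.Add($memberPath)
                }
                $result.Status = 'Successful'
            }
            else {
                $result.Status = 'Skipped'; $result.Comments = 'WhatIf or not confirmed'
            }
        }
        catch {
            # Surface the underlying .NET/COM exception text as the failure reason
            $result.Comments = $_.Exception.GetBaseException().Message
        }
        $result
    }
}

# Dry run with the names from the article's Example 1; drop -WhatIf to apply the change
Add-DomainObjectToLocalAdmins -ObjectType User -ObjectName 'AD\TestUser1' -ComputerName srvmem1, srvmeme2 -WhatIf |
    Export-Csv -Path C:\temp\ResultsofLocalGroupAddition.csv -NoTypeInformation
```

Because membership in the local Administrators group grants full control of the machine, keep the resulting CSV as a record of which principal was added where.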

Output

The script shows its progress as it executes, as well as how many computers it completed, so it is easy for you to know its current stage of execution. The script also provides a good verbose output when the -Verbose parameter is used. The status of additions made to the local administrators group is saved in a CSV file named ResultsofLocalGroupAddition.CSV in the c:\temp folder. You can modify the value of the $ResultsFile variable if you want to choose a different location or file name for the output file.

The output contains three columns: ComputerName, Status, and Comments. Status indicates the result of the addition (“failed” or “successful”). If the computer is offline, the status will be set to “offline.” The Comments column shows the reason for failures. These are .NET exceptions, but they are clear enough to understand the reason for the failure.

Sample output


PowerShell script

Usage instructions

This script is simple to use. You can get examples by running the following command:

Example 1

Adds the AD\TestUser1 user account to the local administrators group on srvmem1 and srvmeme2.

Example 2

Adds the AD\TestUser1 group to the local administrators group on servers listed in c:\servers.txt.

I hope this helps. Comments and suggestions are welcome.

5 Comments
  1. Naveen 5 years ago

    Hi Sitaram,

    I am getting a "failed query member" error in the status .csv column after running ".\Get-LocalGroupMembers.ps1 (Get-Content C:\temp\servers.txt)"

    Thanks,
    D Naveen


  2. vikas chauhan 2 years ago

    Hi SitaRam,

    We are trying to add a local user or group to the local admin account with PowerShell. We have IQ services between our SailPoint and Active Directory. We are not getting how to apply this with the IQ service. Please let us know about the required steps.

    Thanks in advance.

    vikas


  3. KT 1 year ago

    This works great on most of my servers, but has not worked on 2003 R2. Any suggestions?


  4. Álvaro 1 year ago

    Hi,

    Windows 2k3 R2 is too old for newer PoSH versions. As far as I know, the last version for this OS was 3.0, and that OS version couldn't have the needed/updated PoSH modules, WMI and .NET version (4.5.2) required for the job, so maybe you should upgrade the OS, if that is possible.


  5. Xylord 1 year ago

    Is there a way to reverse this script? Meaning, can I use it to remove users or groups from the local admins group on multiple servers? If so, what would the new syntax be?

