The script discussed in this article will help you add a domain user or group to the local administrators group on a given list of servers using PowerShell.

In my previous article, I showed you how to generate local admin group membership details and save the data in a CSV file for use in Excel. In this article, I will explain how to add a domain user or group to the local administrators group using PowerShell.


I tried to make this script as simple as possible for day-to-day use. This script takes three parameters:

  • ObjectType: Type of object that you want to add to the local administrators group. ObjectType should be either User or Group.
  • ObjectName: Name of the domain object that you want to add. ObjectName should be in the format DOMAINNAME\UserName or DOMAINNAME\GroupName.
  • ComputerName: List of computer names on which you want to perform the operation. When no computer account is specified, the script tries to execute the action against the local computer from which you are running the script.


The script relies on the [ADSI] WinNT provider to query the computer’s local administrators object. Once the object is queried, the script uses a method called Add() to add the given domain user or group to the local administrators group. The argument for this method is the ADSPath of the object we are trying to add. The script uses the domain name extracted from ObjectName to form this ADSPath. For a list of allowed ADSPath formats, refer to this MSDN link. Below is the code snippet that performs the addition operation:

$GroupObj = [ADSI]"WinNT://$Computer/Administrators"


The script shows its progress as it executes, as well as how many computers it completed, so it is easy for you to know its current stage of execution. The script also provides a good verbose output when the -Verbose parameter is used. The status of additions made to the local administrators group is saved in a CSV file named ResultsofLocalGroupAddition.CSV in the c:\temp folder. You can modify the value of the $ResultsFile variable if you want to choose a different location or file name for the output file.

The output contains three columns: ComputerName, Status, and Comments. Status indicates the result of the addition (“failed” or “successful”). If the computer is offline, the status will be set to “offline.” The Comments column shows the reason for failures. These are .NET exceptions, but they are clear enough to understand the reason for the failure.

Sample output

Sample output

PowerShell script

        Adds a user or group to local administrator group

        This scripts adds the given user or group to local administrators group on given list of servers.

    .Parameter ComputerName
        Computer Name(s) on which you want to add user/group to local administrators

	.Parameter ObjectType
		This parameter takes either of two values, User or Group. This parameter indicates the type of object
		you want to add to local administrators

	.Parameter ObjectName
		Name of the object (user or group) which you want to add to local administrators group. This should be in 
		Domain\UserName or Domain\GroupName format

        Set-LocalAdminGroupMembers.ps1 -ObjectType User -ObjectName "AD\TestUser1" -ComputerName srvmem1, srvmem2 

        Adds AD\TestUser1 user account to local administrators group on srvmem1 and srvmeme2

        Set-LocalAdminGroupMembers.ps1 -ObjectType Group -ObjectName "ADDomain\AllUsers" -ComputerName (Get-Content c:\servers.txt) 

		Adds AD\TestUser1 Group to local administrators group on servers listed in c:\servers.txt
		Author : Sitaram Pamarthi


	[ValidateScript({($_.split("\").count -eq 2)})]


#Name and location of the output file. Change this line if you want to alter the location
$ResultsFile = "c:\temp\ResultsofLocalGroupAddition.csv"
$ObjDomain = $ObjectName.Split("\")[0]
$ObjName = $ObjectName.Split("\")[1]
$ComputerCount = $ComputerName.Count
$count = 0
Add-Content -Path $ResultsFile -Value "ComputerName,Status,Comments"
foreach($Computer in $ComputerName) {
	$Comment = $null
	Write-Host ("{0}. Working on {1}" -f $Count, $Computer)
	if(Test-Connection -ComputerName $Computer -Count 1 -Quiet) {
		Write-Verbose "$Computer : Online"
		try {
			$GroupObj = [ADSI]"WinNT://$Computer/Administrators"
			$Status = "Success"
			$Comment = "Added $ObjectName $ObjectType to Local administrators group"
			Write-Verbose "Successfully added $ObjectName $ObjectType to $Computer"
		} catch {
			$Status = "Failed"
			$Comment = $_.toString().replace("`n","").replace("`r","")
			Write-Verbose "Failed to add $ObjectName $ObjectType to $Computer"

		Add-Content -Path $ResultsFile -Value ("{0},{1},{2}" -f $Computer,$Status,$Comment )	

	} else {
		Write-Warning "$Computer : Offline"
		Add-Content -Path $ResultsFile -Value ("{0},{1}" -f $Computer,"Offline")


Usage instructions

This script is simple to use. You can get examples by running the following command:

PS C:\> get-help C:\Scripts\Set-LocalAdminGroupMembers.ps1 -Examples

Example 1

PS C:\> Set-LocalAdminGroupMembers.ps1 -ObjectType User -ObjectName "AD\TestUser1" -ComputerName srvmem1, srvmem2

Adds the AD\TestUser1 user account to the local administrators group on srvmem1 and srvmeme2.

Example 2

PS C:\> Set-LocalAdminGroupMembers.ps1 -ObjectType Group -ObjectName "ADDomain\AllUsers" -ComputerName (Get-Content c:\servers.txt)

Adds the AD\TestUser1 group to the local administrators group on servers listed in c:\servers.txt.

I hope this helps. Comments and suggestions are welcome.

  1. Avatar
    Naveen 9 years ago

    Hi Sitaram,

    I am getting “”failed query member” error in status .csv column after running “.\Get-LocalGroupMembers.ps1 (Get-Content C:\temp\servers.txt)”

    D Naveen

  2. Avatar
    vikas chauhan 6 years ago

    HI SitaRam ,

    we are trying to add local user or group for local admin account with power shell . We have IQ services between our sailpoint and Active Directory . We are not getting that hows to apply this with IQ service . Please let us know about the required steps .

    Thanks in advance .


  3. Avatar
    KT 5 years ago

    This works great on most my servers, but has not worked on 2003 R2, any suggestions?

  4. Avatar
    Álvaro 5 years ago


    Windows 2k3 R2 is too old for newer PoSH versions. As far as, I know the last version for this OS was 3.0. and OS version couldn’t have the needed/updated PoSH modules,WMI and .Net version (4.5.2.) required for the job, so maybe you should have to upgrade OS,… if that is possible.

  5. Avatar
    Xylord 5 years ago

    Is there a way to reverse this script? Meaning, can I use it to remove users or groups from the local admins group on multiple servers? If so, what would the new syntax be?

  6. Avatar
    Jafar 2 years ago


    Is there anyway to many different ad domain user on different client machines?
    in one step?


Leave a reply

Your email address will not be published. Required fields are marked *


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account