By default, the local Administrators group on Windows machines only contains the Domain Admins group and the local Administrator account. This is not really a good configuration because it means that anyone who is allowed to manage a Windows client machine has all rights in the Active Directory domain. Thus, it is better to create a domain group for all local administrators, which you add to a local Administrators group. Then, you add all users who are allowed to manage your Windows desktops to this domain group.
The local Administrators group should be reserved for local admins, help desk personnel, etc. However, in some cases, you might want to temporarily grant an end user administrator privileges on his machine so he can install a driver or an application. I know this is not really best practice, but, in my experience, overworked admins often opt for this solution if an important user keeps nagging. This is where the procedures described below come in.
Computer Management
The easier way to add a user to the local Administrators group is to use the Computer Management app. You can connect to the remote computer via Remote Desktop, press SHIFT-R, and then enter compmgmt.msc. However, a faster way is to launch Computer Management on your own computer and establish a remote connection to the user’s computer. To do so, right-click the Computer Management icon, select Connect to another computer, and then enter the computer name of the machine you want to manage.
Computer Management - Connect to another computer
Note: You can also right-click the corresponding computer name and then select Manage in Active Directory Users and Computers.
If you are logged in to an Active Directory domain, and if you have sufficient privileges to manage the remote machine, the connection should be established without the need to provide credentials. You can then navigate to Local Users and Groups and add the user to the Administrators group.
Add user to the local Administrators group in Computer Management
A problem with this method is that it only works if the Windows Firewall on the remote desktop is configured to allow remote administration. If not, you will get an error message saying that the connection to the computer cannot be established.
Hence, if you want to manage remote computers with Computer Management, you have to enable the Group Policy setting Allow inbound remote administration exception for the Windows Firewall. You can find the policy in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound remote administration exception
PsExec and net localgroup
The solution with PsExec from Microsoft’s free PsTools works with the same firewall settings. After you unzip the PsTools to the folder of your choice, you can add a user to the local Administrators group with the following command:
psexec \\ComputerName net localgroup Administrators "DomainName\UserName" /add
On my test machine, the computer name was “win81update,” my Active Directory domain was “domr2,” and the name of my user was “TestUser.”
Add user to the local Administrators group with PsExec and net localgroup
PowerShell
Of course, you can also use PowerShell to accomplish the task. The little script below demonstrates how you can add a user to the local Administrators group with PowerShell:
$DomainName = Read-Host "Domain name:"
$ComputerName = Read-Host "Computer name:"
$UserName = Read-Host "User name:"
$AdminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
$User = [ADSI]"WinNT://$DomainName/$UserName,user"
$AdminGroup.Add($User.Path)
The first three lines are just for prompting you to input the domain, computer, and user names. In line 4, the script creates the reference object for the local Administrators group of the remote computer using the [ADSI] type adapter. Line 5 creates the corresponding reference to the user, and the last line adds the user to the Administrators group.
For this method to work, we need a different firewall setting than for the Computer Management solution. You have to enable the Group Policy Allow inbound file and printer sharing exception. The policy is also located in Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile.
Allow inbound file and printer sharing exception
Note that this policy is also sufficient for the PsExec method described above.
If you want to add a user to multiple computers, you should check out Jaap Brasser’s PowerShell script. The script can load a list of computers from a text file and allows you to work with parameters on the PowerShell console.
ManageEngine Desktop Central
Yet another option is to use a desktop management tool such as ManageEngine Desktop Central. Of course, if you just want to add one user to a group, you wouldn’t deploy such a tool. However, if you often have similar remote management tasks to do—in particular, if you have to automate such tasks for many computers—you are better off with a GUI tool than with command-line tools or PowerShell; you can automate the task for any number of machines (including those that are currently offline) with just a few clicks and without the need to write a long-winded script. You will hardly find a remote management task that you can’t automate with Desktop Central.
ManageEngine Desktop Central
Desktop Central requires you to install an agent on the remote machine, which you can easily do from the Desktop Central console. Once the agent is running on the remote machine, you have to add a Group Management Configuration. Under Step 2 - Define Configuration, you click Modify Group and then enter Administrators in the Group Name field. Under Add Members, you select Domain User and then enter the user name. Finally, in Step 3 – Define Target, you add the computer name.
Add user to the local Administrators group with Desktop Central
You also have to configure Windows Firewall so Desktop Central can work properly. You can find more information about the ports you have to open here.
The downside of using a desktop management tool is, of course, that you have to buy it. Desktop Central is free for 25 devices.
How to remove a user from the Administrators group
If you only want to assign admin rights to a user temporarily, you might want to set yourself a reminder to remove the user from the group.
Removing the user with Computer Management or Desktop Central shouldn’t be a problem if you were able to add the user to the Administrators group.
To remove the user with PsExec, you just have to replace “add” in the above command with “delete,” like this:
psexec \\ComputerName net localgroup Administrators "DomainName\UserName" /delete
And, in the PowerShell script, replace the last line with this one:
$AdminGroup.Remove($User.Path)
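The add script in the PowerShell section and the one-line removal variant above can be folded into one function. This is an added example, not the article's own script: it uses the same ADSI WinNT bindings, but forces both binds up front (so a wrong computer, domain or user name fails with the provider's message rather than a generic "invalid directory pathname"), checks current membership before calling Add() or Remove(), and assumes the domain is given as its NetBIOS name so that the membership comparison matches what the provider reports.

```powershell
function Set-RemoteLocalGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainName,   # NetBIOS name, e.g. domr2
        [Parameter(Mandatory)][string]$UserName,
        [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
        [string]$GroupName = 'Administrators'
    )

    # Same two bindings as the article's script: the local group on the remote
    # machine and the domain user, both through the ADSI WinNT provider.
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    $user  = [ADSI]"WinNT://$DomainName/$UserName,user"

    # Force both binds now. A wrong computer, domain or user name then fails here
    # with the provider's message instead of as a generic "invalid directory
    # pathname" thrown by Add()/Remove() later on.
    foreach ($entry in @($group, $user)) {
        try { $null = $entry.psbase.NativeObject }
        catch { throw "Cannot bind to $($entry.Path): $($_.Exception.Message)" }
    }

    # Current members come back as COM objects, so read their ADsPath via
    # reflection. Member paths look like WinNT://DOMAIN/user (no ",user" suffix).
    $memberPaths = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    $userPath = $user.Path -replace ',user$', ''
    $isMember = $memberPaths -contains $userPath   # -contains is case-insensitive

    switch ($Action) {
        'Add' {
            if ($isMember) { Write-Verbose "$DomainName\$UserName is already in $GroupName on $ComputerName"; return }
            $group.Add($user.Path)
        }
        'Remove' {
            if (-not $isMember) { Write-Verbose "$DomainName\$UserName is not in $GroupName on $ComputerName"; return }
            $group.Remove($user.Path)
        }
    }
    Write-Verbose "$Action succeeded for $DomainName\$UserName in $GroupName on $ComputerName"
}

# Usage with the names from the article (computer win81update, domain domr2, user TestUser):
Set-RemoteLocalGroupMember -ComputerName win81update -DomainName domr2 -UserName TestUser -Action Add -Verbose
Set-RemoteLocalGroupMember -ComputerName win81update -DomainName domr2 -UserName TestUser -Action Remove -Verbose
```

The same firewall exception (Allow inbound file and printer sharing) applies as for the article's script, since the WinNT provider talks to the remote machine over SMB/RPC.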
One could also use a GPO and the Restricted Groups policy setting to add groups to local Administrators remotely and automatically. Very useful for managing local group membership.
Milan, thanks for the hint. Group Policy is certainly a good option, but I think you can’t use it to add individual users to the Administrators group.
Yes, but it is better practice to apply security settings to groups rather than individual user accounts 🙂
That’s certainly true. The instructions in the post are mostly for the case where you temporarily want to grant admin rights to an end user on his or her machine only.
To make someone a local admin on just one machine, I just have to add this computer’s name to the user’s Description in AD.
http://serverfault.com/questions/79614/group-policy-administrator-rights-for-specific-users-on-specific-computers/685331#685331
Thanks for listing multiple options. I could use PsExec flawlessly. However; I have a little different requirement. I need to add multiple users to one computer or one user to multiple computers. Does the command have an option for this? I am just about to write a batch file for this (calling the command multiple times in a loop of machine names) but thought I should check with you once.
Since Microsoft disabled the GPO for setting local users in the Local Security Policy, this has proven a bit more difficult. I have had great success with PowerShell, but this only works for an existing local user or an existing domain user.
$ComputerName = Get-ADComputer -LDAPFilter "(Name=workstation1)" | foreach {$_.name}
invoke-command { net localgroup "Administrators" Domain\LocalAdmin /add} -computername $ComputerName
Are there any ways that I can create a new local user with this or something similar? thanks!
Just use PsExec to create a profile remotely:
psexec \\<remote_computer> -d -u <domain>\<username> -p <password> cmd.exe /c echo.
Michael, great article! There is one more option available, using the winrs remote shell:
winrs -r:win81update net localgroup administrators "domr2\TestUser" /add
If SSL certificates are configured for HTTPS, you can go the more secure way:
winrs -r:win81update -usessl net localgroup administrators "domr2\TestUser" /add
Cheers
Thanks for the tip. But I guess there is more than one additional option. 😉
Your PC needs to restart.
Please hold down the power button.
Error code: 0x000000C4
Parameters:
0x0000000000000091
0x000000000000000F
0xFFFFF801E5962A80
0x0000000000000000
It is not going to be fixed with the command:
C:\>cd Program Files\Oracle\VirtualBox\VBoxManage.exe
The directory name is invalid.
I am installing Windows Server 2012 R2 in VirtualBox.
@shashi,
Your problem seems not to be related to the topic of this post.
You had better create a new topic in the IT Administration forum.
If I’m not wrong, MS has just added a module to its latest PowerShell v5 iteration which has native cmdlets for managing local user accounts. Since not all of us work with the “latest and greatest” Windows 10 version in the enterprise which contains these new “goodies”, the legacy methods presented here are still relevant 🙂 The majority of my users are still on Win 7, by the way, due to legacy line-of-business compatibility issues.
@WinFan,
The module which handles local accounts is not related to the operating system.
You only need Powershell 5.1, whatever operating system you have.
I have tested this module successfully on Windows 7.
@Luc Fullenwarth
Thanks for the hint! Was under the impression downward-OSes do not support this module.
@WinFan,
Sometimes they do, and sometimes not.
For example, even if you install Powershell 5.1 on Windows 2008 R2, you don’t have the Get-ScheduledTask cmdlet.
Although the list is not exhaustive, you can have a look at this wiki post.
https://4sysops.com/wiki/differences-between-powershell-versions/
However there is a global demand to have a clear documentation about which cmdlet is compatible with which Powershell version.
https://github.com/PowerShell/PowerShell-Docs/issues/1105
You can star the GitHub topic if it’s important for you 😉
Is it safe to do the PowerShell method? Will it expose my domain administrator password to the domain member server? I’m concerned about attacks like mimikatz.
Interestingly, I couldn’t find information about what kind of encryption the ADSI WinNT provider uses nowadays, but I don’t think that administrator passwords are sent in clear text. Anyway, I would no longer use ADSI WinNT to add a user remotely to a group with PowerShell. I think PowerShell remoting is now the better option.
If you only want to add a single user to the administrators group, you can establish an interactive remote session:
If you want to do this in a script for multiple computers, you can use Invoke-Command:
Just make sure that you enabled remoting.
Using your ADSI connection, however, allows you to bypass WinRM if it’s not enabled. You need WinRM enabled to use Enter-PSSession.
Either way, great script, and it was what I needed in a pinch.
This script does not work. I am getting the message that an invalid path is used.
Perhaps it is not working in more complicated environments where servers are in different domains than the accounts are?
The server name is used either with or without FQDN, and the destination remote server can be reached from the source system. Also, it is not clear in which way a domain should be given: @DOMAIN, short DOMAIN, detailed DOMAIN?
It would be great to get it working since I need to set up the local groups on multiple remote servers.
If I remember it right, the domain name can be a NETBIOS name or a DNS name. You can find examples here. I never tried the script across domains. However, the fact that ADSI WinNT accepts domain names indicates that it works or at least that it worked before. Maybe you have an authentication problem? Can you add users with the Computer Management tool?
If PowerShell remoting is enabled in your environment, you could consider this option. See the comment above.
Michael Pietroforte
Your method only works if the remote server is on a higher PowerShell version that has the cmdlet Add-LocalGroupMember.
If you try it with a Windows 2008 R2 SP1 server, for instance, Invoke-Command will just tell you that the cmdlet is not a known one.
That’s correct. You need PowerShell 5.1 for the local user and group cmdlets. I recommend updating your systems to 5.1. You can find the download links here.
Thanks Michael for the scripts. It worked as described for me; I’m able to add/remove a user to a user group on a remote machine.
Question:
After adding a user to the Administrators group, it does not take effect immediately in the user’s active session. He has to log off and log in again to get admin rights. Is it possible to achieve this without the user logging in again?
As far as I know, this is not possible.
Thanks Michael for the scripts!
I would still have a question because I am unfortunately in despair.
Is it possible with Powershell script to add one user in two or more groups at the same time?
Do you mean to local groups or AD groups?
I meant local groups on remote computers.
Best regards
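The PowerShell remoting approach recommended in the comments above, and the question about adding one user to several local groups on several remote computers, can be served by one function. This is an added example, not code from the article or from any commenter: it assumes WinRM is enabled on the targets and that you run it as a domain account that already has admin rights there; it uses Add-LocalGroupMember where the remote host has PowerShell 5.1 and falls back to net localgroup on older hosts (the 2008 R2 case mentioned above). The computer name pc02 is a constructed placeholder.

```powershell
function Add-RemoteLocalGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$Member,                # e.g. 'domr2\TestUser'
        [string[]]$GroupName = @('Administrators')            # one or more local groups
    )

    # One remoting session per target; the script block runs on the remote host,
    # so $env:COMPUTERNAME and Get-Command refer to that host, not to the caller.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Member, $Groups)
        foreach ($g in $Groups) {
            if (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
                # PowerShell 5.1 host: native local-accounts cmdlet.
                try {
                    Add-LocalGroupMember -Group $g -Member $Member -ErrorAction Stop
                    $status = 'added'
                } catch {
                    # Already a member is not a failure for our purpose.
                    $status = if ($_.FullyQualifiedErrorId -like 'MemberExists*') { 'already a member' }
                              else { "failed: $($_.Exception.Message)" }
                }
            } else {
                # Older host (e.g. 2008 R2 without PowerShell 5.1): same net localgroup
                # command the article uses with PsExec, run through the remoting session.
                $out = & net localgroup $g $Member /add 2>&1
                $status = if ($LASTEXITCODE -eq 0) { 'added (net localgroup)' } else { "failed: $out" }
            }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Group = $g; Member = $Member; Status = $status }
        }
    } -ArgumentList $Member, $GroupName
}

# Usage: one user into two local groups on two computers (pc02 is a placeholder name).
Add-RemoteLocalGroupMember -ComputerName 'win81update', 'pc02' -Member 'domr2\TestUser' `
    -GroupName 'Administrators', 'Remote Desktop Users' |
    Format-Table Computer, Group, Member, Status -AutoSize
```

The returned objects give you a per-computer, per-group result you can log or filter on, which a bare net localgroup call in a batch loop does not.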
If you have the Quest cmdlets, you can do a simultaneous/parallel add for the user.
For the Powershell option, the last line, $AdminGroup.Add($User.Path), gives an exception message:
Exception calling "Add" with "1" argument(s): "An invalid directory pathname was passed"
At \\tsclient\D\Password Email\Remote command.ps1:6 char:1
+ $groupObj.Add($userObj.Path)
What gives? Can't figure out the error.