Add AD User/Group to Local Administrator Group

The script can use either a plain text file containing a list of computer names or a single computer name as input, and will add the trustee (AD user or group) as an administrator on the specified computer(s). The script will report back errors if the account is already a member.

 
 
 
 
 
11/12/2015


  • Single line command to remove AD group from local admin
    1 Posts | Last post November 07, 2016
    • Dear Jaap,
      
      I would require your help. I need to remove one AD group from the local administrator of a server. I need a PowerShell command for that. I tried the below, but it didn't work :-( 
      
      " .\Set-ADAccountasLocalAdministrator.ps1 -Computer 10.75.138.83 -Trustee E3027081 "
      
      Can you please help me in this regard?
      
      Thanks in advance.
      
      Regards,
      
      Naveen M
  • AutoSelect Computer Name & Hard Code group
    2 Posts | Last post September 07, 2016
    • Jaap - this script is perfect. Just wanted to ask how I would go about hard coding the AD Group and auto-input for the computer name as the device that I am running this on. 
      
      Looking to apply this script as part of an imaging process step. 
      
      Thank you,
      Jeremiah
    • Hello Jeremiah,
      
      If you want to add the same user group to any computer that is deployed you could run the script as such:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer $env:computername -Trustee Contoso\JaapBrasser
      
      Note that this would only work if the computer is already domain joined. If you would like to hardcode this into the script you could remove lines 47-50 and change lines 52 and 54 to this:
              $Computer = $env:computername,
              $Trustee = 'contoso\jaapbrasser'
      
      
      Let me know how that works for you.
      
      
      Regards,
      
      Jaap Brasser
      
  • "The network path was not found." Need help troubleshooting
    4 Posts | Last post August 23, 2016
    • Hello Mr. Brasser,
      
      I'm getting the connectivity issue (WARNING: The following exception occurred while retrieving member "add": "The network path was not found.") but I can't seem to hone in on the cause. I've tried disabling the firewall as well as enabling PS remoting on both machines. I can also ping the hostname and IP without issue. Could I use the IP instead of the hostname in your script? Your script works when I run it locally using my hostname as the computer name, but when I try it on a different machine on the domain it throws that error.
      
      I am running a script test.ps1 (which is Set-ADAccountasLocalAdministrator.ps1) from a different script. But basically, I have this line where I need the user to be made localadmin on the computer. $PSDir is the parent directory of test.ps1 and hostname and username are global vars.
      
      Invoke-Expression "$PSDir\test.ps1 -Computer $Global:hn -Trustee $Global:user"
      
      Any ideas you have would be incredibly helpful!
      
      Thank you,
      Dom
    • Hello Dom,
      
      This error seems to be a connectivity issue, so for the other computer can you verify the following:
      - Is it on the same subnet?
      - Is there a firewall active on either system that might be blocking this traffic?
      - Can you ping the system?
      - Can you run any other cmdlet against this system (for example run: Get-Service -ComputerName YourOtherComputer)?
      
      Let me know the results and perhaps we can pinpoint what the problem is exactly.
      
      
      Regards,
      
      Jaap Brasser
    • Hello Mr. Brasser,
      
      1. Is it on the same subnet - Yes on the same subnet.
      2. Is there a firewall active on either system that might be blocking this traffic - YES but it is off for testing.
      3. Can you ping the system - Yes I can ping the system! (I can also remote into the system via RDC)
      4. Can you run any other cmdlet against this system (for example run: Get-Service -ComputerName YourOtherComputer) - No when I run this I get this:
      
      Get-Service : Cannot open Service Control Manager on computer 'machine2'.
      This operation might require other privileges.
      At C:\Users\******\Desktop\makeAdminv3.ps1:88 char:1
      + Get-Service -ComputerName $Global:hn
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperatio
         nException
          + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power
         Shell.Commands.GetServiceCommand
      
      Thank you,
      Dom
      
    • This seems to be a privileges issue. So what is the relation between the system that you are running this on and the one on which you want to add the administrative user? Are they both members of the same domain? If so, make sure you use an account that has administrative privileges on the target machine to execute this script to ensure that it works.
      
      
      Regards,
      
      Jaap Brasser
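The checks from this thread as one pre-flight function, added here as an example (it is not part of the posts or of the gallery script). It keeps the Win32 error code from the `Get-Service` test so a network failure can be told apart from a privileges failure. The function name and the TCP 135/445 probes are assumptions: they reflect the ports remote service and local-group management commonly rely on, which ping and RDP do not exercise.

```powershell
# Added example for Windows PowerShell (Get-Service -ComputerName is not in PowerShell 7).
# Function name and the port probes are illustrative assumptions.
function Test-RemoteAdminAccess {
    param([Parameter(Mandatory = $true)][string]$Computer)

    $r = [ordered]@{ Computer = $Computer }

    # Check 1: ICMP reachability (the "can you ping the system" question).
    $r['Ping'] = [bool](Test-Connection -ComputerName $Computer -Count 1 -Quiet)

    # Check 2 (assumption): RPC endpoint mapper and SMB. A host can answer ping
    # and accept RDP while a firewall still drops these.
    foreach ($port in 135, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $async = $client.BeginConnect($Computer, $port, $null, $null)
            $r["Tcp$port"] = $async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected
        } catch {
            $r["Tcp$port"] = $false
        } finally {
            $client.Close()
        }
    }

    # Check 3: the Get-Service test from the reply. Win32 error 5 (access is
    # denied) points at privileges; 53 (network path not found) or 1722 (RPC
    # server unavailable) point at connectivity.
    $r['Scm'] = 'ok'
    $r['Win32Error'] = $null
    try {
        Get-Service -ComputerName $Computer -ErrorAction Stop | Out-Null
    } catch {
        $r['Scm'] = $_.Exception.Message
        $inner = $_.Exception.InnerException
        if ($inner -is [System.ComponentModel.Win32Exception]) {
            $r['Win32Error'] = $inner.NativeErrorCode
        }
    }

    [pscustomobject]$r
}

# Usage: machine2 is the placeholder host name from the error output above.
Test-RemoteAdminAccess -Computer 'machine2' | Format-List
```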
  • How to add multiple users ?
    2 Posts | Last post August 22, 2016
    • The script works excellently for me. But how to add multiple users to this?
    • You could run through a loop with the script, for example:
      
      'user1','user2','user3' | ForEach-Object {.\Set-ADAccountasLocalAdministrator.ps1 -Computer Server01 -Trustee $_}
      
      Let me know how that works out for you!
  • Using same script to remove user
    4 Posts | Last post August 15, 2016
    • Excellent script, works great. How can I use the same script to remove the user? I was trying to make some changes but had no success.
      
      Many Thanks
    • Hello Jawano,
      
      I have uploaded an updated version of this script that also allows for deletions. Have a look at the following script:
      https://gallery.technet.microsoft.com/Remove-AD-UserGroup-to-f6e9dbfb
    • Many Thanks ...
    • No problem jawano, let me know if you have any feedback on the new script.
      
      
      Regards,
      
      Jaap Brasser
  • Can this be amended to add users to Remote Desktop Users group?
    2 Posts | Last post July 28, 2016
    • Can this script be amended to add users to the remote desktop users group? 
    • Sure, I created an updated version of this script, Add-ADaccounttoRDPUser:
      https://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-RDP-c17b24a4
      
      Let me know how that works for you and feel free to leave comments on it over there.
      
      
      Regards,
      
      Jaap Brasser
  • Not recognized as a cmdlet, function, etc...
    3 Posts | Last post July 19, 2016
    • I've tried running this several times (trying to add an AD group to the local admin group), but get the following error:
      
      Set-ADAccountasLocalAdministrator.ps1 -InputFile "C:\camservers.txt" -Trustee "mydomain\Camera Server Admins"
      Set-ADAccountasLocalAdministrator.ps1 : The term 'Set-ADAccountasLocalAdministrator.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path 
      is correct and try again.
      At line:1 char:1
      + Set-ADAccountasLocalAdministrator.ps1 -InputFile "C:\camservers.txt"  ...
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : ObjectNotFound: (Set-ADAccountasLocalAdministrator.ps1:String) [], CommandNotFoundException
          + FullyQualifiedErrorId : CommandNotFoundException
       
      
      Any assistance is appreciated!
    • Never mind, I answered my own question - I didn't define it in my current working directory.
      
      Thanks!
    • Excellent, thanks for checking back J. Ellington and I hope you enjoy using the script!
      
      Regards,
      
      Jaap Brasser
  • space in domain name
    3 Posts | Last post July 13, 2016
    • Hello,
      
      What about if we have a space in domain group name ?
      
      Set-ADAccountasLocalAdministrator.ps1 : A positional parameter cannot be found that a
      ccepts argument 'XXX'.
      At line:1 char:40
      + .\Set-ADAccountasLocalAdministrator.ps1 <<<<  -Computer YYY -Trustee AD\Domain-DL XXX
          + CategoryInfo          : InvalidArgument: (:) [Set-ADAccountasLocalAdministrator.ps1], ParameterBindingException
          + FullyQualifiedErrorId : PositionalParameterNotFound,Set-ADAccountasLocalAdministrator.ps1
      
      Regards
      
    • Sorry,
      
      there was no question :) 
      
      "AD\Domain-DL XXX"
      
    • No problem, indeed in PowerShell if you have spaces in an argument you wish to pass into a parameter you have a number of options:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer YYY -Trustee "AD\Domain-DL XXX"
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer YYY -Trustee 'AD\Domain-DL XXX'
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer YYY -Trustee AD\Domain-DL` XXX
      $Trustee='AD\Domain-DL XXX';.\Set-ADAccountasLocalAdministrator.ps1 -Computer YYY -Trustee $Trustee
      
      
  • Throws error at Line 92 - Missing parenthesis
    4 Posts | Last post March 15, 2016
    • Hi Jaap,
      
      I tried different options and all of them throw this below error:
      
      PS H:\PowershellScripts> .\Set-ADAccountasLocalAdministrator.ps1 -InputFile h:\PowershellScripts\servers.txt -Trustee mdynycmas\ravik
      Missing closing ')' in expression.
      At H:\PowershellScripts\Set-ADAccountasLocalAdministrator.ps1:92 char:1
      +  <<<<
          + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [], ParseException
          + FullyQualifiedErrorId : MissingEndParenthesisInExpression
      
      PS H:\PowershellScripts> .\Set-ADAccountasLocalAdministrator.ps1 -Computer=ptc-wbapmdb101 -Trustee mdynycmas\ravik
      Missing closing ')' in expression.
      At H:\PowershellScripts\Set-ADAccountasLocalAdministrator.ps1:92 char:1
      +  <<<<
          + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [], ParseException
          + FullyQualifiedErrorId : MissingEndParenthesisInExpression
      
      Could you please see why this would occur? 
      
      Thank you!
    • Hello Balu S,
      
      I have tried to reproduce your error but I can't get the error using the parameters you describe. I have run this on different versions of PowerShell and different versions of Windows but I could not reproduce the error. Can you ensure you download the latest version of the script and run the command again?
      
      Also could you copy paste the output of the following commands on here? These are the two commands:
      $PSVersionTable
      Get-Host
    • Hello Jaap,
      
      My fault...when I downloaded it the first time, I copied the text and pasted it in my text editor and that changed the encoding, resulting in a non-working file. The text editor showed no differences in text compare, but showed differences in hex compare. Today, I downloaded it and saved it as is, and it works fine! Thank you very much for this extremely handy script!
      
      Two requests:
      
      a) Could you please tweak the script to allow a new parameter with the Local Group name, so that the user can input which group the user is to be added to? We frequently need to add users to the "Remote Desktop Users" group. 
      
      b) Could you please create a new script to REMOVE users from any group?
      
      Thanks a ton for the help
      
      Balu
      
    • Works Like a Bomb. Thanks
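An added check for the situation described in this thread (example code, not part of the posts or of the gallery script): it parses a saved copy of a script without running it, reports any byte-order mark and non-ASCII characters, and returns a SHA-256 hash that can be compared against a known-good copy. The function name is an assumption, and the code needs PowerShell 4.0 or later.

```powershell
# Added example; Test-ScriptFile is an illustrative name. Requires PowerShell 4.0+.
function Test-ScriptFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)

    # Byte-order mark, if present.
    $bom = 'none'
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $bom = 'UTF-8'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $bom = 'UTF-16 LE'
    } elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF) {
        $bom = 'UTF-16 BE'
    }

    # Parse only, never execute. Syntax errors come back in $errors.
    $tokens = $null
    $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile($full, [ref]$tokens, [ref]$errors)

    # Non-ASCII characters (curly quotes, long dashes, no-break spaces) are the
    # kind of difference a text compare can hide and a hex compare shows.
    $nonAscii = @(Select-String -LiteralPath $full -Pattern '[^\x00-\x7F]' -AllMatches |
        ForEach-Object {
            $line = $_.LineNumber
            $_.Matches | ForEach-Object {
                'line {0} col {1}: U+{2:X4}' -f $line, ($_.Index + 1), [int][char]$_.Value
            }
        })

    [pscustomobject][ordered]@{
        Path        = $full
        Bom         = $bom
        SHA256      = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        ParseErrors = @($errors | ForEach-Object {
            '{0}:{1} {2}' -f $_.Extent.StartLineNumber, $_.Extent.StartColumnNumber, $_.Message
        })
        NonAscii    = $nonAscii
    }
}

# Usage: inspect the downloaded script before running it.
Test-ScriptFile -Path '.\Set-ADAccountasLocalAdministrator.ps1' | Format-List
```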
  • Spaces for the Trustee Name
    4 Posts | Last post January 20, 2016
    • Hi, 
      I am going to use this to add a group to a local admin group. However, the group name has spaces in it. How is this handled? Your answer will help me with future scripting too ;) ..
      Thanks!
    • You can put quotation marks around it, for example:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer Server01 -Trustee "Your Group"
      
      or:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer Server01 -Trustee 'Your Group'
      
      Both will achieve the same result.
    • Hi,
      I am actually using your script in a different way - I will be querying a user for the group name, and them putting it in quotes will not work for me. Having said that, is there a way to escape or double quote, or something, if I will not be getting the group name in the double quotes format? 
      Thanks! And thanks for your script!
    • Hello bvi1998,
      
      Can you show me how you are getting the data? It can vary based on how you are calling this script. If you can show me the code you are currently working with, I can probably show you how to amend this.
      
      Regards,
      
      Jaap
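An added example, not part of the thread or of the gallery script, for the two cases raised on this page where the computer or trustee name arrives in a variable: the `Invoke-Expression` call in the "network path" thread and the prompt-for-group-name case here. Passing the values as bound parameters through the call operator keeps a name with spaces as a single argument and never re-parses it as PowerShell code. The function name and the allow-list patterns are assumptions for illustration.

```powershell
# Added example. Function name and allow-list patterns are illustrative assumptions;
# the script name and its -Computer / -Trustee parameters are the ones used on this page.
function Invoke-AddLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$ScriptPath,
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$Trustee
    )

    # Allow "DOMAIN\name" or "name". Spaces are accepted; characters such as
    # ; | < > that are not valid in a SAM account name are not.
    if ($Trustee -notmatch '\A(?:[\w.-]+\\)?[\w .$-]{1,64}\z') {
        throw "Trustee '$Trustee' is not an acceptable account name."
    }
    if ($Computer -notmatch '\A[A-Za-z0-9._-]{1,253}\z') {
        throw "Computer '$Computer' is not an acceptable host name or IPv4 address."
    }

    # Splatting binds each value to its parameter as one string. No command line
    # is built, so 'AD\Domain-DL XXX' needs no extra quoting, and the value is
    # passed as data rather than parsed as PowerShell, which is what
    # Invoke-Expression does with an interpolated string.
    $params = @{ Computer = $Computer; Trustee = $Trustee }
    & $ScriptPath @params
}

# Usage: trustee typed by an operator, computer taken from the local machine.
$group = Read-Host 'Group to add (DOMAIN\name)'
Invoke-AddLocalAdmin -ScriptPath '.\Set-ADAccountasLocalAdministrator.ps1' `
    -Computer $env:COMPUTERNAME -Trustee $group
```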