Add AD User/Group to Local Administrator Group

The script accepts either a computer name or a plain text file containing a list of computer names as input, and adds the trustee (AD user or group) as an administrator on the specified computer(s). The script reports an error if the account is already a member.

 
 
 
 
 
11/12/2015


  • Using the variable %hostname%
    2 Posts | Last post January 15, 2016
    • Hi, I'm trying to achieve the following and I'm hoping your script will be a good place to start.
      
      So in AD we create 2 new groups per server, like SQL01-A and SQL01-R; the -A relates to local admin and -R to local RDP access. These groups are then added manually to the server. Then if we have temp users/contractors etc. start that need access to server X, Y we can add them to these groups as needed in AD and that grants them the correct rights locally. It's also great to have this central visible view of rights in the IT estate.
      
      So the question is, can this be automated using your script? I'm thinking it could be used alongside SCCM baselines. For example, the baseline would check if a group exists locally on a server, named %hostname%-A and -R, and if they don't it would create them in AD and then add them to the server.
    • Creating the groups in AD is not possible from this script, but you can use the hostname of the server as part of the group name, for example you could do something along these lines:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer Server01 -Trustee "$($env:computername)-A"
  • Warning: Exception calling "add" with "1" argument(s): "Access is denied."
    2 Posts | Last post November 23, 2015
    • I'm running your script as a Domain Admin, plus as a Local Admin on my laptop to test.  I'm getting this error message and I'm not able to figure out why.  Hopefully, you'll have a solution for me.
    • Can you specify the exact command you are executing in order to get this error? Also please mention which operating system and PowerShell version you are using?
      
      This error should normally only occur when you are running as a non-administrative user. Can you verify that you are running in an 'elevated' console, a PowerShell console started with 'Run as Administrator'?
  • How to check whether an AD Group is a member of Local Administrator on List of servers
    2 Posts | Last post November 12, 2015
    • Hello Sir
      
      I want to check whether an AD Group "Pz\Pq server Admins" is a part of Local Administrator on list of servers.
    • That is a good question, currently I only have a script that sets users in the local administrative group. It would be a nice addition to also write a script that gathers this information. I will take a look if I can find some time to write this.
      
      For now you could use something along these lines:
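      'server1','server2' | ForEach-Object {
          $Computer = $_
          # Enumerate the members of the local Administrators group through the WinNT provider
          ([ADSI]("WinNT://$Computer/Administrators,group")).psbase.Invoke('Members') | ForEach-Object {
              New-Object -TypeName PSCustomObject -Property @{
                  Computer = $Computer
                  # Each member is a COM object; read its Name property via reflection
                  AdminUser = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
              }
          }
      }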
  • This script works on Windows Server 2012R2
    2 Posts | Last post October 14, 2015
    • Just to let you know.
    • Excellent, thank you for your feedback!
      
      I have just updated this project and also tested it on Windows 10 and 8.
  • "The network path was not found." error
    2 Posts | Last post September 28, 2015
    • Just tried it and did not work for me. What could be the issue?
      
      PS C:\TEMP> .\Set-ADAccountasLocalAdministrator.ps1 -Computer 'UKPC001' -Trustee Dom\myuser
      UKPC001
      Adding 'myuser' to Administrators group on 'UKPC001'
      WARNING: The following exception occurred while retrieving member "add": "The network path was not found.
      "
      
    • Hello Ilkin, that error message seems to indicate a connectivity issue. This could be caused by the machine not existing, firewall blocking remote management or other network related issues.
      
      What you could do to resolve this is to check if the machine responds to ping, if that works you could try another form of remote management. For example connecting to the machine using the computer management console to establish if the required services are running and available on the system.
  • Exercise in error checking
    2 Posts | Last post June 21, 2015
    • Excellent exercise in error checking. Never heard of 'write-warning' or 'test-path' before. Thank you. But this illustrates perfectly what's required to allow a non-PS person to use a PS script; the entire thing really is to execute one line of code: ([ADSI]"WinNT://$_/Administrators,group").add($Trustee). [Reminds me of the corporate change control process: a week's worth of approvals for 60 seconds of 'change'.]
    • Indeed, many of the scripts I uploaded here can be executed as one-liners as well. I write a function or script to facilitate error handling, verbose output and pipeline functionality. Add in some comment-based help functionality and a single line of code turns into anywhere between a couple of dozen and several hundred lines of code.
  • Local Administrators Group Name for French installation
    4 Posts | Last post June 11, 2015
    • Thanks for your script, but if the local administrators group is named "administrators" it works, but if it is named "Administrateurs" for French it doesn't work.
      Would it be possible for you to check the name of the local administrators group?
      I think other languages have the same problem.
    • Thanks for letting me know, this is indeed dependent on system localizations. I will look into this and update this in the next version of this script.
    • Jaap,
      
      Thanks for your prompt answer.
      I'm waiting for the future release.
      I don't understand why people don't think international when developing scripts (me too).
      I think that developing an international function will be the best.
    • I don't know how it is for others, but for me when I write a script I usually start from what works for me personally. Testing for each regional setting is something that would consume a lot of time so I wasn't actually aware that this would not work.
      
      That is why I am happy you pointed it out, because now I can fix it :) So thanks again for pointing this out.
  • How could I implement the out-file parameter in the script?
    2 Posts | Last post May 28, 2015
    • Hello Jaap,
      what is the syntax for piping the output to a file with powershell?
      
      many thanks
      richard
    • Currently that is not supported. What kind of output would be useful for you?
  • runas or like add-admin.ps1 -CurrentAdmin capabilities?
    2 Posts | Last post May 28, 2015
    • I am curious if it's possible to run this as a specific user much like the add-admin.ps1 script on the TechNet does?  I have tried and failed to add that functionality to this utility but I'm afraid I'm just not very versed in PowerShell...
    • Hello Dewplex,
      
      I am unsure what you mean, do you mean running this script with a different set of credentials? If that is what you want you could run this script using a PowerShell session, or by using Invoke-Command.
  • unexpected token error
    1 Posts | Last post November 06, 2014
    • Hello Jaap,
      
      I am trying to run the script but got this error:
      
      PS C:\Users\aarwf\documents> ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irtsecurefusion
      At line:1 char:43
      + ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
      +                                           ~~~~~~~~~
      Unexpected token '-Computer' in expression or statement.
      At line:1 char:53
      + ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
      +                                                     ~~~~~~~~~~~
      Unexpected token 'CNc.nih.gov' in expression or statement.
          + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
          + FullyQualifiedErrorId : UnexpectedToken
      
      Can you please help?
      
      thanks
      
      Ron