Add AD User/Group to Local Administrator Group

Hi Jaap,

I tried different options and all of them throw this below error:

PS H:\PowershellScripts> .\Set-ADAccountasLocalAdministrator.ps1 -InputFile h:\PowershellScripts\servers.txt -Trustee mdynycmas\ravik
Missing closing ')' in expression.
At H:\PowershellScripts\Set-ADAccountasLocalAdministrator.ps1:92 char:1
+  <<<<
    + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [], ParseException
    + FullyQualifiedErrorId : MissingEndParenthesisInExpression

PS H:\PowershellScripts> .\Set-ADAccountasLocalAdministrator.ps1 -Computer=ptc-wbapmdb101 -Trustee mdynycmas\ravik
Missing closing ')' in expression.
At H:\PowershellScripts\Set-ADAccountasLocalAdministrator.ps1:92 char:1
+  <<<<
    + CategoryInfo          : ParserError: (CloseParenToken:TokenId) [], ParseException
    + FullyQualifiedErrorId : MissingEndParenthesisInExpression

Could you please see why this would occur? 

Thank you!

Hello Balu S,

I have tried to reproduce your error but I can't get the error using the parameters you describe. I have ran this on different versions of PowerShell and different versions of Windows but I could not reproduce the error. Can you ensure you download the latest version of the script and run the command again?

Also could you copy paste the output of the following commands on here? These are the two commands:
$PSVersionTable
Get-Host

Hello Jaap,

My fault...when I downloaded it the first time, I copied the text and pasted it in my text editor and that changed the encoding, resulting in a non-working file. The text editor showed no differences in text compare, but showed differences in hex compare. Today, I downloaded it and saved it as is, and it works fine! Thank you very much for this extremely handy script!

Two requests:

a) Could you please tweak the script to allow a new parameter with the Local Group name, so that the user can input which group user is to be added? We frequently need to add users to the "Remote Desktop Users" group. 

b) Could you please create a new script to REMOVE users from any group?

Thanks a ton for the help

Balu

Works Like a Bomb. Thanks

Hi, 
I am going to use this to add a group to a local admin group. However, the group name has spaces in it. How is this handled? Your answer will help me with future scripting too ;) ..
Thanks!

You can put quotation marks around it, for example:

.\Set-ADAccountasLocalAdministrator.ps1.ps1 -Computer Server01 -Trustee "Your Group"

or:

.\Set-ADAccountasLocalAdministrator.ps1.ps1 -Computer Server01 -Trustee 'Your Group'

Both will achieve the same result.

Hi,
I am actually using your script in a different way - I will be querying a user for the group name, and them putting it in quotes will not work for me. Having said that, is there a way to escape or double quote, or something, if I will not be getting the group name in the double quotes format? 
Thanks! And thanks for your script!

Hello bvi1998,

Can you show me how you are getting the data, it can vary based on how you are calling this script. If you can show me the code you are currently working with, I can probably show you how to amend this.

Regards,

Jaap

Hi, I'm trying to achieve the following and I'm hoping your script will be a good place to start.

So in AD we create 2 new groups per server, like SQL01-A and SQL01-R the -A relates to local admin and -R to local RDP access. These groups are then added manually to the server. Then if we have temp user/contractors etc etc start that needs access to server X, Y we can add them to these groups as need in AD and that grants them the correct rights locally. It also great to have this central visible view of rights in the IT estate.

So the question is can this be automated using your script. I'm thinking it could be used alongside SCCM baselines. For example, the baseline would checks if a group exists locally on a server, named %hostname%-A and -R and if they don't it would create them in AD and then add them to the server. 

Creating the groups in AD is not possible from this script, but you can use the hostname of the server as part of the group name, for example you could do something along these lines:

.\Set-ADAccountasLocalAdministrator.ps1.ps1 -Computer Server01 -Trustee "$($env:computername)-A"

I'm running your script as a Domain Admin, plus as a Local Admin on my laptop to test.  I'm getting this error message and I'm not able to figure out why.  Hopefully, you'll have a solution for me.

Can you specify the exact command you are executing in order to get this error? Also please mention which operating system and PowerShell version you are using?

This error should normally only occur when you are running as a non-administrative user, can you verify that you are running in an 'elevated' console, a PowerShell console started with 'Run as Administrator'

Hello Sir

I want to check whether an AD Group "Pz\Pq server Admins" is a part of Local Administrator on list of servers.

That is a good question, currently I only have a script only that sets users in the local administrative group. It would be a nice addition to also write a script that also gathers this information. I will take a look if I can find some time to write this.

For now you could use something along these lines:
'server1','server2' | ForEach-Object {
    $Computer = $_
    ([ADSI]("WinNT://$Computer/Administrators,group")).psbase.invoke(“Members”) | ForEach-Object {
        New-Object -TypeName PSCustomObject -Property @{
            Computer = $Computer
            AdminUser = $_.GetType().InvokeMember(“Name”, ‘GetProperty’, $null, $_, $null)
        }
    }
}

Just to let you know.

Excellent thank you for your feedback!. 

I have just updated this project and also tested it on Windows 10 and 8.

Just tried it and did not work for me. What could be the issue?

PS C:\TEMP> .\Set-ADAccountasLocalAdministrator.ps1 -Computer 'UKPC001' -Trustee Dom\myuser
UKPC001
Adding 'myuser' to Administrators group on 'UKPC001'
WARNING: The following exception occurred while retrieving member "add": "The network path was not found.
"

Hello Ilkin, that error message seems to indicate a connectivity issue. This could be caused by the machine not existing, firewall blocking remote management or other network related issues.

What you could do to resolve this is to check if the machine responds to ping, if that works you could try another form of remote management. For example connecting to the machine using the computer management console to establish if the required services are running and available on the system.

Excellent exercise in error checking. Never heard of 'write-warning' or 'test-path' before. Thank you. But this illustrates perfectly what's required to allow a non-PS person to use a PS script; entire thing really is to execute one line of code: ([ADSI]"WinNT://$_/Administrators,group").add($Trustee). [Reminds me of the corporate change control process: a weeks worth of approvals for 60 seconds of 'change'.]

Indeed, many of the scripts I uploaded here can be executed as one-liners as well. I write a function or script to facilitate error handling, verbose output and pipeline functionality. Add in some comment based help functionality and a single line of code turns into anywhere in between a couple of dozens to several hundred lines of code.

Thank's for your script, but if local administrators group is named "administrators" ir's work but if it's name "Administrateurs" for french it doesn't work.
Could it be possible that your check the name of the local administrators group.
I think others language have the same problems.

Thanks for letting me know, this is indeed dependent on system localizations. I will look into this and update this in the next version of this script.

Jaap,

Thank's for your prompt answer.
I'm waiting the futur release.
I don't understand why people don't think International to developp script (Me too).
I think that developping a Function International will be the best.

I don't know how it is for other but for me when I write a script I usually start from what works for me personally. Testing for each regional setting is something that would consume a lot of time so I wasn't actually aware that this would not work.

That is why I am happy you pointed it out, because now I can fix it :) So thanks again for pointing this out.

Hello Jaap,
what is the syntax for piping the output to a file with powershell?

many thanks
richard

Currently that is not support, what kind of output would be useful for you?