Add AD User/Group to Local Administrator Group

Hi, I'm trying to achieve the following and I'm hoping your script will be a good place to start.

So in AD we create 2 new groups per server, like SQL01-A and SQL01-R the -A relates to local admin and -R to local RDP access. These groups are then added manually to the server. Then if we have temp user/contractors etc etc start that needs access to server X, Y we can add them to these groups as need in AD and that grants them the correct rights locally. It also great to have this central visible view of rights in the IT estate.

So the question is can this be automated using your script. I'm thinking it could be used alongside SCCM baselines. For example, the baseline would checks if a group exists locally on a server, named %hostname%-A and -R and if they don't it would create them in AD and then add them to the server. 

Creating the groups in AD is not possible from this script, but you can use the hostname of the server as part of the group name, for example you could do something along these lines:

.\Set-ADAccountasLocalAdministrator.ps1.ps1 -Computer Server01 -Trustee "$($env:computername)-A"

I'm running your script as a Domain Admin, plus as a Local Admin on my laptop to test.  I'm getting this error message and I'm not able to figure out why.  Hopefully, you'll have a solution for me.

Can you specify the exact command you are executing in order to get this error? Also please mention which operating system and PowerShell version you are using?

This error should normally only occur when you are running as a non-administrative user, can you verify that you are running in an 'elevated' console, a PowerShell console started with 'Run as Administrator'

Hello Sir

I want to check whether an AD Group "Pz\Pq server Admins" is a part of Local Administrator on list of servers.

That is a good question, currently I only have a script only that sets users in the local administrative group. It would be a nice addition to also write a script that also gathers this information. I will take a look if I can find some time to write this.

For now you could use something along these lines:
'server1','server2' | ForEach-Object {
    $Computer = $_
    ([ADSI]("WinNT://$Computer/Administrators,group")).psbase.invoke(“Members”) | ForEach-Object {
        New-Object -TypeName PSCustomObject -Property @{
            Computer = $Computer
            AdminUser = $_.GetType().InvokeMember(“Name”, ‘GetProperty’, $null, $_, $null)
        }
    }
}

Just to let you know.

Excellent thank you for your feedback!. 

I have just updated this project and also tested it on Windows 10 and 8.

Just tried it and did not work for me. What could be the issue?

PS C:\TEMP> .\Set-ADAccountasLocalAdministrator.ps1 -Computer 'UKPC001' -Trustee Dom\myuser
UKPC001
Adding 'myuser' to Administrators group on 'UKPC001'
WARNING: The following exception occurred while retrieving member "add": "The network path was not found.
"

Hello Ilkin, that error message seems to indicate a connectivity issue. This could be caused by the machine not existing, firewall blocking remote management or other network related issues.

What you could do to resolve this is to check if the machine responds to ping, if that works you could try another form of remote management. For example connecting to the machine using the computer management console to establish if the required services are running and available on the system.

Excellent exercise in error checking. Never heard of 'write-warning' or 'test-path' before. Thank you. But this illustrates perfectly what's required to allow a non-PS person to use a PS script; entire thing really is to execute one line of code: ([ADSI]"WinNT://$_/Administrators,group").add($Trustee). [Reminds me of the corporate change control process: a weeks worth of approvals for 60 seconds of 'change'.]

Indeed, many of the scripts I uploaded here can be executed as one-liners as well. I write a function or script to facilitate error handling, verbose output and pipeline functionality. Add in some comment based help functionality and a single line of code turns into anywhere in between a couple of dozens to several hundred lines of code.

Thank's for your script, but if local administrators group is named "administrators" ir's work but if it's name "Administrateurs" for french it doesn't work.
Could it be possible that your check the name of the local administrators group.
I think others language have the same problems.

Thanks for letting me know, this is indeed dependent on system localizations. I will look into this and update this in the next version of this script.

Jaap,

Thank's for your prompt answer.
I'm waiting the futur release.
I don't understand why people don't think International to developp script (Me too).
I think that developping a Function International will be the best.

I don't know how it is for other but for me when I write a script I usually start from what works for me personally. Testing for each regional setting is something that would consume a lot of time so I wasn't actually aware that this would not work.

That is why I am happy you pointed it out, because now I can fix it :) So thanks again for pointing this out.

Hello Jaap,
what is the syntax for piping the output to a file with powershell?

many thanks
richard

Currently that is not support, what kind of output would be useful for you?

I am curious if it's possible to run this as a specific user much like the add-admin.ps1 script on the Technet does?  I have tried and failed to add that functionality to this utility but I'm afraid I'm just not very versed in Powershell...

Hello Dewplex,

I am unsure what you mean, do you mean running this script with a different set of credentials? If that is what you want you could run this script using a PowerShell session, or by using Invoke-Command.

Hello Jaap,

I am trying to run the script but got this error:

PS C:\Users\aarwf\documents> ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irtsecurefusion
At line:1 char:43
+ ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
+                                           ~~~~~~~~~
Unexpected token '-Computer' in expression or statement.
At line:1 char:53
+ ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
+                                                     ~~~~~~~~~~~
Unexpected token 'CNc.nih.gov' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Can you please help?

thanks

Ron