Add AD User/Group to Local Administrator Group

Hello Jaap,

I am trying to run the script but got this error:

PS C:\Users\aarwf\documents> ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irtsecurefusion
At line:1 char:43
+ ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
+                                           ~~~~~~~~~
Unexpected token '-Computer' in expression or statement.
At line:1 char:53
+ ".\Set-ADAccountasLocalAdministrator.ps1" -Computer CNc.nih.gov -Trustee NIH\irt ...
+                                                     ~~~~~~~~~~~
Unexpected token 'CNc.nih.gov' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

Can you please help?

thanks

Ron

Ran your script and got:

PS C:\Users\vision\Desktop> .\Set-ADAccountasLocalAdministrator.ps1 -Trustee vision
C:\Users\vision\Desktop\Set-ADAccountasLocalAdministrator.ps1 : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ .\Set-ADAccountasLocalAdministrator.ps1 -Trustee vision
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-ADAccountasLocalAdministrator.ps1], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Set-ADAccountasLocalAdministrator.ps1
 

Hi Jaap,

May I know the port requirements for running this script? Lets say the local and target machines are on different subnets with a physical firewall in between?

Many thanks.

Hi Jaap,

Your script to add users to the Local Admin group worked great.  How would I go about changing it to Remove Users from Local Admin group?

Hi There Jaap,
Here is my situation. Hope you can help me. I have a file that has the MAC addresses, Computernames and AD usernames. Once the laptop has joined the domain I would like to run this script where it checks the above text/csv file and adds the corresponding user (based on the computername) to the local admins group on the laptop.
Hope this makes sense.
Would love it if you can help out.
Cheers
Dan

Sure that seems relatively simple, what you can do is the following assuming you have a csv file with columns named computername and username, if not change it accordingly:
Import-Csv -Path InputForLocalAdmins.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

Sorry Jaap,
Does that mean I put in the above code at the top of the script file and then run it?
Cheers
Dan

Assuming you are in the same folder as the script you can just run the code. If you are not in the same folder you should enter the complete path of the Set-ADAccountasLocalAdministrator script.

Hi Jaap,
Thanks very much for your help. Unfortunately powershell scripts have been disabled on the computers. I dont know if its a GP or something else like me not enabling PS1. Either way I was wondering if you can convert it to VBScript. I know they work. So that I can still use a csv file to import the data.
Thanks heaps mate.
Dan

Assuming you have domain administrative credentials you could create an OU that has policy inheritance blocked and place the computer object of your management server in there. This will allow you to execute the script. You could also check if the PowerShell execution policy is set to the correct level, verify this by typing the following:
Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted -Force

Although it is possible to do this in vbscript I would advise getting PowerShell up and running in your environment as it is an order of magnitude more useful in a corporate environment.

Hi Jaap,
Great got. Powershell working yeah!!! Thanks mate 
"Set-ExecutionPolicy Unrestricted -Force"

Now I come across another problem. When I run it, it sits and tries to add the usernames to their corresponding computers in the csv file around the network. Is there a way to only detect the local computerName and add the relavant userName to this current computer. 

Thanks Jaap
Dan

Yes you could, depending on the list of user names you would like to add to the local computer you could do something along these lines:
Import-Csv -Path InputForLocalAdmins.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $env:computername -Trustee $_.username
}
This will add all usernames listed in the csv file to the current computer. I am using the environment variable computername to determine the local computer name. Is that what you meant?

Sorry Jaap,
That's not what I require. If for instance there are 100 laptops and 100 users. I would like each of the laptops to have it's corresponding user as the local administrator. I might only issue 1 or 2 laptops each month and will not know the username of the next user that will have the next laptop. The reaon why I want the names there is that when I re-image(Ghost) the laptop, the user details for that particular laptop will be retireved from the .csv file. So I dont want the script to add the all user details to all the laptops at one run, but at different runs when needed.
computername	username
Laptop001	User1
Laptop002	User2
Laptop003	User3
Laptop004	User4
Laptop005	User5

Hope this makes sense. 
Thank you so much
Regards

Yes that makes sense, then you can change the code to look like this:
Import-Csv -Path InputForLocalAdmins.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}
How does that work for you?

Hi Japp!

I'm trying to do that with a CSV file 20 laptops and 20 different users but when I run the script, I can read "Please Input Trustee" and then "Please Imput computer name" and regarding your explanation, I understand that the proccess has to be automatic. That's correct? so I don't understand where is failing.
CSV is so

Computername		Username
Computer1		8146
Computer1	7023
Computer1		7472
Computer1		c2357
Computer1		c301a
Computer1		c243o
Computer1		c301d
Computer1		c3553
Computer1		c327f
Computer1		c343c


Thanks!

Good afternoon, 
I'm new in the management of scripts, and I would do this test with your script that looks sensational. Well, how do I run it in a GPO? and what parameters should I put in the file to make it work? 

Thanks and I await response.

I have a situation where i need to re add a domain administrative account to the local administrators group on a remote computer where i know the local admin account credentials, can i accomplish this using your script

They are typo mistakes in your script description
The script name should "Set-ADAccountasLocalAdministrator.ps1", not "Get-Set-ADAccountasLocalAdministrator.ps1.ps1". They are also located in this page and the content of the script description.

Hi Jaap-

I would like to know how to add the helpdesk domain user to the local admin security group on my domain? I get the following error.

The term 'Get-Set-ADAccountasLocalAdministrator.ps1.ps1' is not recognized as the name of a cmdlet, function, script fi
le, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
 try again.
At line:1 char:46
+ Get-Set-ADAccountasLocalAdministrator.ps1.ps1 <<<<  -Computer hyvjvm1 -Trustee progenics\helpdesk
    + CategoryInfo          : ObjectNotFound: (Get-Set-ADAccou...strator.ps1.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Because it is a typo mistake in his script
The script name should "Set-ADAccountasLocalAdministrator.ps1", not "Get-Set-ADAccountasLocalAdministrator.ps1.ps1"

This script ROCKS.  Saved me so much time.  Any chance we can get one for REMOVING user/group?