Add AD User/Group to Local Administrator Group

The script accepts either a plain text file containing a list of computer names or a single computer name as input, and adds the trustee (AD user or group) as an administrator on the specified computer(s). The script will report back errors if the account is already a member.

 
 
 
 
 
11/12/2015


  • remove
    3 Posts | Last post November 24, 2013
    • Nice script, works great for me.
      Do you have a similar script to remove accounts/groups from local admin group?
      
    • Not yet, but I can see the benefit of having such a script. I will post an update here once I have created and uploaded it to TechNet
    • Thanks for sharing !
  • Script will not run. Aborts with an error.
    1 Posts | Last post November 06, 2013
    • Hello,
      When I tried to run this script on a Windows XP Pro computer, it abends with the following error:
      
      Missing closing ')' in expression.
      At P:\Downloads\PowerShell Scripts\Set-ADAccountasLocalAdministrator.ps1:48 char:5
      +     [ <<<< string]
      
      I extracted the script from the downloaded ZIP file and have not modified it in any way. What might be the problem?
  • Path not found
    2 Posts | Last post October 10, 2013
    • Hello,
      
      Thanks for making this script. I get the following error when trying to execute.
      
      WARNING: The following exception occurred while retrieving member "add": "The network path was not found."
      
      I am able to RDP & Ping the node. Would script execution being disabled cause this problem? Sorry for the noob question.
    • What is the exact code that you are using to execute the code? If you post that I should be able to troubleshoot what is causing this problem.
      
      If script execution is disabled locally then you would not be able to get this message. The policy on the remote machine does not matter; even if the remote machine does not have PowerShell installed, this script should be able to add users to that machine's groups.
  • Adding Domain Groups to local Administrator
    6 Posts | Last post October 01, 2013
    • Hello,
      
      I would like to know if there is a way to add Domain Groups automatically to the local Administrators.
      I read all posts before and saw Saeidan's question, which hits my requirements exactly. In my current environment, it's not possible to use GPOs.
      Any ideas how to solve my problem?
      
      Best regards
      
      m3ta
      
    • If you have a list of computers to which a certain group or number of groups needs to be added, then you can do a number of things:
      - Schedule the groups to be added when the computer is deployed
      - Run the script from a central location and run the script against a number of computers, assuming all systems are currently online
      
      What scenario would work for you?
    • I think the second scenario is the right one.
      But there is one problem to solve. The only account I am able to use for a remote PowerShell session is the Administrator account. So I have to configure the server to be able to log in remotely. Any tuts?
      
      The script to add several AD groups to the local Administrators, while I'm logged in with MY personal AD account, is ready.
      I used your script with multiple changes. I would share my solution if someone is interested.
      
      
    • I would be interested in seeing what you have done, please do share your solution!
    • http://pastebin.com/RKpxHQNP
      This is "my" solution. 
      - remote login while using local Administrator Account
      - Adding Domain Groups / Users to local Administrators using Domainaccount
      - Adding Computerdescription
      - Adding SNMP Community Name
      - Adding SNMP Agent Location
      - Adding SNMP Agent Contact
      
      THIS script was made for the GERMAN Administrators group (Administratoren).
      If you use a different system language, you have to edit this script.
      
    • Before using this script, you have to run these commands:
      
      Server: 
      Enable-PSRemoting -Force
      set-executionpolicy unrestricted 
      
      Your Computer:
      set-executionpolicy unrestricted 
      
      
  • I have a similar error
    3 Posts | Last post September 26, 2013
    • instead of 
      The following exception occurred while retrieving member "add":"the group name can not be found"
      I get
      The following exception occurred while retrieving member "add":"the network path was not found"
      
    • a stupid space after each computer name!
    • Ah excellent, glad to see you fixed your own problem. Hope the script works correctly for you!
  • Error adding a group with spaces as Trustee
    3 Posts | Last post September 26, 2013
    • I'm trying to add one of our AD groups in our "built-in" OU to the local "Event Log Readers" group on a server.  The AD group I want to add is also called "Event Log Readers"
      
      When I run the command (which I modified the file name slightly) .\Set-ADGroupasLocalEventLogReaders.ps1 -Computer Abernethy-NUB -Trustee 'Event Log Readers' I get the following error:
      
      WARNING: Exception calling "add" with "1" argument(s): "A member could not be
      added to or removed from the local group because the member does not exist."
      
      I tried without the '' and I tried with "" but it doesn't seem to work when trying to add a group name with spaces in it as a Trustee.  Thoughts?
    • Hmm.. it appears that it doesn't like ANY groups in the Builtin OU.  I worked around this by creating new groups (without spaces in the name) and used those instead.
    • Indeed, I have tried to look for a workaround but the .Add method does not seem to support built-in groups. I will have to look into this to find a proper solution for this. Thanks for reporting this!
  • Do you have a similar PS1 to remove users or groups?
    2 Posts | Last post September 13, 2013
    • Many thanks for this script!  Saved me hours of work!
    • No problem, thanks for taking the time to let me know you like the script!
  • The group name can not be found
    7 Posts | Last post August 09, 2013
    • Hi Jaap!
      
      I try to add a user 'DAX' (display name: David Axis / dax@em-domain.com) of the domain 'EM-DOMAIN' to the admin local group of the computer 'POEMBLGDAX' but when I do like this [.Set-ADAccountasLocalAdministrator.ps1 -computer 'POEMBLGDAX' -trustee EM-DOMAIN\DAX] it says 'the group name can not be found' thus it's a user, not a group! Any idea?
      
      Thanks! ;-)
    • Depends where the error is generated. Could you copy paste exactly what you typed in the console and the exact error message and post it here, then I can get a better understanding of what is going wrong.
      
      Also I noticed you had a square bracket behind dax], did you also type that when you were trying to execute the script? For the script to work the domain and samaccountname should match exactly.
    • Hi Jaap, thanks for your quick reply!
      
      This is exactly what I write:
      
      .Set-ADAccountasLocalAdministrator.ps1 -computer 'POEMBLGDAX' -trustee EM-PDOMAIN\DAX
      
      And I get the following error:
      
      The following exception occurred while retrieving member "add":"the group name can not be found"
      
      That's almost everything I have!
    • The 'EM-PDOMAIN\DAX' was correctly written in the shell. ;-)
    • Well, the only scenario in which I can imagine that happening is when the group actually does not exist. This can be the case on systems on which the Administrators group has either been renamed or because of regional localization has a different name.
      
      Could you execute the following line of code, it will list all the groups available on the POEMBLGDAX computer:
      ([adsi]"WinNT://poemblgdax,computer").psbase.children | Where-Object {$_.psbase.schemaclassname -eq 'group'} | ForEach-Object {$_.psbase.name}
      
      Can you verify that the 'Administrators' group actually exists on that system?
      
    • That's it! My OS is in French and therefore I've replaced "Administrators" by "Administrateurs" and it works, now! Thanks a lot for your help. ;-)
    • No problem, I should look into automatic detection for localized and renamed administrative groups. I will probably add this in a future version!
  • error when running the script with an input file.
    4 Posts | Last post July 22, 2013
    • Here is the error I am getting.  
      PS C:\scripts\scripts> .\Set-ADAccountasLocalAdministrator.ps1 -InputFile BIM_TEST_DEV_Servers.txt -Trustee RDP-TestDev-BIM
      Adding 'RDP-TestDev-BIM' to Administrators group on 'nassasql01t,'
      WARNING: The following exception occurred while retrieving member "add":
      "Unknown error (0x80005000)"
    • Most likely because your inputfile does not contain the right names. What I can tell from your output is that your computer name includes a comma character. This causes the LDAP/WINNT providers to fail. Could you check your file for comma characters and remove those to verify if that resolves your issue?
    • Thanks, that was it.  Now I am having a different issue.  What modifications can be made to use the domain\securitygroup format?  We have 2 domains with a full trust and the group I want to add belongs to domain1 while some computers belong to domain2, so I am getting the error: "WARNING: Exception calling "add" with "1" argument(s): "Access is denied.".  If I try running it using my domain2 admin account the domain1\securitygroup cannot be found because it is only looking in domain2.
      Thanks again  
    • I have updated the script to be able to use the domain\user notation, let me know if it works better now. Version 1.1 has basic support built-in for this.
  • Add users of domain to computer
    2 Posts | Last post July 18, 2013
    • I executed the script as:
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer mycomputername -Trustee MYDOMAINCONTROLLER\myuserindomain
      
      and I am getting this error:
      WARNING: User 'MYDOMAINCONTROLLER\myuserindomain' not found in AD, please input correct SAM Account
      
      What could be the mistake?
    • The script checks for the samaccountname of the user, so if you use contoso\administrator it will fail. Try changing your command to the following:
      
      .\Set-ADAccountasLocalAdministrator.ps1 -Computer mycomputername -Trustee myuserindomain
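
Two failures reported in the threads above, a trailing comma or space in the input file ("network path was not found", 0x80005000) and a localized or renamed Administrators group ("the group name can not be found"), can be ruled out before any membership change is attempted. The following is an added example, not part of the original script: the function names are hypothetical, the sample lines are constructed, and it assumes the WinNT provider on the target is reachable.

```powershell
# Added example; function names are hypothetical and not part of the original script.

function Get-CleanComputerName {
    param([string[]]$Line)
    foreach ($entry in $Line) {
        # Split on commas, semicolons and whitespace so 'nassasql01t,' and
        # 'POEMBLGDAX ' both yield a bare host name.
        foreach ($name in ($entry -split '[,;\s]+')) {
            if ($name -eq '') { continue }
            # Accept only host-name characters; anything else would end up in the ADSI path.
            if ($name -match '^[A-Za-z0-9][A-Za-z0-9.-]*$') { $name }
            else { Write-Warning "Skipping invalid computer name '$name'" }
        }
    }
}

function Get-LocalAdministratorsGroupName {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # S-1-5-32-544 is the well-known SID of the built-in Administrators group.
    # It stays the same when the group is localized or renamed.
    $groups = ([adsi]"WinNT://$ComputerName,computer").psbase.Children |
        Where-Object { $_.psbase.SchemaClassName -eq 'group' }
    foreach ($group in $groups) {
        $sidBytes = $group.psbase.Properties['objectSid'].Value
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -eq 'S-1-5-32-544') { return [string]$group.psbase.Name }
    }
    throw "No group with SID S-1-5-32-544 found on '$ComputerName'"
}

# Constructed sample input reproducing the trailing comma and trailing space cases.
$sampleLines = 'nassasql01t,', 'POEMBLGDAX ', '', 'srv#01'
foreach ($computer in (Get-CleanComputerName -Line $sampleLines)) {
    try {
        $groupName = Get-LocalAdministratorsGroupName -ComputerName $computer
        Write-Output "$computer : local admin group is '$groupName'"
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

The resolved group name can then be used in place of a hard-coded 'Administrators', 'Administrateurs' or 'Administratoren' when building the WinNT path for the group.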