I built 38 new servers and needed to add a domain group to the local administrator group of all of them. Instead of using computer management (compmgmt.msc) to connect to each one, or a GPO, I decided to use PowerShell, and found it’s actually pretty simple to do.


Here’s how we list local admins:
First you have to get the group itself:

    $group = [ADSI]"WinNT://$server/Administrators"

Then you have to get the members of that group:

    $admins = @($group.psbase.Invoke("Members"))

Now to output those members:

    $admins | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

Adding is just as simple:
Get the domain group:

    $adgroup = [ADSI]"WinNT://domain/$admingroup"

Obviously you’ll have to change ‘domain’ to the FQDN of your domain. Next we get the local group, same as we did above:

    $localgroup = [ADSI]"WinNT://$server/Administrators"

Now we add the domain group to the local group:

    $localGroup.PSBase.Invoke("Add",$adgroup.PSBase.Path)

You can run them separately, but I tied it all together to come up with my script so it shows me which server it’s working on and lists local admins when it’s done.

The -servers and -admingroups parameters are arrays and can be specified like this:

    Set-LocalAdmins.ps1 -servers ("host1","host2","host3") -admingroups ("group1","group2","group3")

or

    Set-LocalAdmins.ps1 -servers host1 -admingroups group1

Here’s the script itself (don’t forget to change ‘domain’ on line 10 to the FQDN of your domain):

param([string[]]$servers = $null, [string[]]$admingroups = $null)
 
function AddGroup(){
Foreach ($server in $servers){
    $ping = gwmi win32_pingstatus -filter "Address='$server'"
    #if it pings, check it
    if($ping.statuscode -eq 0){
        write-host -foregroundcolor "green" `n `t "Now working on $server"
        Foreach ($admingroup in $admingroups){
            $adgroup =[ADSI]"WinNT://corp.domain.com/$admingroup"
            $localgroup =[ADSI]"WinNT://$server/Administrators"
            $localGroup.PSBase.Invoke("Add",$adgroup.PSBase.Path)
        }
        $localadmingroup =[ADSI]"WinNT://$server/Administrators"
        $admins = @($localadmingroup.psbase.Invoke("Members")) 
        $admins | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)} 
        }
    else{write-host -foregroundcolor Red `n`t "$server is not pingable" `n}
}
}
 
Function Usage(){
	Write-host -foregroundcolor green `n`t"This script is used to add domain groups to local admins."
	Write-host -foregroundcolor green `n`t"You can specify -servers and -admingroups as arrays:"
	write-host -foregroundcolor yellow `n`t`t"Set-LocalAdmins.ps1 -servers (`"host1`",`"host2`",`"host3`") -admingroups (`"group1`",`"group2`",`"group3`")"
	Write-host -foregroundcolor green `n`t"or specify each individually:"
	write-host -foregroundcolor yellow `n`t`t"Set-LocalAdmins.ps1 -servers host1 -admingroups group1" `n
}
 
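# Show usage and stop if either parameter is missing.
# 'return' is used because 'break' outside a loop can also terminate a calling script's loop.
if (($servers -eq $null) -or ($admingroups -eq $null)){
    Usage
    return
}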
 
AddGroup
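
The following is an added example, not part of the original script: it makes the add step safe to re-run and lists members by ADsPath so the result can be checked against an expected set of local admins. The function names Get-LocalAdminMember and Add-DomainGroupIfMissing and the $expected allowlist are hypothetical; host1, group1 and corp.domain.com are the placeholder values used above, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of the original script. Function names are hypothetical.
# Assumes PowerShell 3.0+ for [pscustomobject].

function Get-LocalAdminMember {
    param([Parameter(Mandatory = $true)][string]$Server)
    $group = [ADSI]"WinNT://$Server/Administrators"
    foreach ($member in @($group.PSBase.Invoke("Members"))) {
        $type = $member.GetType()
        # ADsPath keeps the domain or machine prefix that Name alone drops,
        # so a domain group and a same-named local account stay distinguishable.
        [pscustomobject]@{
            Server  = $Server
            Name    = $type.InvokeMember("Name",    'GetProperty', $null, $member, $null)
            Class   = $type.InvokeMember("Class",   'GetProperty', $null, $member, $null)
            ADsPath = $type.InvokeMember("ADsPath", 'GetProperty', $null, $member, $null)
        }
    }
}

function Add-DomainGroupIfMissing {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $path  = ([ADSI]"WinNT://$Domain/$GroupName").PSBase.Path
    $local = [ADSI]"WinNT://$Server/Administrators"
    try {
        # IsMember skips the Add when the group is already present; if the provider
        # does not match this path form, the error from Add is caught below.
        if ($local.PSBase.Invoke("IsMember", $path)) { return "AlreadyMember" }
        $local.PSBase.Invoke("Add", $path)
        return "Added"
    }
    catch {
        # A misspelled group or an unreachable server is reported here.
        return "Failed: $($_.Exception.Message)"
    }
}

# Constructed sample values: adjust the allowlist to your own baseline.
$expected = 'Administrator', 'Domain Admins', 'group1'
Add-DomainGroupIfMissing -Server host1 -Domain corp.domain.com -GroupName group1
# Anything printed here is a local admin that is not in the expected set.
Get-LocalAdminMember -Server host1 |
    Where-Object { $expected -notcontains $_.Name } |
    Format-Table Server, Name, Class, ADsPath -AutoSize
```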