I built 38 new servers and needed to add a domain group to the local administrator group of all of them. Instead of using computer management (compmgmt.msc) to connect to each one, or a GPO, I decided to use PowerShell, and found it’s actually pretty simple to do.
Here’s how we list local admins:
First you have to get the group itself: $group = [ADSI]"WinNT://$server/Administrators"
Then you have to get the members of that group: $admins = @($group.psbase.Invoke("Members"))
Now to output those members: $admins | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
The members come back as raw COM objects, which is why the property is read through InvokeMember rather than $_.Name. Note that "Name" alone does not tell you whether a member is a local account or a domain one; read "ADsPath" the same way if you need to distinguish WinNT://SERVER/... from WinNT://DOMAIN/....
Adding is just as simple:
Get the domain group: $adgroup = [ADSI]"WinNT://domain/$admingroup"
Obviously you'll have to change 'domain' to the FQDN of your domain. Next we get the local group, same as we did above: $localgroup = [ADSI]"WinNT://$server/Administrators"
Now we add the domain group to the local group: $localgroup.PSBase.Invoke("Add",$adgroup.PSBase.Path)
Be aware that Add throws an error if the group is already a member of Administrators, so the step is not safe to re-run blindly; check membership first or catch that error if you plan to run it more than once.
You can run them separately, but I tied it all together to come up with my script so it shows me which server it’s working on and lists local admins when it’s done.
-servers and -admingroups are both arrays and can be specified like this: Set-LocalAdmins.ps1 -servers ("host1","host2","host3") -admingroups ("group1","group2","group3")
or Set-LocalAdmins.ps1 -servers host1 -admingroups group1
Here's the script itself (don't forget to change 'corp.domain.com' on line 10 to the FQDN of your domain):
```
 1  param([string[]]$servers = $null, [string[]]$admingroups = $null)
 2  
 3  function AddGroup(){
 4      Foreach ($server in $servers){
 5          $ping = gwmi win32_pingstatus -filter "Address='$server'"
 6          #if it pings, check it
 7          if($ping.statuscode -eq 0){
 8              write-host -foregroundcolor "green" `n `t "Now working on $server"
 9              Foreach ($admingroup in $admingroups){
10                  $adgroup =[ADSI]"WinNT://corp.domain.com/$admingroup"
11                  $localgroup =[ADSI]"WinNT://$server/Administrators"
12                  $localGroup.PSBase.Invoke("Add",$adgroup.PSBase.Path)
13              }
14              $localadmingroup =[ADSI]"WinNT://$server/Administrators"
15              $admins = @($localadmingroup.psbase.Invoke("Members"))
16              $admins | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
17          }
18          else{write-host -foregroundcolor Red `n`t "$server is not pingable" `n}
19      }
20  }
21  
22  Function Usage(){
23      Write-host -foregroundcolor green `n`t"This script is used to add domain groups to local admins."
24      Write-host -foregroundcolor green `n`t"You can specify -servers and -admingroups as arrays:"
25      write-host -foregroundcolor yellow `n`t`t"Set-LocalAdmins.ps1 -servers (`"host1`",`"host2`",`"host3`") -admingroups (`"group1`",`"group2`",`"group3`")"
26      Write-host -foregroundcolor green `n`t"or specify each individually:"
27      write-host -foregroundcolor yellow `n`t`t"Set-LocalAdmins.ps1 -servers host1 -admingroups group1" `n
28  }
29  
30  if (($servers -eq $null) -or ($admingroups -eq $null)){
31      Usage
32      Break
33  }
34  
35  AddGroup
```
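The listing and adding steps above, and the script that combines them, do the job but have three gaps you will hit on a fleet: Add throws if the group is already a member (so a second run errors out), a failure on one server aborts the loop, and the output is only names written to the console, which tells you nothing about whether "Administrators" refers to a local or a domain principal. The following is an added example, not the original post's script, using the same ADSI WinNT:// technique with those gaps closed: an idempotent add, per-server error capture, optional alternate credentials for the bind, a report-only mode, and object output you can pipe to Export-Csv as a record of who is a local admin on each host afterwards. The domain name corp.domain.com and the parameter names are placeholders.

```powershell
# Added example (not the original post's script): idempotent, credentialed,
# audit-friendly variant of the ADSI WinNT:// approach described above.
param(
    [Parameter(Mandatory = $true)][string[]]$Servers,
    [Parameter(Mandatory = $true)][string[]]$AdminGroups,
    [string]$Domain = 'corp.domain.com',                     # assumption: your domain's FQDN (or NetBIOS name)
    [System.Management.Automation.PSCredential]$Credential,  # optional: credentials used for the remote bind
    [switch]$ReportOnly                                      # list members and planned changes, change nothing
)

# Bind to a WinNT:// path, with explicit credentials if supplied. The
# DirectoryEntry(path, username, password) constructor is what lets this run
# from a session whose logged-on account has no rights on the target servers.
function Get-WinNTEntry([string]$Path) {
    if ($Credential) {
        $password = $Credential.GetNetworkCredential().Password
        return New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $password)
    }
    return [ADSI]$Path
}

# WinNT member objects are raw COM objects, so $m.Name does not work;
# properties have to be read through InvokeMember.
function Get-ComProperty($ComObject, [string]$Name) {
    $ComObject.GetType().InvokeMember($Name, 'GetProperty', $null, $ComObject, $null)
}

# Enumerate a local group as objects. ADsPath is the part that matters for review:
# WinNT://SERVER/... is a local principal, WinNT://DOMAIN/... is a domain one.
function Get-LocalGroupMembership([string]$Server, [string]$GroupName = 'Administrators') {
    $group = Get-WinNTEntry "WinNT://$Server/$GroupName,group"
    foreach ($m in @($group.PSBase.Invoke('Members'))) {
        [pscustomobject]@{
            Server  = $Server
            Name    = Get-ComProperty $m 'Name'
            Class   = Get-ComProperty $m 'Class'
            ADsPath = Get-ComProperty $m 'ADsPath'
            Status  = 'Member'
        }
    }
}

foreach ($server in $Servers) {
    try {
        $hostShort = ($server -split '\.')[0]
        $local     = Get-WinNTEntry "WinNT://$server/Administrators,group"
        $members   = @(Get-LocalGroupMembership $server)

        foreach ($adminGroup in $AdminGroups) {
            $adGroup = Get-WinNTEntry "WinNT://$Domain/$adminGroup,group"
            # Best-effort pre-check: a group with this name whose container is not the
            # server itself (so a same-named local group does not mask a missing domain group).
            $present = $members | Where-Object {
                $_.Class -eq 'Group' -and $_.Name -eq $adminGroup -and
                (($_.ADsPath -replace '^WinNT://', '') -split '/')[0] -ne $hostShort
            }
            if ($present)        { $status = 'AlreadyMember' }
            elseif ($ReportOnly) { $status = 'WouldAdd' }
            else {
                try {
                    $local.PSBase.Invoke('Add', $adGroup.PSBase.Path)
                    $status = 'Added'
                } catch {
                    # Invoke wraps the COM error; unwrap to the COMException. Win32 error 1378
                    # (ERROR_MEMBER_IN_ALIAS, "already a member of the group") is the real
                    # idempotency guard; anything else is a genuine failure for this server.
                    $inner = $_.Exception
                    while ($inner.InnerException) { $inner = $inner.InnerException }
                    if (($inner.HResult -band 0xFFFF) -eq 1378) { $status = 'AlreadyMember' } else { throw }
                }
            }
            [pscustomobject]@{ Server = $server; Name = $adminGroup; Class = 'Group'
                               ADsPath = $adGroup.PSBase.Path; Status = $status }
        }

        # Re-read after the change so the record reflects what is actually on the box.
        if (-not $ReportOnly) { Get-LocalGroupMembership $server }
    } catch {
        [pscustomobject]@{ Server = $server; Name = $null; Class = $null; ADsPath = $null
                           Status = "Error: $($_.Exception.Message)" }
    }
}
```

Run it once with -ReportOnly and export the result (for example .\Set-LocalAdmins.ps1 -Servers host1,host2 -AdminGroups 'Server Admins' -Domain corp.example.com -Credential (Get-Credential) -ReportOnly | Export-Csv admins-before.csv -NoTypeInformation) so you have a before snapshot, then run it for real and keep the after snapshot alongside it. The name-based pre-check is only a convenience; the WinNT provider reports the domain in ADsPath by its NetBIOS name, so the 1378 catch is what actually makes repeat runs safe. On Windows Server 2016 and later you can get the same result with the built-in Get-LocalGroupMember and Add-LocalGroupMember cmdlets over Invoke-Command, which also take -Credential and return objects with a PrincipalSource property; the ADSI form above is what still works on the older hosts the post is about.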
This is a very useful script! I’m modifying it to work with a text file, so that I can make modifications to 50 servers without typing all of them out in array fashion. Thank you for sharing it.
Awesome, glad I could help!
I know this is an old post, but hoping that you may be able to help.
How can I pass domain credentials to the server so that I may list the groups available without being logged in with an account that has domain rights?
Is there anything else I need to edit besides the domain on line 10 for the script to work? I also added the server names and group on line 25, then ran it, but nothing happens. It just outputs the information that's in the script only.