When building out a workstation for an AD Domain user, in some environments the user is added to the local Administrators group to allow the user to install and configure applications. Now there are some of us who think that’s a Bad Idea and a Security Risk, but the reality is that it’s policy in some organizations. Doing this with the GUI is easy, but who wants to have to use the GUI for anything? Especially for a highly repetitive task that you’re going to have to do on every user’s workstation. So, let’s use PowerShell and [ADSI] to do the heavy lifting.
The first step is to define the target we want to add the user to:
```powershell
$ComputerName = "workstation01"
$Group = "Administrators"
$target=[ADSI]"WinNT://$ComputerName/$Group,group"
```
Next, we invoke the Add method on that target to add the user to the group.
```powershell
$Domain = 'TreyResearch'
$UserName = 'Charlie.Russel'
$target.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$UserName").path)
```
And that’s really all there is to it.
(Note, by the way, that this is one of the only places in PowerShell where CASE MATTERS. The WinNT provider name in the path is case sensitive, so don’t change it to winnt or WINNT. It won’t work.)
Finally, let’s pull all that together into a script that accepts the user name, the target computer, and the AD Domain as parameters:
```powershell
<#
.Synopsis
Adds a user to the Local Administrators group
.Description
Add-myLocalAdmin adds a user to the local Administrators group on a computer.
.Example
Add-myLocalAdmin Charlie.Russel
Adds the TreyResearch user Charlie.Russel to the Administrators local group on the localhost.
.Example
Add-myLocalAdmin Charlie.Russel -ComputerName ws-crussel-01
Adds the TreyResearch user Charlie.Russel to the Administrators local group on ws-crussel-01.
.Example
Add-myLocalAdmin -UserName Charlie.Russel -ComputerName ws-crussel-01 -Domain Contoso
Adds the Contoso user Charlie.Russel to the Administrators local group on ws-crussel-01.
.Parameter UserName
The username to add to the Administrators local group. This should be in the format first.last.
.Parameter ComputerName
[Optional] The computer on which to modify the Administrators group. The default is localhost
.Parameter Domain
[Optional] The user's Active Directory Domain. The default is TreyResearch.
.Inputs
[string]
[string]
[string]
.Notes
    Author: Charlie Russel
 Copyright: 2017 by Charlie Russel
          : Permission to use is granted but attribution is appreciated
   Initial: 21 June, 2017 (cpr)
   ModHist:
          :
#>
[CmdletBinding()]
Param(
     [Parameter(Mandatory=$True,Position=0)]
     [alias("user","name")]
     [string]
     $UserName,
     [Parameter(Mandatory=$False,Position=1)]
     [string]
     $ComputerName = 'localhost',
     [Parameter(Mandatory=$False)]
     [string]
     $Domain = 'TreyResearch'
     )

$Group = 'Administrators'

# Please be warned. The syntax of [ADSI] is CASE SENSITIVE!
$target=[ADSI]"WinNT://$ComputerName/$Group,group"
$target.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$UserName").path)
```
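Since the script above hands out standing administrator rights, it helps to be able to read the group back through the same [ADSI] WinNT provider and see who is in it. The following is an added example, not part of the original script; the function name `Get-LocalAdminAudit`, its `-Expected` parameter and the sample allowlist values are hypothetical.

```powershell
# Added example: list the members of the local Administrators group and
# flag any account that is not on an expected allowlist.
function Get-LocalAdminAudit {
    [CmdletBinding()]
    Param(
        [Parameter(Position=0)]
        [string]
        $ComputerName = 'localhost',
        # Accounts expected in the group, written as 'Domain/Name' or
        # 'Computer/Name'. The default is a constructed sample value.
        [string[]]
        $Expected = @('TreyResearch/Domain Admins')
    )

    # Same case-sensitive WinNT path the Add script uses
    $target = [ADSI]"WinNT://$ComputerName/Administrators,group"

    foreach ($member in $target.psbase.Invoke('Members')) {
        # Members are returned as raw COM objects, so their properties
        # have to be read through reflection.
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath','GetProperty',$null,$member,$null)
        $class = $type.InvokeMember('Class','GetProperty',$null,$member,$null)

        # Domain accounts look like WinNT://TreyResearch/Charlie.Russel;
        # local accounts carry an extra segment (WinNT://Domain/Computer/Name).
        # Keeping the last two segments normalizes both forms.
        $segments = ($path -replace '^WinNT://','').Split('/')
        $account  = ($segments | Select-Object -Last 2) -join '/'

        [pscustomobject]@{
            ComputerName = $ComputerName
            Account      = $account
            Class        = $class                       # 'User' or 'Group'
            Expected     = ($Expected -contains $account) # case-insensitive match
        }
    }
}

# Show only the members that are not on the allowlist for workstation01
Get-LocalAdminAudit -ComputerName 'workstation01' `
    -Expected 'TreyResearch/Domain Admins','workstation01/Administrator' |
    Where-Object { -not $_.Expected }
```

Run against each workstation after provisioning, the unexpected entries show exactly which accounts were granted local administrator rights beyond the baseline.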