Add a Domain User to the Local Administrators Group

When building out a workstation for an AD Domain user, in some environments the user is added to the local Administrators group to allow the user to install and configure applications. Now there are some of us who think that’s a Bad Idea and a Security Risk, but the reality is that it’s policy in some organizations. Doing this with the GUI is easy, but who wants to have to use the GUI for anything? Especially for a highly repetitive task that you’re going to have to do on every user’s workstation. So, let’s use PowerShell and [ADSI] to do the heavy lifting.

The first step is to define the target we want to add the user to:

$ComputerName = "workstation01"
$Group = "Administrators"

Next, we invoke the Add method on that target to add the user to the group.

$Domain = 'TreyResearch'
$UserName = 'Charlie.Russel'

And that’s really all there is to it.

(Note, by the way, that this is one of the only places in PowerShell where CASE MATTERS. the WinNT commands are case sensitive so don’t change that to winnt or WINNT. It won’t work. )

Finally, let’s pull all that together into a script that accepts the user name, the target computer, and the AD Domain as parameters:

Adds a user to the Local Administrators group
Add-myLocalAdmin adds a user to the local Administrators group on a computer. 
Add-myLocalAdmin Charlie.Russel 
Adds the TreyResearch user Charlie.Russel to the Administrators local group on the localhost.
Add-myLocalAdmin Charlie.Russel -ComputerName ws-crussel-01
Adds the TreyResearch user Charlie.Russel to the Administrators local group on ws-crussel-01.
Add-myLocalAdmin -UserName Charlie.Russel -ComputerName ws-crussel-01 -Domain Contoso
Adds the Contoso user Charlie.Russel to the Administrators local group on ws-crussel-01.
.Parameter UserName
The username to add to the Administrators local group. This should be in the format first.last. 
.Parameter ComputerName
[Optional] The computer on which to modify the Administrators group. The default is localhost
.Parameter Domain
[Optional] The user's Active Directory Domain. The default is TreyResearch.
    Author: Charlie Russel
 Copyright: 2017 by Charlie Russel
          : Permission to use is granted but attribution is appreciated
   Initial: 21 June, 2017 (cpr)
     $ComputerName = 'localhost',
     $Domain = 'TreyResearch'

$Group = 'Administrators'

# Please be warned. The syntax of [ADSI] is CASE SENSITIVE!


Author: Charlie Russel

A chemist by education, an electrician by trade, a UNIX sysadmin and Oracle DBA because he raised his hand when he should have known better, an IT Director and consultant by default, and a writer by choice, Charlie is the author of more than 2 dozen computer books on operating systems and enterprise environments, including Microsoft Windows Server 2008 Administrator's Companion(MS Press), Microsoft Windows Server 2003 Administrator's Companion(MS Press), Windows Small Business Server 2011 Administrator's Companion(MS Press), Windows Essential Business Server 2008(MS Press), Introducing Windows Server 2008 R2(MS Press), Microsoft Windows XP Resource Kit, 3rd Edition(MS Press), and Oracle DBA Scripting Quick Reference(Prentice-Hall PTR). He has also written numerous white papers and case studies on, most recently around Windows HPC Server, and RDS Licensing.

Leave a Reply

Your email address will not be published. Required fields are marked *