Add a Domain User to the Local Administrators Group


Post by bhnuser » Wed Jul 03, 2019 5:52 am

Hello everybody,

I need your help with my snippet. I would like, as the title says, to add a domain user to the Administrators group on a local machine on the network. The problem is that I run the script with a normal user without admin rights. Is it possible to pass an admin user to the script below to run it? The snippet will be added to a PowerShell project.

$DomainUser = "SamAccountName"
$LocalGroup = "Administrators"
$Computer   = $env:computername
$Domain     = $env:userdomain

([ADSI]"WinNT://$Computer/$LocalGroup,group").psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$DomainUser").path)

Post by jvierra » Wed Jul 03, 2019 8:28 am

You will have to connect ADSI using the full type.
See: https://docs.microsoft.com/en-us/dotnet ... ationTypes_

Post by bhnuser » Wed Jul 03, 2019 11:42 pm

Okay, I've read the article already. But what about the syntax in PowerShell?

Post by jvierra » Thu Jul 04, 2019 12:45 pm

To add a user to the local admin group on the current system (excluding DCs) -

Add-LocalGroupMember -Group Administrators -Member domain\userid

You will not be able to establish remote domain credentials if AD has not been configured to allow this. To do this as a domain admin use "RunAs" with domain credentials to start PowerShell.

Assuming that AD has been set up then use this to see how to connect with credentials.

[adsi]::New

Look at the constructor options and refer to the documentation for how to use them.

Post by jvierra » Thu Jul 04, 2019 1:18 pm

Also be aware that you cannot remotely authenticate with domain credentials and add members to a group that are domain accounts.

Post by bhnuser » Wed Jul 10, 2019 10:54 pm

Thank you for the help, jvierra.
I have now built a workaround and it works fine. Here is the snippet:

# WinNT path of the domain account that should become a local administrator
$localAdminUser = "WinNT://$($env:USERDOMAIN)/$($selectedUserLocalAdmin.SamAccountName)"
# Runs inside the existing session; $t3 = target computer, $t4 = WinNT path of the user
Invoke-Command $ADSession -ScriptBlock {
    param (
        [string]$t3 = $Computer,
        [string]$t4 = $username
    )
    ([ADSI]"WinNT://$t3/Administrators,group").add($t4)
} -ArgumentList $selectedComputer.Name, $localAdminUser

It works because I build a session to our domain controller when I start the script, so I can use Invoke-Command with the session.
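
An added example, not part of the original thread: the same change made with Add-LocalGroupMember over PowerShell remoting using explicit credentials, written so that it is idempotent and returns a record of what changed for auditing. The function name, computer name and account are hypothetical placeholders; it assumes WinRM remoting is enabled on the target, the supplied credential is an administrator there, and the target runs Windows PowerShell 5.1 with the LocalAccounts module.

```powershell
# Hypothetical helper; not code from the thread.
function Add-DomainUserToLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Member,           # 'DOMAIN\SamAccountName'
        [Parameter(Mandatory)][pscredential]$Credential  # admin on the target machine
    )

    # Honour -WhatIf / -Confirm before touching a privileged group.
    if (-not $PSCmdlet.ShouldProcess($ComputerName, "Add $Member to local Administrators")) {
        return
    }

    Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                   -ArgumentList $Member -ScriptBlock {
        param([string]$Member)

        # S-1-5-32-544 is the well-known SID of the built-in Administrators
        # group, so this also works where the group name is localized.
        $group = Get-LocalGroup -SID 'S-1-5-32-544'

        # Check first so a repeated run does not raise "already a member".
        $existing = Get-LocalGroupMember -Group $group -Member $Member `
                                         -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-LocalGroupMember -Group $group -Member $Member -ErrorAction Stop
        }

        # Re-read the membership to verify, and return a record for the log.
        $present = [bool](Get-LocalGroupMember -Group $group -Member $Member `
                                               -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Group    = $group.Name
            Member   = $Member
            Changed  = -not $existing
            Present  = $present
            TimeUtc  = (Get-Date).ToUniversalTime()
        }
    }
}

# Example call; 'PC-EXAMPLE01' and 'EXAMPLE\jdoe' are placeholder values.
$cred = Get-Credential -Message 'Account with admin rights on the target'
Add-DomainUserToLocalAdmins -ComputerName 'PC-EXAMPLE01' -Member 'EXAMPLE\jdoe' -Credential $cred
```

Get-Credential prompts for the password, which keeps it out of the script and the command history.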
