The Realm of the Verbal Processor

Jarvis's Ramblings

Add domain user to local administrators group

As part of the SCCM system that I am implementing, I am trying to streamline and automate as many functions as possible. I currently have an SCCM Task Sequence set up that can run a complete computer install (partition disk, format, install Vista, apply device drivers, install programs, install updates, etc) with no administrative input. One aspect that I am not able to automate is adding the domain user to the local administrators group on the workstation. I don’t want to use Group Policy to add a group…I don’t want everyone to be an admin on all workstations. I want to limit it to just the user being an admin of their single computer.

I had hunted for a way to do this in as fast a way as possible, which rules out using the GUI…it needs to be scripted. I tried it in VBscript, but simply could not get it to successfully add a user who was in a sub-domain. It would work for the top domain, but not for the sub-domain.

So I switched my thought process to PowerShell. I don’t know that I will ever go back. I had a working script in probably ten minutes. I then modified it and gave it some better logic, but even that went quickly. Honestly, the part that took the longest was learning the syntax for PowerShell. The script is below. You can also download it here. (PDF…my hosting provider doesn’t allow script or txt file uploads.)

###################################################################
# Name:            Add2Admin.ps1
# Author:        Jarvis Davis
# Company:        Campus Crusade for Christ
# Creation Date:    April 2, 2008
#
# Purpose:        To quickly and easily add/remove a domain user to/from
#            the local administrators group on a computer
#
# Inputs:        It accepts the first four strings after the script name
#            and puts them into variables
#
# Usage:        add2admin.ps1 username domainname computername action
#            Actions are: Add and Remove. If no action is specified
#            the script does not modify the group.
#
# Note:            In an environment with one domain, you could modify the
#            script to hardcode in the domain and shift the $args
#            that are accepted to fit the variables.
#
# Acknowledgements:    Portions of this script were originally posted on the
#            following websites. A big thanks to the original authors!
#
#    http://myitforum.com/cs2/blogs/yli628/archive/2007/08/30/powershell-script-to-add-remove-
#            a-domain-user-to-the-local-administrators-group-on-a-remote-machine.aspx
#    http://keithhill.spaces.live.com/blog/cns!5A8D2641E0963A97!676.entry
#    http://www.microsoft.com/technet/scriptcenter/resources/qanda/mar08/hey0311.mspx
#
##################################################################

$username = $args[0]
$domain = $args[1]
$strComputer = $args[2]
$action = $args[3]

function IsNullOrEmpty($str)
{
    if ($str)
    {
        ""
    }
    else
    {
        "Please specify parameters for the script."
        "Usage: [Add2Admin.ps1 Username UserDomain ComputerName Action (Add/Remove)]."
        ""
        # Outside a loop, break stops the running script.
        break
    }
}
# Check to make sure that at least three arguments were passed via the command line.
IsNullOrEmpty $strComputer
#IsNullOrEmpty $username
#IsNullOrEmpty $domain

$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name

$Group = $computer.psbase.children.find("administrators")

# This will list what’s currently in Administrator Group so you can verify the result

function ListAdministrators
{
    # Read the Name property of each member object returned by the group
    $members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    $members
}

ListAdministrators
""

# Depending on the value of the $action variable ($args[3]), either add/remove/do nothing to the admins group

if ($action -eq "Add")
    {$Group.Add("WinNT://" + $domain + "/" + $username)}
elseif ($action -eq "Remove")
    {$Group.Remove("WinNT://" + $domain + "/" + $username)}
else
    {
    "No action was specified, so no action was taken."
    "Usage: [Add2Admin.ps1 Username UserDomain ComputerName Action (Add/Remove)]."
    ""
    }
ListAdministrators
""
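
The script above verifies its result by listing member names only, which cannot tell a domain account from a local account of the same name. The following audit is an added example, not part of the original script: it reads each member's ADsPath through the same WinNT provider and reports anything not on an expected list (the function names and the default list entries are assumptions made up for illustration).

```powershell
# Added example, not the original author's script. Audits the local
# Administrators group through the same WinNT ADSI provider used above.
# Assumption: the default values in param() are constructed samples.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Expected = @('Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\jdoe')
)

# Turn a member ADsPath into SCOPE\name. Typical shapes:
#   WinNT://DOMAIN/user             domain principal
#   WinNT://DOMAIN/COMPUTER/user    local account on that computer
#   WinNT://S-1-5-21-...            SID that no longer resolves to an account
function ConvertFrom-WinNTPath([string]$AdsPath, [string]$ComputerName) {
    $parts = @(($AdsPath -replace '^WinNT://', '').Split('/'))
    if ($parts.Count -eq 1) { return $parts[0] }        # unresolved SID
    $scope = $parts[$parts.Count - 2]
    $name  = $parts[$parts.Count - 1]
    if ($scope -ieq $ComputerName) { return $name }     # local account: bare name
    return "$scope\$name"
}

function Get-LocalAdminMember([string]$ComputerName) {
    $group = [ADSI]("WinNT://$ComputerName/Administrators,group")
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ConvertFrom-WinNTPath $path $ComputerName
    }
}

$found = @(Get-LocalAdminMember $ComputerName)
# -notcontains compares case-insensitively, matching how Windows treats account names
$unexpected = @($found | Where-Object { $Expected -notcontains $_ })

"Administrators on ${ComputerName}:"
$found | ForEach-Object { "  $_" }
if ($unexpected.Count -gt 0) {
    'Not on the expected list:'
    $unexpected | ForEach-Object { "  $_" }
    exit 1    # non-zero exit so a task sequence or scheduled check can alert
}
'All members are on the expected list.'
```

Pass the computer's short name rather than its FQDN so that local accounts are recognised and reported by bare name.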


April 8, 2008 - Posted in ConfigMgr, tech
