Home / server / Questions / 120229
Accepted
Rihan Meij
Asked: 2010-03-08 20:44:40 +0800 CST

Adding a user to the local Administrator group using powershell

  • 772

I would like to use PowerShell to add a specific user to the local administrator group on a machine. I would be running the PowerShell script in the context of a user that has Administration rights on the local machine.

windows powershell automation

6 Answers

  1. On Server 2016 and Windows 10 Version 1607 and later you can use the new PowerShell local user cmdlets:

    Add-LocalGroupMember -Group Administrators -Member username

    This was added in Windows Management Framework (WMF) 5.1.

    The Microsoft.PowerShell.LocalAccounts module works fine on 2012 R2 if you just copy the files into a $env:PsModulePath location.

    • 31

  2. Here is a simple 2 line script that performs this function

    $group = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
$group.add("WinNT://$env:USERDOMAIN/usernameiwantoadd,user")

    For more information see Hey, Scripting Guy! How Can I Use Windows PowerShell to Add a Domain User to a Local Group?

    So there are a couple of notes. In the first line I used string concatenation, I didn't have to (see the next line) but I like to because it helps accentuate the variables I am using. Second, these lines will add a domain user, if you wanted to add a local user just remove $env:USERDOMAIN/

    • 16
  3. Best Answer

    This is the Advanced Function That I use to add a users to the local Administrator group using Powershell on several computers.

    Usage: Get-Content C:\Computers.txt | Set-LocalAdminGroupMembership -Account 'YourAccount'

    Function Global:Set-LocalAdminGroupMembership
{


    <#
    .Synopsis

    .Description

    .Parameter $ComputerName,

    .Example
     PS> Set-LocalAdminGroupMembership -ComputerName $ComputerName -Account 'YourAccount'

    .Link
     about_functions
     about_functions_advanced
     about_functions_advanced_methods
     about_functions_advanced_parameters

    .Notes
     NAME:      Set-LocalAdminGroupMembership
     AUTHOR:    Innotask.com\dmiller
     LASTEDIT:  2/4/2010 2:30:05 PM
     #Requires -Version 2.0
    #>



    [CmdletBinding()]
    param(
    [Parameter(Position=0, ValueFromPipeline=$true)]
    $ComputerName = '.',
    [Parameter(Position=1, Mandatory=$true)]
    $Account
    )


    Process
    {  

        if($ComputerName -eq '.'){$ComputerName = (get-WmiObject win32_computersystem).Name}    
        $ComputerName = $ComputerName.ToUpper()


        $Domain = $env:USERDNSDOMAIN

        if($Domain){
            $adsi = [ADSI]"WinNT://$ComputerName/administrators,group"
            $adsi.add("WinNT://$Domain/$Account,group")
            }else{
            Write-Host "Not connected to a domain." -foregroundcolor "red"
            }


    }# Process


}# Set-LocalAdminGroupMembership
    • 6

  4. Simple Step to add a domain user to the Administrators group:

    Add-LocalGroupMember -Group Administrators -Member $env:USERDOMAIN\<username>

    Note: Make sure you run PowerShell "As Administrator".

    • 3

  5. Here is another way to do this. This needs to be run in Administrator context:

    $domain=""
$computername= "$env:computername"
$group=$computer.psbase.children.find("administrators")

function AddToGroup($number)
{
     $group.add("WinNT://"+$domain+"/"+$number )
}

#Add these domain users/groups to the local administrator group
 AddToGroup ""
 AddToGroup ""

#Add these domain computer accounts to the local administrator group. 
#Computer accounts always end with $.
AddToGroup "$"

    More info on my website.

    • 0

  6. Adding account that already exists in the target security group raises and error so you need to check if account is already added, however my requirement was to be backward compatible down to PowerShell v2.0

    Below is the snippet I use to add a user to the local administrators group that works on older versions of PowerShell for Windows Servers prior 2016. The code example adds a service account used for custom IIS AppPool identity to the local Administrators group.

    $appPoolIdentity = "DOMAIN\svc-acc-name"
# check if user is already member of the local administrators group - using case insensitive string comparison
if(((invoke-command {net localgroup administrators}) -match ($appPoolIdentity -replace '\\','\\')).Count -eq 0){
    Write-Host "The app pool identity user '$appPoolIdentity' is not found in the local 'Administrators' group."
    # add user to the local administrators group
    $adminGroup = [ADSI]("WinNT://$env:COMPUTERNAME/administrators,group")
    $adminGroup.Add("WinNT://$appPoolIdentity,user")
    Write-Warning "Added '$appPoolIdentity' to the local 'Administrators' group."
}else{
    Write-Host "The app pool identity user '$appPoolIdentity' is already member of local 'Administrators' group."
}

    Credit for using net localgroup administrators in the if statement above goes to this blog post.

    • 0