19

I would like to use PowerShell to add a specific user to the local administrator group on a machine. I would be running the PowerShell script in the context of a user that has Administration rights on the local machine.

EEAA
Rihan Meij
  • See also Windows Local Account and Group Maintenance (http://serverfault.com/questions/31058/windows-local-account-and-group-maintenance). – Nathan Hartley Feb 24 '11 at 17:19

6 Answers

31

On Server 2016 and Windows 10 Version 1607 and later you can use the new PowerShell local user cmdlets:

Add-LocalGroupMember -Group Administrators -Member username

This was added in Windows Management Framework (WMF) 5.1.

The Microsoft.PowerShell.LocalAccounts module works fine on 2012 R2 if you just copy the files into a $env:PsModulePath location.

Peter Hahndorf
  • Be careful, the group "Administrators" might be called differently depending on your locale; on a German system it is "Administratoren". – Panki May 21 '19 at 14:03
  • You can also add an AD group this way, eg: Add-LocalGroupMember -Group Administrators -Member "CONTOSO\Domain Admins" – KERR May 11 '20 at 06:35
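The two comments above point at the two things that trip scripts built on this answer: the group's display name is localized, and adding a member that is already present throws. The following wrapper is an added example, not Peter Hahndorf's code: it looks the group up by its well-known SID (S-1-5-32-544, the same on every Windows installation) and checks membership first so the script can be re-run safely. The function name and the sample account 'CONTOSO\svc-deploy' are assumptions; it needs the Microsoft.PowerShell.LocalAccounts module and an elevated session.

```powershell
# Added example (not from the answer above): idempotent, locale-independent
# wrapper around Add-LocalGroupMember. Requires the LocalAccounts module
# (Windows 10 1607+ / Server 2016+ / WMF 5.1) and an elevated session.
function Add-LocalAdministrator {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'DOMAIN\name' for a domain user or group, or a bare name for a local user
        [Parameter(Mandatory = $true)]
        [string]$Member
    )

    # Look the group up by its well-known SID instead of its display name, so
    # the call also works where the group is called "Administratoren" etc.
    $adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

    # Get-LocalGroupMember reports local accounts as 'COMPUTERNAME\name';
    # qualify a bare name the same way before comparing.
    $qualified = if ($Member -like '*\*') { $Member } else { "$env:COMPUTERNAME\$Member" }

    # Adding an existing member throws, so check first (-eq is case-insensitive).
    $existing = Get-LocalGroupMember -Group $adminGroup | Where-Object { $_.Name -eq $qualified }
    if ($existing) {
        Write-Verbose "'$qualified' is already a member of '$($adminGroup.Name)'."
        return $false
    }

    # -WhatIf / -Confirm support comes for free through ShouldProcess
    if ($PSCmdlet.ShouldProcess($adminGroup.Name, "add member '$qualified'")) {
        Add-LocalGroupMember -Group $adminGroup -Member $Member
        Write-Verbose "Added '$qualified' to '$($adminGroup.Name)'."
        return $true
    }
    return $false
}

# Usage (constructed sample account; -WhatIf shows the change without making it):
# Add-LocalAdministrator -Member 'CONTOSO\svc-deploy' -Verbose -WhatIf
# Add-LocalAdministrator -Member 'CONTOSO\svc-deploy' -Verbose
# Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object Name, ObjectClass, PrincipalSource
```

The final Get-LocalGroupMember call is worth keeping in any change script: it leaves a record of the resulting membership (including PrincipalSource, which distinguishes local, domain and Azure AD principals) in the console transcript.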
16

Here is a simple 2-line script that performs this function:

$group = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
$group.add("WinNT://$env:USERDOMAIN/usernameiwantoadd,user")

For more information see Hey, Scripting Guy! How Can I Use Windows PowerShell to Add a Domain User to a Local Group?

So there are a couple of notes. In the first line I used string concatenation; I didn't have to (see the next line), but I like to because it helps accentuate the variables I am using. Second, these lines will add a domain user; if you wanted to add a local user, just remove $env:USERDOMAIN/.

chicks
Jim B
  • I would like to run this script on workstations in such a way that the person running the script can type in a username. Hence the Read-Host – Rihan Meij Mar 09 '10 at 08:09
  • So in that case make the first line $userInput = Read-Host "Enter username to add to the local admin group", then use $userInput where it says usernameiwantoadd. – Jim B Mar 09 '10 at 14:27
6

This is the advanced function that I use to add users to the local Administrators group using PowerShell on several computers.

Usage: Get-Content C:\Computers.txt | Set-LocalAdminGroupMembership -Account 'YourAccount'

Function Global:Set-LocalAdminGroupMembership
{
    <#
    .Synopsis
     Adds a domain account to the local Administrators group of one or more computers.

    .Description
     Binds to each computer's local Administrators group through the ADSI WinNT
     provider and adds the given domain account. Computer names can be piped in.

    .Parameter ComputerName
     Name of the target computer; '.' (the default) means the local machine.

    .Parameter Account
     Name of the domain user or group to add, without the domain prefix.

    .Example
     PS> Set-LocalAdminGroupMembership -ComputerName $ComputerName -Account 'YourAccount'

    .Example
     PS> Get-Content C:\Computers.txt | Set-LocalAdminGroupMembership -Account 'YourAccount'

    .Link
     about_functions
     about_functions_advanced
     about_functions_advanced_methods
     about_functions_advanced_parameters

    .Notes
     NAME:      Set-LocalAdminGroupMembership
     AUTHOR:    Innotask.com\dmiller
     LASTEDIT:  2/4/2010 2:30:05 PM
     #Requires -Version 2.0
    #>

    [CmdletBinding()]
    param(
        [Parameter(Position=0, ValueFromPipeline=$true)]
        [string]$ComputerName = '.',
        [Parameter(Position=1, Mandatory=$true)]
        [string]$Account
    )

    Process
    {
        # '.' means the local machine; resolve it to the real name for the WinNT path
        if ($ComputerName -eq '.') { $ComputerName = (Get-WmiObject Win32_ComputerSystem).Name }
        $ComputerName = $ComputerName.ToUpper()

        # USERDNSDOMAIN is only set when the current session is a domain logon
        $Domain = $env:USERDNSDOMAIN

        if ($Domain)
        {
            $adsi = [ADSI]"WinNT://$ComputerName/administrators,group"
            # no ',user' / ',group' class hint, so the same path works for a user or a group
            $adsi.Add("WinNT://$Domain/$Account")
        }
        else
        {
            Write-Host "Not connected to a domain." -ForegroundColor Red
        }
    } # Process

} # Set-LocalAdminGroupMembership
user46713
3

Simple Step to add a domain user to the Administrators group:

Add-LocalGroupMember -Group Administrators -Member "$env:USERDOMAIN\<username>"

Note: Make sure you run PowerShell "As Administrator".

0

Here is another way to do this. This needs to be run in Administrator context:

$domain = ""                        # NetBIOS name of the domain the accounts belong to
$computername = "$env:computername"
# bind to the local computer object and look up its Administrators group
$computer = [ADSI]"WinNT://$computername,computer"
$group = $computer.psbase.children.find("administrators")

function AddToGroup($name)
{
    $group.add("WinNT://" + $domain + "/" + $name)
}

#Add these domain users/groups to the local administrator group
AddToGroup ""
AddToGroup ""

#Add these domain computer accounts to the local administrator group.
#Computer accounts always end with $.
AddToGroup "$"

More info on my website.

Glorfindel
0

Adding an account that already exists in the target security group raises an error, so you need to check if the account is already added; however, my requirement was to be backward compatible down to PowerShell v2.0.

Below is the snippet I use to add a user to the local administrators group that works on older versions of PowerShell for Windows Servers prior to 2016. The code example adds a service account used for a custom IIS AppPool identity to the local Administrators group.

$appPoolIdentity = "DOMAIN\svc-acc-name"
# check if the user is already a member of the local administrators group:
# 'net localgroup' prints one member per line and -match is a case-insensitive
# regex test, so the backslash in 'DOMAIN\name' must be escaped before matching
$members = @(invoke-command { net localgroup administrators })
if (@($members -match [regex]::Escape($appPoolIdentity)).Count -eq 0) {
    Write-Host "The app pool identity user '$appPoolIdentity' is not found in the local 'Administrators' group."
    # add user to the local administrators group
    $adminGroup = [ADSI]("WinNT://$env:COMPUTERNAME/administrators,group")
    $adminGroup.Add("WinNT://$appPoolIdentity,user")
    Write-Warning "Added '$appPoolIdentity' to the local 'Administrators' group."
} else {
    Write-Host "The app pool identity user '$appPoolIdentity' is already a member of the local 'Administrators' group."
}

Credit for using net localgroup administrators in the if statement above goes to this blog post.

Emil
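Parsing net localgroup output works, but it depends on the tool's text format and on the group's display name. The following added example (not Emil's code) does the same idempotent add for PowerShell 2.0 and later by enumerating the group's members through ADSI and resolving the localized group name from the well-known SID S-1-5-32-544, so it also covers the localization caveat raised under the first answer. The function name and the sample account 'CONTOSO\svc-deploy' are assumptions; run it in an elevated session.

```powershell
# Added example (not from the answer above): idempotent add for PowerShell 2.0+
# that checks membership via ADSI instead of parsing 'net localgroup' text,
# and finds the (possibly localized) Administrators group through its SID.
function Add-LocalAdminMemberAdsi {
    param(
        # 'DOMAIN\name' for a domain principal, bare name for a local account
        [Parameter(Mandatory = $true)]
        [string]$Account
    )

    # Resolve the display name of BUILTIN\Administrators on this system from its
    # well-known SID; the Value looks like 'BUILTIN\Administrators' (or its
    # localized equivalent), and only the part after the backslash is needed.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    # Each member's ADsPath ends in 'AUTHORITY/name', e.g. 'WinNT://CONTOSO/svc-deploy'
    # or 'WinNT://WORKGROUP/PC01/localuser'; keep the last two segments as 'AUTHORITY\name'.
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        ($parts[-2..-1]) -join '\'
    })

    # local accounts are reported as 'COMPUTERNAME\name', so qualify a bare name the same way
    $wanted = if ($Account -like '*\*') { $Account } else { "$env:COMPUTERNAME\$Account" }

    if ($members -contains $wanted) {   # -contains compares case-insensitively
        Write-Host "'$wanted' is already a member of '$groupName'."
        return $false
    }

    # WinNT paths use '/' between authority and account name
    $group.Add('WinNT://' + ($wanted -replace '\\', '/'))
    Write-Host "Added '$wanted' to '$groupName'."
    return $true
}

# Usage (constructed sample account):
# Add-LocalAdminMemberAdsi -Account 'CONTOSO\svc-deploy'
```

Comparing only the last two path segments matters because the WinNT provider prefixes local accounts with the workgroup or domain name ('WinNT://WORKGROUP/PC01/localuser') while domain principals have no such prefix, so a full-path comparison would miss local members.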