I would like to use PowerShell to add a specific user to the local administrator group on a machine. I would be running the PowerShell script in the context of a user that has Administration rights on the local machine.
6 Answers
On Server 2016 and Windows 10 Version 1607 and later you can use the new PowerShell local user cmdlets:
Add-LocalGroupMember -Group Administrators -Member username
This was added in Windows Management Framework (WMF) 5.1.
The Microsoft.PowerShell.LocalAccounts module works fine on 2012 R2 if you just copy the files into a $env:PsModulePath location.
Here is a simple 2 line script that performs this function
$group = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
$group.add("WinNT://$env:USERDOMAIN/usernameiwantoadd,user")
For more information see Hey, Scripting Guy! How Can I Use Windows PowerShell to Add a Domain User to a Local Group?
So there are a couple of notes. In the first line I used string concatenation; I didn't have to (see the next line), but I like to because it helps accentuate the variables I am using. Second, these lines will add a domain user; if you want to add a local user, just remove $env:USERDOMAIN/.
This is the advanced function that I use to add users to the local Administrators group using PowerShell on several computers.
Usage: Get-Content C:\Computers.txt | Set-LocalAdminGroupMembership -Account 'YourAccount'
Function Global:Set-LocalAdminGroupMembership
{
    <#
    .Synopsis
        Adds an account to the local Administrators group on one or more computers.
    .Description
        Uses the ADSI WinNT provider; computer names can be supplied from the pipeline.
    .Parameter ComputerName
        Target computer name. The default '.' means the local machine.
    .Parameter Account
        Domain account to add to the local Administrators group.
    .Example
        PS> Set-LocalAdminGroupMembership -ComputerName $ComputerName -Account 'YourAccount'
    .Link
        about_functions
        about_functions_advanced
        about_functions_advanced_methods
        about_functions_advanced_parameters
    .Notes
        NAME: Set-LocalAdminGroupMembership
        AUTHOR: Innotask.com\dmiller
        LASTEDIT: 2/4/2010 2:30:05 PM
        #Requires -Version 2.0
    #>
    [CmdletBinding()]
    param(
        [Parameter(Position=0, ValueFromPipeline=$true)]
        $ComputerName = '.',
        [Parameter(Position=1, Mandatory=$true)]
        $Account
    )
    Process
    {
        if ($ComputerName -eq '.') { $ComputerName = (Get-WmiObject win32_computersystem).Name }
        $ComputerName = $ComputerName.ToUpper()
        $Domain = $env:USERDNSDOMAIN
        if ($Domain) {
            $adsi = [ADSI]"WinNT://$ComputerName/administrators,group"
            # No trailing class hint on the member path: the WinNT provider then resolves
            # user and group accounts alike, so the function works for either kind of $Account.
            $adsi.add("WinNT://$Domain/$Account")
        } else {
            Write-Host "Not connected to a domain." -ForegroundColor "red"
        }
    }# Process
}# Set-LocalAdminGroupMembership
Simple Step to add a domain user to the Administrators group:
Add-LocalGroupMember -Group Administrators -Member $env:USERDOMAIN\<username>
Note: Make sure you run PowerShell "As Administrator".
Here is another way to do this. This needs to be run in Administrator context:
$domain = ""
$computername = "$env:computername"
# Bind to the local computer object first; the original snippet used $computer without defining it
$computer = [ADSI]"WinNT://$computername,computer"
$group = $computer.psbase.children.find("administrators")
function AddToGroup($name)
{
    # $name is an account name in the $domain domain (user, group, or computer account)
    $group.add("WinNT://" + $domain + "/" + $name)
}
#Add these domain users/groups to the local administrator group
AddToGroup ""
AddToGroup ""
#Add these domain computer accounts to the local administrator group.
#Computer accounts always end with $.
AddToGroup "$"
More info on my website.
Adding an account that already exists in the target security group raises an error, so you need to check if the account is already added; however, my requirement was to be backward compatible down to PowerShell v2.0.
Below is the snippet I use to add a user to the local administrators group that works on older versions of PowerShell for Windows Servers prior to 2016. The code example adds a service account used for a custom IIS AppPool identity to the local Administrators group.
$appPoolIdentity = "DOMAIN\svc-acc-name"
# check if the user is already a member of the local administrators group - case-insensitive -match
# against the "net localgroup" output; the backslash in DOMAIN\name is doubled so it is not read as a regex escape
if(((invoke-command {net localgroup administrators}) -match ($appPoolIdentity -replace '\\','\\')).Count -eq 0){
Write-Host "The app pool identity user '$appPoolIdentity' is not found in the local 'Administrators' group."
# add user to the local administrators group
$adminGroup = [ADSI]("WinNT://$env:COMPUTERNAME/administrators,group")
$adminGroup.Add("WinNT://$appPoolIdentity,user")
Write-Warning "Added '$appPoolIdentity' to the local 'Administrators' group."
}else{
Write-Host "The app pool identity user '$appPoolIdentity' is already member of local 'Administrators' group."
}
Credit for using net localgroup administrators in the if statement above goes to this blog post.
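An idempotent version that combines the approaches in this thread (Add-LocalGroupMember where the LocalAccounts module exists, the ADSI WinNT provider otherwise, with a membership check before adding), added here as an example and not taken from any of the answers; the function name and the account 'CONTOSO\svc-app' are placeholders of my own:

```powershell
# Added example: ensure an account is in local Administrators without throwing on re-runs.
# Prefers Add-LocalGroupMember (WMF 5.1+) and falls back to the WinNT provider on older
# PowerShell (2.0+). Must run elevated. 'CONTOSO\svc-app' below is a placeholder account.
function Set-LocalAdminMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DOMAIN\name or COMPUTERNAME\name
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\]+\\[^\\]+$')]
        [string]$Account
    )

    $groupName = 'Administrators'
    $domain, $name = $Account -split '\\', 2
    $adsPath = "WinNT://$domain/$name"
    $useModule = [bool](Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue)

    if ($useModule) {
        # Modern path: member names come back as DOMAIN\name; -contains compares case-insensitively
        $members = @(Get-LocalGroupMember -Group $groupName | ForEach-Object { $_.Name })
        $isMember = $members -contains $Account
    } else {
        # Legacy path: enumerate the ADsPath of each current member through the WinNT provider
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        $isMember = $members -contains $adsPath
    }

    if ($isMember) {
        Write-Verbose "'$Account' is already a member of $groupName; nothing to do."
        return $false
    }

    if ($PSCmdlet.ShouldProcess($Account, "Add to local $groupName")) {
        if ($useModule) { Add-LocalGroupMember -Group $groupName -Member $Account }
        else            { $group.Add($adsPath) }
        # Local admin grants full control of the host, so leave an audit trail of every change
        Write-Warning "Added '$Account' to local $groupName on $env:COMPUTERNAME."
        return $true
    }
    return $false
}

# -WhatIf reports what would change without touching the group
Set-LocalAdminMembership -Account 'CONTOSO\svc-app' -WhatIf -Verbose
```

Drop -WhatIf to apply the change; the function returns $true only when it actually added the account, which makes it safe to call from a scheduled or repeated configuration script.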