Windows – powershell: add user to local admin group

powershellwindows

i am trying to create user on remote machine by powershell. Once account created i want to add that in local admin group.

Account is getting created but it is not getting added in admin group.
Below is the code which i am using.

  cls
  $username = "test_user"
$password = "password"
$computer1 = hostname
  $users = $null
   $computer = [ADSI]“WinNT://$computer1”
   Try {
      $users = $computer.psbase.children | select -expand name  
      if ($users -like $username) {
         Write-Host "$username already exists"
      } Else {
         $user_obj = $computer.Create(“user”, “$username”)
         $user_obj.SetPassword($password)
         $user_obj.SetInfo()

         $user_obj.Put(“description”, “$username”)
         $user_obj.SetInfo()
         $user_obj.psbase.invokeset(“AccountDisabled”, “False”)
         $user_obj.SetInfo()
         $users = $computer.psbase.children | select -expand name
         if ($users -like $username) {
            Write-Host "$username has been created on $($computer.name)"

      $group = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
$group.add("WinNT://$env:localhost/$username,user")


         } Else {


            Write-Host "$username has not been created on $($computer.name)"
         }
      }
   } Catch {
      Write-Host "Error creating $username on $($computer.path):  $($Error[0].Exception.Message)"
   }

Please advise what am i doing wrong.

Best Answer

Actually the script that was copied and pasted does not work at all.

It has invalid double quotes: “ and ”

It references the local computer in three different ways:

[ADSI]“WinNT://$computer1”
[ADSI]("WinNT://"+$env:COMPUTERNAME+"
WinNT://$env:localhost/

There are several occurrences where text is not quoted properly and separated/concatenated with variables.

This works:

cls
$username = "test_user"
$password = "zlug7nPn5$"
$computername = "ComputerName"
$users = $null
$computer = [ADSI]"WinNT://$computername"
Try {
   $users = $computer.psbase.children | select -expand name
   if ($users -like $username) {
      Write-Host "$username already exists"
   } Else {
      $user_obj = $computer.Create("user", "$username")
      $user_obj.SetPassword($password)
      $user_obj.SetInfo()

      $user_obj.Put("description", "$username")
      $user_obj.SetInfo()
      $user_obj.psbase.invokeset("AccountDisabled", "False")
      $user_obj.SetInfo()
      $users = $computer.psbase.children | select -expand name
      if ($users -like $username) {
         Write-Host "$username has been created on $($computer.name)"

      $group = [ADSI]("WinNT://"+$computername+"/administrators,group")
      $group.add("WinNT://"+$computername+"/"+$username+",user")
      } Else {
         Write-Host "$username has not been created on $($computer.name)"
      }
   }
} Catch {
   Write-Host "Error creating $username on $($computer.path):  $($Error[0].Exception.Message)"
}

Related Solutions

Powershell – After adding new user to AD via Powershell script, have to reset password

Actually, I just figured out what it was. I was passing in -assecurestring but it wasn't actually returning the password I entered. Apparently I was barking up the wrong tree. :) Thanks for your time!

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Best Answer

Related Solutions

Powershell – After adding new user to AD via Powershell script, have to reset password

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

Related Topic