My Technical Notes

Thursday, 7 July 2016

Adding User to Local Administrators Group using PowerShell

The following script, which needs to be run as administrator, adds a user to the local Administrators group using PowerShell:


$group = [ADSI]("WinNT://$( $env:COMPUTERNAME )/administrators,group")
$group.add("WinNT://<domain>/<username>,user")

Replace `<domain>` with the domain and `<username>` with the username.

The following script adds the user to the Administrators group if they are not already a member, and then logs off:


$ErrorActionPreference = "Stop"; # stop on first error
$domain = "..."; # set this to the domain
$username = "..."; # set this to the username
$group = [ADSI]("WinNT://$( $env:COMPUTERNAME )/administrators,group")
if ($group.ismember("WinNT://$domain/$username")) {
 Write-Host "User is already an administrator" -ForegroundColor Green
} else {
 $group.add("WinNT://$domain/$username,user");
 Write-Host "Added user to administrators" -ForegroundColor Green
}

Write-Host "Logging off..." -ForegroundColor Green
Start-Sleep -Milliseconds 2000
logoff

To run this script as a desktop shortcut, we set the target to:


powershell.exe -command "& c:\path\to\MakeUserAdmin.ps1"

Windows will automatically resolve `powershell.exe` to the full path of the PowerShell executable.

Lastly, we can set the icon of the shortcut to an icon found in:


c:\Windows\System32\imageres.dll

Task Scheduler

This script can also be run from the Task Scheduler. Use `Action` -> `Create Task`.

The following simplified script can be used:


$ErrorActionPreference = "Stop" # stop on first error
$domain = "...";
$username = "...";
$group = [ADSI]("WinNT://$( $env:COMPUTERNAME )/administrators,group")
if (-not ($group.ismember("WinNT://$domain/$username"))) {
    $group.add("WinNT://$domain/$username,user");
}

Follow the referenced guide. Make sure the following is true:

  • On the General tab, make sure "Run with highest privileges" is ticked.
  • On the General tab, select "Run whether user is logged on or not".
  • On the General tab, under Security options, click the "Change User or Group..." button and select the administrator user.
  • Add a trigger where "Begin the task:" is set to "At startup".
  • Use the following command to run it:

powershell.exe -command "& C:\path\to\MakeUserAdmin.ps1"
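Every account added this way gets full control of the host, so it is worth checking from time to time that the group holds only the accounts you expect. The following audit script is an added example, not part of the original post; it uses the same ADSI WinNT provider as the scripts above, and the `$expected` list and the `<domain>` placeholder are assumptions to adjust for your environment.

```powershell
# Added example: audit the local Administrators group with the same ADSI WinNT
# provider used above, and report members that are not on an expected list.
# Run in an elevated PowerShell session on the host being checked.
$ErrorActionPreference = "Stop"

# Assumption: accounts allowed to be local administrators on this host.
# Entries are "<authority>/<name>"; replace <domain> with your domain.
$expected = @(
    "$env:COMPUTERNAME/Administrator",
    "<domain>/Domain Admins"
)

function Get-LocalAdminMembers {
    $group = [ADSI]("WinNT://$( $env:COMPUTERNAME )/administrators,group")
    # IADsGroup::Members returns COM objects; read ADsPath and Class via reflection.
    $group.psbase.Invoke("Members") | ForEach-Object {
        $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $class = $_.GetType().InvokeMember("Class",   "GetProperty", $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/alice or WinNT://WORKGROUP/HOST/Administrator;
        # keep the last two segments so both forms become "<authority>/<name>".
        $segments = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Name  = ($segments | Select-Object -Last 2) -join '/'
            Class = $class   # "User" or "Group"
            Path  = $path
        }
    }
}

$members = Get-LocalAdminMembers
$members | Format-Table Name, Class, Path -AutoSize

# -notcontains is case-insensitive, matching how Windows compares account names.
$unexpected = @($members | Where-Object { $expected -notcontains $_.Name })
if ($unexpected.Count -gt 0) {
    Write-Host "Unexpected members of the local Administrators group:" -ForegroundColor Yellow
    $unexpected | ForEach-Object { Write-Host "  $($_.Name) ($($_.Class))" -ForegroundColor Yellow }
    exit 1
}
Write-Host "Local Administrators group matches the expected list" -ForegroundColor Green
```

The non-zero exit code lets the same script run as a scheduled task whose failure is picked up by monitoring.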
