How Can I Add a Domain Group to the Local Administrators Group?


Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I add a domain group to the local Administrators group?

-- SS

Hey, Scripting Guy! Answer

Hey, SS. You know, people think of the Scripting Guys as striding powerfully through the world of system administration scripting, confident, almost-arrogant in the knowledge that they can meet any challenge thrown at them. We like to think of ourselves as being that way, too, even though we know it isn’t true. Confident, almost-arrogant in the knowledge that we can meet any challenge thrown at us? Well ….

Take this question for example. A while back we answered a similar question, explaining how a domain user could be added to the local Administrators group on a computer. We expected that, if anything, we’d get a few emails from people saying, “Thanks; that answered my question.” Instead, we got a flood of emails from people saying, “OK, sure. But how do you add a domain group to the local Administrators group?” In turn, that got us a little worried. Does that mean you have to use a different approach to add a domain group to the local Administrators group? Oh my gosh: how do you add a domain group to the local Administrators group?

Faced with a challenge thrown at us, we did what we usually do in that situation: we acted as though the problem never existed. In the past couple of weeks, however, we’ve gotten several more emails on the subject, and we decided that it was time to meet the challenge head-on.

And guess what? It turns out that to add a domain group to the local Administrators group you use the exact same approach you use when adding a domain user to the local Administrators group:

' Name of the computer whose local Administrators group we are changing
strComputer = "atl-ws-01"

' Bind to the local Administrators group and to the domain group, both via the WinNT provider
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
Set objGroup = GetObject("WinNT://fabrikam/accounting")

' Add the domain group to the local group using its WinNT ADsPath
objAdmins.Add(objGroup.ADsPath)

This script begins by assigning the name of the local computer (in this case, atl-ws-01) to a variable named strComputer. We then use this line of code to bind to the local Administrators group on atl-ws-01:

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")

Now comes the one tricky part. We need to create a second object reference by binding to the domain group. When you bind to a group in Active Directory you typically use an ADsPath similar to this:

Set objGroup = GetObject("LDAP://cn=accounting, ou=finance, dc=fabrikam, dc=com")

However, we can’t use a binding string like that in this script. Why not? Well, because we’re working with a local account (the local Administrators group), so we need to use the WinNT provider; for better or worse, the WinNT provider has no idea what something like cn=accounting, ou=finance, dc=fabrikam, dc=com means. Therefore, we have to use an old-fashioned, Windows NT 4.0 binding string, making a connection using the domain_name/logon_name format:

Set objGroup = GetObject("WinNT://fabrikam/accounting")

It’s something you’re not used to doing, but it works.

Note. OK, Scripting Guys, it looks like it’s easier to use the WinNT provider to bind to Active Directory than to use the LDAP provider to bind to Active Directory; if that’s the case, then why don’t we always use the WinNT provider to bind to an Active Directory object? That’s easy. If you bind to an Active Directory object using the LDAP provider you have access to all the Active Directory properties of that object; in the case of a user account, that’s over 200 properties you can read and write. If you bind using the WinNT provider, however, you get access only to the Windows NT properties of that object; for a user account, that amounts to only 20 or so properties. To get to the Active Directory attributes of an object you have to use the LDAP provider. We can use the WinNT provider here because all we need is an object reference; we don’t need any of the properties associated with the account.

As soon as we have an object reference that the WinNT provider understands all we have to do is call the Add method to add the domain group to the local Administrators group:

objAdmins.Add(objGroup.ADsPath)

Just the way we always knew it would work.

Well, OK, just the way we always expected it would work.

OK, just the way we always hoped it would work.

Fine, just the way …. Well, the point is, it does work. And that’s all that really matters.
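The same WinNT-provider binding, written as an added PowerShell example (not code from the original post). It assumes the computer, domain and group names from the article and adds a check that a practitioner would want before granting local administrator rights: it lists the current members first and skips the Add if the group is already there, since Add on an existing member raises an error.

```powershell
# Added example, not from the original post. Function and parameter names are assumptions.
function Add-DomainGroupToLocalAdmins {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # e.g. 'atl-ws-01'
        [Parameter(Mandatory)] [string] $Domain,         # NetBIOS domain name, e.g. 'fabrikam'
        [Parameter(Mandatory)] [string] $GroupName       # e.g. 'accounting'
    )

    # Bind to the local Administrators group with the WinNT provider, exactly as the post does.
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"

    # Enumerate the current members. Each member is a raw COM object, so its
    # ADsPath has to be read through InvokeMember rather than as a normal property.
    $members = @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }

    # WinNT-style path of the domain group: domain_name/group_name, not an LDAP DN.
    # The WinNT provider cannot resolve "cn=accounting,ou=finance,dc=fabrikam,dc=com".
    $groupPath = "WinNT://$Domain/$GroupName"

    # Record the membership before the change; a local Administrators grant is
    # worth keeping in a change log.
    Write-Verbose "Members of Administrators on $ComputerName before: $($members -join ', ')"

    # -contains compares strings case-insensitively, so 'WinNT://FABRIKAM/accounting' matches too.
    if ($members -contains $groupPath) {
        Write-Verbose "$groupPath is already a member; nothing to do."
        return $false
    }

    # Same call as objAdmins.Add(objGroup.ADsPath) in the VBScript above.
    $admins.Add("$groupPath,group")
    Write-Verbose "Added $groupPath to Administrators on $ComputerName."
    return $true
}

# Example call; -Verbose prints the membership that was found before the change.
# Add-DomainGroupToLocalAdmins -ComputerName 'atl-ws-01' -Domain 'fabrikam' -GroupName 'accounting' -Verbose
```

The function returns $true when it added the group and $false when the group was already a member, so it can be run repeatedly without error.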


Comments
  • Ok, this is great, but what if you have 2 different domains with the same structure and you would like the script to see what domain the computer is a part of before it adds the group to the local Administrators group?

  • I need to run this on a domain joined computer and run it as the local administrator. However, I can't query AD to see the domain group. I get "Access Denied". How do I pass the needed credentials?
    Please don't say "GPO". I need a script, scripting guy!

  • thank you