Create server/clients admins groups

This topic contains 12 replies, has 3 voices, and was last updated by  Roger Ohlsson 1 week, 6 days ago.

  • #85043

    Roger Ohlsson
    Participant

    Hi.
    Need help to automate one manual process we have here: when a new server is installed, we have one job to create a new server admins group and add it to an existing server admins group. How can we automatically do this job through a script with a txt input file?

    Script should do:
    Create a new servername.admins domain group. The new group should be a member of an already existing group called winservers.admins, and this new group should be added to the local administrators group on the new server.

  • #85048

    Olaf Soyk
    Participant

    Well, this forum isn't really about writing a script for you, but we're happy to try and answer questions! Did you have a specific question you wanted to start with?

    Also find prewritten scripts here: http://gallery.technet.microsoft.com/

    Learn PowerShell: https://mva.microsoft.com/en-us/training-courses/getting-started-with-microsoft-powershell-8276

    Script requests: https://gallery.technet.microsoft.com/scriptcenter/site/requests

  • #85052

    Roger Ohlsson
    Participant

    Hi.
    Yes, I understand that you can't deliver a finished script for me. I just need guidelines on how to start; I haven't got deep knowledge of PowerShell.

    • #85063

      Olaf Soyk
      Participant
      Get-Command -Noun *localGroup* | Get-help

      for the local group part and

      Get-Command -Name *adgroup* | Get-Help

      for the AD group part.
      That's why I recommended learning PowerShell. There you would have learned how to search for commands or for help. 😉

  • #85070

    Jon
    Participant

    So in theory you could have a text or CSV file with the group names in it; Get-Content or Import-Csv is the command you want for that.

    New-ADGroup will create your groups.

    Add-ADGroupMember will add your new group to the current winservers.admins.

    Depending on what version of PowerShell you are running, you can use Add-LocalGroupMember to add your domain group to the local admins group on the server, or you would need to use the old net commands, i.e. net localgroup.

  • #85097

    Roger Ohlsson
    Participant

    Hi.
    I did it after some googling and Get-Help.

    # Load the VisualBasic assembly for InputBox (Add-Type replaces the obsolete LoadWithPartialName)
    Add-Type -AssemblyName Microsoft.VisualBasic
    $grp = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a group name", "Group", "$env:GroupName")
    $dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Description", "Description", "$env:Description")
    New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=C1,DC=domain,dc=int" -Description $dspr
    Start-Sleep -Seconds 9
    Get-ADGroup $grp
    Add-ADGroupMember -Identity $grp -Members ServerAdmins 
    
    • #85106

      Jon
      Participant

      You can use PowerShell to get those variables without using VB

      i.e.

      $group = Read-Host "Enter group name"

      Also the below code is a bit redundant

      Get-ADGroup $grp
      Add-ADGroupMember -Identity $grp -Members ServerAdmins

      You can do this instead

      Add-ADGroupMember -Identity $grp -Members ServerAdmins
  • #85112

    Roger Ohlsson
    Participant

    I use Visual Basic to get a popup window to type in the name. Yes, I know about

    Get-ADGroup $grp
    Add-ADGroupMember -Identity $grp -Members ServerAdmins
    

    I just want to get a confirmation about the new group. Now I have to solve the local administrators membership.

  • #85135

    Roger Ohlsson
    Participant

    I have tried to make the local administrators add work with this, but it won't work

    
    $dgrp = $grp
    $localgrp = "Administrators"
    $client =  [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Server name", "Group", "$env:computername")
    $domain = $env:USERDOMAIN
    
    ([ADSI]"WinNT://$client/$localgrp,group").psbase.Invoke("Add",
    ([ADSI]"WinNT://$domain/$dgrp").path)
    
  • #85144

    Jon
    Participant

    Did you look into any of the commands I mentioned earlier? net localgroup and add-localgroupmember?

    If you have PowerShell remoting enabled you could do something like

    Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\group" /add} 

    or if you have PS 5.1 installed on the servers

    Invoke-Command -ComputerName $computername -scriptblock {Add-Localgroupmember -Group Administrators -member "domain\group"} 
  • #85229

    Roger Ohlsson
    Participant

    I have tried net localgroup, but I have to add the group $grp that I created earlier in the script,
    like net localgroup Administrators "domain\$grp" or "$grp" /add, but will this ever work?

    • #85241

      Jon
      Participant

      Assuming you are running all of this from the same script, yes you can pass that $grp variable into net local command.

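      # $using: passes the local $grp into the remote script block; /add stays outside the quotes
      Invoke-Command -ComputerName $computername -ScriptBlock { net localgroup administrators "domain\$($using:grp)" /add }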
  • #85288

    Roger Ohlsson
    Participant

    The script is adding a domain local group to a global group. The script cannot add the domain local group to local administrators, but if I change it to the nested global group it works.
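
Added example, not written by any participant in this thread: the whole procedure from the first post (text file in, per-server group created, nested in winservers.admins, added to local Administrators) as one re-runnable script. The file name servers.txt, the Global group scope, the use of $env:USERDOMAIN as the NetBIOS domain name and the host-name pattern are assumptions; the OU and group names are the ones used in the thread.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServerList    = '.\servers.txt',                     # assumed: one server name per line
    [string]$ParentGroup   = 'winservers.admins',                 # existing group from the first post
    [string]$GroupOU       = 'ou=Groups,ou=C1,DC=domain,dc=int',  # OU used in the thread's script
    [string]$NetBiosDomain = $env:USERDOMAIN                      # assumed to match the target domain
)

foreach ($line in Get-Content -Path $ServerList) {
    $server = $line.Trim()
    if (-not $server) { continue }
    # Only NetBIOS-style host names pass, so file content never reaches an AD filter or a remote command unchecked.
    if ($server -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$') {
        Write-Warning "Skipping invalid server name '$server'"
        continue
    }
    $group = "$server.admins"

    # Create the per-server group only when it is missing, so the script is safe to re-run.
    # Global scope is an assumption: a global group can be nested in a parent of any scope in the same domain.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'") -and
        $PSCmdlet.ShouldProcess($group, 'Create AD group')) {
        New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security `
            -Path $GroupOU -Description "Local administrators of $server"
    }

    # Nest the new group in the existing parent group unless it is already a member.
    $nested = (Get-ADGroupMember -Identity $ParentGroup).SamAccountName -contains $group
    if (-not $nested -and $PSCmdlet.ShouldProcess($ParentGroup, "Add member $group")) {
        Add-ADGroupMember -Identity $ParentGroup -Members $group
    }

    # Add the domain group to the server's local Administrators group over PowerShell remoting.
    if ($PSCmdlet.ShouldProcess($server, "Add $NetBiosDomain\$group to local Administrators")) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            $member = "$($using:NetBiosDomain)\$($using:group)"   # $using: carries local values into the remote block
            if (-not (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue)) {
                net localgroup Administrators $member /add        # fallback for PowerShell older than 5.1
            } elseif (-not (Get-LocalGroupMember -Group Administrators -Member $member -ErrorAction SilentlyContinue)) {
                Add-LocalGroupMember -Group Administrators -Member $member
            }
        }
    }
}
```

Run it with -WhatIf first to list the planned changes without making them.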
