
November 28, 2017 at 11:29 am

Hi.
I need help automating a manual process we have here. When a new server is installed, we have a job to create a new server admins group and add it to an existing server admins group. How can we do this job automatically through a script with a txt input file?

Script should do:
Create a new servername.admins domain group. The new group should be a member of an already existing group called winservers.admins, and the script should add this new group to the local administrators group on the new server.

November 28, 2017 at 12:03 pm

Well, this forum isn't really about writing a script for you, but we're happy to try and answer questions! Did you have a specific question you wanted to start with?

Also find prewritten scripts here: http://gallery.technet.microsoft.com/

Learn PowerShell: https://mva.microsoft.com/en-us/training-courses/getting-started-with-microsoft-powershell-8276

Script requests: https://gallery.technet.microsoft.com/scriptcenter/site/requests

November 28, 2017 at 1:08 pm

Hi.
Yes, I understand that you can't deliver a finished script for me. I just need guidelines on how to start; I haven't got deep knowledge of PowerShell.

November 28, 2017 at 3:31 pm

Get-Command -Noun *localGroup* | Get-help

for the local group part and

Get-Command -Name *adgroup* | Get-Help

for the AD group part.
That's why I recommended learning PowerShell. There you would have learned how to search for commands or for help. 😉

November 28, 2017 at 4:17 pm

So in theory you could have a text or csv file with the group names in it, get-content or import-csv is the command you want for that.

New-Adgroup will create your groups

Add-Adgroupmember will add your new group to the current winservers.admins

Depending on what version of PowerShell you are running, you can use Add-Localgroupmember to add your domain group to the local admins group on the server, or you would need to use the old net commands, i.e. net localgroup.

November 28, 2017 at 8:04 pm

Hi.
I did it after some Googling and Get-Help.

[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
$grp = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a group name", "Group", "$env:GroupName")
$dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Description", "Description", "$env:Description")
New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=C1,DC=domain,dc=int" -Description $dspr
Start-Sleep -Seconds 9
Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins 

November 28, 2017 at 8:21 pm

You can use powershell to get those variables without using VB

i.e

$group = Read-Host "Enter group name"

Also the below code is a bit redundant

Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins

You can do this instead

Add-ADGroupMember -Identity $grp -Members ServerAdmins

November 28, 2017 at 8:29 pm

I use Visual Basic to get a popup window to type in the name. Yes, I know about

Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins

I just want to get a confirmation of the new group. Now I have to solve the local administrators membership.

November 29, 2017 at 8:43 am

I have tried to make the local administrators add work with this, but it won't work.


$dgrp = $grp
$localgrp = "Administrators"
$client =  [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Server name", "Group", "$env:computername")
$domain = $env:USERDOMAIN

([ADSI]"WinNT://$client/$localgrp,group").psbase.Invoke("Add",
([ADSI]"WinNT://$domain/$dgrp").path)

November 29, 2017 at 12:50 pm

Did you look into any of the commands I mentioned earlier? net localgroup and add-localgroupmember?

If you have PowerShell remoting enabled you could do something like

Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\group" /add} 

or if you have PS 5.1 installed on the servers

Invoke-Command -ComputerName $computername -scriptblock {Add-Localgroupmember -Group Administrators -member "domain\group"} 

November 30, 2017 at 6:44 am

I have tried net localgroup, but I have to add the group $grp that I created earlier in the script,
like net localgroup Administrators "domain\$grp" or "$grp" /add, but will this ever work?

November 30, 2017 at 12:27 pm

Assuming you are running all of this from the same script, yes you can pass that $grp variable into net local command.

Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\$using:grp" /add}

November 30, 2017 at 8:07 pm

The script is adding a domain local group to a global group. The script cannot add the domain local group to local administrators, but if I change it to the nested global group it works.

February 17, 2018 at 9:10 am

Hi again.
I'm still struggling with this. I can create the group and get the nesting working, but when adding the new group to local Administrators it halts.
The script looks like this:

#[System.Threading.Thread]::CurrentThread.GetApartmentState()
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
$grp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i gruppnamn", "Group", "$env:GroupName")
$dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i beskrivning", "Description", "$env:Description")
$comp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i Datornamn", "Computer", "$env:ComputerName")

New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=domain,DC=domain,dc=int" -Description $dspr
Start-Sleep -Seconds 15
Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members NewAdmins
Start-Sleep -Seconds 11
#$DomainName = Get-ADDomain
#Get-Host $comp
$AdminGroup = [ADSI]"WinNT://$Comp/Administrators,group"
$grp = [ADSI]"WinNT://$DomainName/$grp,group"
$AdminGroup.Add($grp.Path)

When running this script I get the error:
Exception calling "Add" with "1" argument(s): "An invalid directory pathname was passed
"
At line:16 char:1
+ $AdminGroup.Add($grp.Path)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

I have tried using

Invoke-Command -ComputerName $computer -scriptblock {net localgroup "administrators" "domain\$grp" /add}

instead of ADSI, and get the error
"NotSpecified: (The syntax of this command is::String) [], RemoteException"

February 17, 2018 at 10:01 am

When I skip the VB style and just use Read-Host and put some values in $DomainName, I got the script working.
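
The whole task from the first post, driven by a text file, as an added example that is not part of the thread or any poster's script. It assumes a file servers.txt with one server name per line, a Global group scope, and PowerShell remoting plus PS 5.1 on the target servers; the OU and the winservers.admins name are taken from the posts above.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServerList  = '.\servers.txt',                     # assumed file: one server name per line
    [string]$ParentGroup = 'winservers.admins',                 # existing group named in the thread
    [string]$GroupOU     = 'OU=Groups,OU=C1,DC=domain,DC=int',  # OU from the script posted in the thread
    [string]$GroupScope  = 'Global'                             # assumption: a scope $ParentGroup may contain
)

# Resolve the NetBIOS domain name once, so DOMAIN\group is never built from an empty variable
$netbios = (Get-ADDomain).NetBIOSName

$servers = Get-Content -Path $ServerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($server in $servers) {
    # The file drives changes to privileged groups: accept plain NetBIOS host names only
    if ($server -notmatch '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$') {
        Write-Warning "Skipping invalid server name '$server'"
        continue
    }
    $groupName = "$server.admins"
    $member    = "$netbios\$groupName"

    # Never reuse an existing group: its current members would silently become local admins
    if (Get-ADGroup -Filter "SamAccountName -eq '$groupName'") {
        Write-Warning "Group '$groupName' already exists, skipping $server"
        continue
    }

    if ($PSCmdlet.ShouldProcess($server, "Create $groupName, nest in $ParentGroup, add to local Administrators")) {
        New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope $GroupScope `
            -GroupCategory Security -Path $GroupOU -Description "Local administrators of $server"

        # Nest the new group in the existing group, as the original request describes
        Add-ADGroupMember -Identity $ParentGroup -Members $groupName

        # $using: copies the local value into the remote session; a bare $member
        # inside the script block would be empty on the server
        Invoke-Command -ComputerName $server -ScriptBlock {
            Add-LocalGroupMember -Group 'Administrators' -Member $using:member
        }
    }
}
```

Run it with -WhatIf first to list the changes without making them. If the remote step cannot resolve the new group right after creation, the domain controller the server uses may not have replicated it yet, which is what the Start-Sleep calls in the posted scripts were working around.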