Create server/clients admins groups


This topic contains 14 replies, has 3 voices, and was last updated by Participant 9 months, 3 weeks ago.

  • #85043

    Participant
    Points: 1
    Rank: Member

    Hi.
    Need help to automate one manual process we have here: when a new server is installed, we have one job to create a new server admins group and add it to an existing server admins group. How can we automatically do this job through a script with a txt input file?

    Script should do:
    Create a new servername.admins domain group. The new group should be member of an already existing group called winservers.admins and add this new group to the local administrators group on the new server

  • #85048

    Participant
    Points: 246
    Helping Hand
    Rank: Participant

    Well, this forum isn't really about writing a script for you, but we're happy to try and answer questions! Did you have a specific question you wanted to start with?

    Also find prewritten scripts here: http://gallery.technet.microsoft.com/

    Learn PowerShell: https://mva.microsoft.com/en-us/training-courses/getting-started-with-microsoft-powershell-8276

    Script requests: https://gallery.technet.microsoft.com/scriptcenter/site/requests

  • #85052

    Participant
    Points: 1
    Rank: Member

    Hi.
    Yes, I understand that you can't deliver a finished script for me. I just need guidelines on how to start; I haven't got deep knowledge of PowerShell.

    • #85063

      Participant
      Points: 246
      Helping Hand
      Rank: Participant
      Get-Command -Noun *localGroup* | Get-help

      for the local group part and

      Get-Command -Name *adgroup* | Get-Help

      for the AD group part.
      That's why I recommended learning PowerShell. There you would have learned how to search for commands or for help. 😉

  • #85070
    Jon

    Participant
    Points: 35
    Rank: Member

    So in theory you could have a text or CSV file with the group names in it; Get-Content or Import-Csv is the command you want for that.

    New-ADGroup will create your groups.

    Add-ADGroupMember will add your new group to the current winservers.admins.

    Depending on what version of PowerShell you are running, you can use Add-LocalGroupMember to add your domain group to the local admins group on the server, or you would need to use the old net commands, i.e. net localgroup.

  • #85097

    Participant
    Points: 1
    Rank: Member

    Hi.
    I did it after some Googling and Get-Help:

    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $grp = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a group name", "Group", "$env:GroupName")
    $dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Description", "Description", "$env:Description")
    New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=C1,DC=domain,dc=int" -Description $dspr
    Start-Sleep -Seconds 9
    Get-ADGroup $grp
    Add-ADGroupMember -Identity $grp -Members ServerAdmins 
    
    • #85106
      Jon

      Participant
      Points: 35
      Rank: Member

      You can use PowerShell to get those variables without using VB,

      i.e.

      $group = Read-Host "Enter group name"

      Also the below code is a bit redundant

      Get-ADGroup $grp
      Add-ADGroupMember -Identity $grp -Members ServerAdmins

      You can do this instead

      Add-ADGroupMember -Identity $grp -Members ServerAdmins
  • #85112

    Participant
    Points: 1
    Rank: Member

    I use Visual Basic to get a popup window to type in the name. Yes, I know about

    Get-ADGroup $grp
    Add-ADGroupMember -Identity $grp -Members ServerAdmins
    

    I just want to get a confirmation about the new group. Now I have to solve the local administrators membership.

  • #85135

    Participant
    Points: 1
    Rank: Member

    I have tried to get the add to local administrators to work with this, but it won't work:

    
    $dgrp = $grp
    $localgrp = "Administrators"
    $client =  [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Server name", "Group", "$env:computername")
    $domain = $env:USERDOMAIN
    
    ([ADSI]"WinNT://$client/$localgrp,group").psbase.Invoke("Add",
    ([ADSI]"WinNT://$domain/$dgrp").path)
    
  • #85144
    Jon

    Participant
    Points: 35
    Rank: Member

    Did you look into any of the commands I mentioned earlier, net localgroup and Add-LocalGroupMember?

    If you have PowerShell remoting enabled you could do something like

    Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\group" /add} 

    or if you have PS 5.1 installed on the servers

    Invoke-Command -ComputerName $computername -scriptblock {Add-Localgroupmember -Group Administrators -member "domain\group"} 
  • #85229

    Participant
    Points: 1
    Rank: Member

    I have tried net localgroup, but I have to add the group $grp that I created earlier in the script,
    like net localgroup Administrators "domain\$grp" or "$grp" /add, but will this ever work?

    • #85241
      Jon

      Participant
      Points: 35
      Rank: Member

      Assuming you are running all of this from the same script, yes you can pass that $grp variable into net local command.

      Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\$using:grp" /add}
  • #85288

    Participant
    Points: 1
    Rank: Member

    The script is adding a domain local group to a global group. The script cannot add the domain local group to local administrators, but if I change it to the nested global group it works.

  • #93901

    Participant
    Points: 1
    Rank: Member

    Hi again.
    I'm still struggling with this. I can create the group and get the nesting working, but when it comes to adding the new group to local Administrators, it halts.
    The script looks like this:

    #[System.Threading.Thread]::CurrentThread.GetApartmentState()
    [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
    $grp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i gruppnamn", "Group", "$env:GroupName")
    $dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i beskrivning", "Description", "$env:Description")
    $comp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i Datornamn", "Computer", "$env:ComputerName")
    
    New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=domain,DC=domain,dc=int" -Description $dspr
    Start-Sleep -Seconds 15
    Get-ADGroup $grp
    Add-ADGroupMember -Identity $grp -Members NewAdmins
    Start-Sleep -Seconds 11
    #$DomainName = Get-ADDomain
    #Get-Host $comp
    $AdminGroup = [ADSI]"WinNT://$Comp/Administrators,group"
    $grp = [ADSI]"WinNT://$DomainName/$grp,group"
    $AdminGroup.Add($grp.Path)
    

    When running this script I get the error:
    Exception calling "Add" with "1" argument(s): "An invalid directory pathname was passed
    "
    At line:16 char:1
    + $AdminGroup.Add($grp.Path)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

    I have tried using

    Invoke-Command -ComputerName $computer -scriptblock {net localgroup "administrators" "domain\$grp" /add}
    

    instead of ADSI, and I get the error
    "NotSpecified: (The syntax of this command is::String) [], RemoteException"

  • #93907

    Participant
    Points: 1
    Rank: Member

    When I skip the VB style and just use Read-Host and put some values in $DomainName, I got the script working.
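
The procedure asked for in the first post (text-file input, a servername.admins group nested in winservers.admins, then added to the server's local Administrators), as an added example that is not code from any poster in this thread. The file name servers.txt, the Global group scope, and the use of the PDC emulator as the single domain controller are assumptions; the OU path and group names are the ones quoted in the thread.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ServerList  = '.\servers.txt',                    # assumed input file: one server name per line
    [string]$ParentGroup = 'winservers.admins',                # existing group named in the first post
    [string]$GroupOU     = 'ou=Groups,ou=C1,DC=domain,dc=int', # OU used in the thread's script
    [string]$GroupScope  = 'Global',                           # assumption: a scope $ParentGroup can contain
    [string]$NetBIOS     = $env:USERDOMAIN                     # assumption: run from an account in that domain
)
# Send every AD call to one domain controller so the new group is visible to the next call.
$dc = (Get-ADDomain).PDCEmulator

foreach ($line in Get-Content -Path $ServerList) {
    $server = $line.Trim()
    if (-not $server) { continue }
    # Accept only NetBIOS-style names so stray input never reaches the AD filter or the remote command.
    if ($server -notmatch '^[A-Za-z0-9-]{1,15}$') {
        Write-Warning "Skipped invalid server name '$server'"
        continue
    }
    $groupName = "$server.admins"
    $action    = "Create $groupName, nest it in $ParentGroup, add it to local Administrators"
    if (-not $PSCmdlet.ShouldProcess($server, $action)) { continue }   # honours -WhatIf / -Confirm
    try {
        $group = Get-ADGroup -Filter "SamAccountName -eq '$groupName'" -Server $dc
        if (-not $group) {
            $new = @{
                Name = $groupName; SamAccountName = $groupName; Path = $GroupOU
                GroupScope = $GroupScope; GroupCategory = 'Security'
                Description = "Administrators of $server"
                Server = $dc; PassThru = $true; ErrorAction = 'Stop'
            }
            $group = New-ADGroup @new
            Add-ADGroupMember -Identity $ParentGroup -Members $group -Server $dc -ErrorAction Stop
        }
        Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # Caller variables do not exist in the remote session; $using: copies their values in.
            $member = '{0}\{1}' -f $using:NetBIOS, $using:groupName
            Add-LocalGroupMember -Group Administrators -Member $member -ErrorAction Stop  # PS 5.1+
        }
        $status = 'OK'
    } catch {
        $status = "FAILED: $($_.Exception.Message)"
    }
    # One record per server: a reviewable trail of where local admin rights were granted.
    [pscustomobject]@{ Server = $server; Group = $groupName; Status = $status }
}
```

Running it with -WhatIf first lists the servers it would touch without changing anything. A FAILED status on the remote step right after group creation can mean the server queried a domain controller that has not yet replicated the new group.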

The topic ‘Create server/clients admins groups’ is closed to new replies.