DSC Script for adding a Domain group to local administrators group

This topic contains 1 reply, has 2 voices, and was last updated by Daniel Krebs 3 months, 2 weeks ago.

  • #60111
    Nimesh
    Participant

    Hello,

    I am looking for a simple DSC script (using the Group resource) which can be used to add multiple AD groups into local administrators on multiple servers. Could someone please help?

  • #60196
    Daniel Krebs
    Participant

    Please see if the below works for you in a test environment. You'll need to work with certificates to properly secure the credential password.

    Configuration AddGroupMembers {
    
        param (
            [Parameter(Mandatory)]
            [System.String]
            $GroupName,
    
            [Parameter(Mandatory)]
            [System.String[]]
            $MembersToInclude,
    
            [Parameter(Mandatory)]
            [System.Management.Automation.PSCredential]
            $Credential
        )
    
        Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group
    
        Node $AllNodes.NodeName { 
            Group AddGroupMembers {
                Ensure = 'Present'
                GroupName = $GroupName
                MembersToInclude = $MembersToInclude
                Credential = $Credential
            }
        }
    }
    
    $ConfigData = @{
        AllNodes = @(
            @{
                # the name of the target node
                NodeName = 'localhost'
    
                # This is not recommended, only for testing purposes. Replace with Thumbprint and CertificateFile after testing.
                PsDscAllowPlainTextPassword = $true
    
                # Suppress warning: It is not recommended to use domain credential ...
                PSDscAllowDomainUser = $true
            }
        )
    }
    
    $AddParams = @{
        GroupName = 'Event Log Readers'
        MembersToInclude = 'DOMAIN\my-group'
        Credential = (Get-Credential -Credential 'DOMAIN\admin user')
        ConfigurationData = $ConfigData
    }
    AddGroupMembers @AddParams
    

    I hope that helps to get started. Additional details regarding the encryption can be found here: https://msdn.microsoft.com/en-us/powershell/dsc/secureMOF

    The online documentation for the Group resource is here: https://msdn.microsoft.com/en-us/powershell/dsc/groupresource
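
An added example, not part of the post above or of the DSC documentation: the same configuration with the test-only `PsDscAllowPlainTextPassword` setting replaced by the `CertificateFile` and `Thumbprint` node keys that the post's comment refers to, extended to several servers and to the local Administrators group from the question. Server names, certificate paths, thumbprints and domain group names are placeholders, and each node is assumed to already hold a document-encryption certificate together with its private key.

```powershell
# Added example. Node names, paths, group names and thumbprints are placeholders.
Configuration AddGroupMembersSecure {
    param (
        [Parameter(Mandatory)] [System.String]   $GroupName,
        [Parameter(Mandatory)] [System.String[]] $MembersToInclude,
        [Parameter(Mandatory)] [System.Management.Automation.PSCredential] $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group

    Node $AllNodes.NodeName {
        # Tell this node's LCM which certificate decrypts the credential in its MOF.
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
        }
        Group AddGroupMembers {
            Ensure           = 'Present'
            GroupName        = $GroupName
            MembersToInclude = $MembersToInclude
            Credential       = $Credential
        }
    }
}

# One entry per server. CertificateFile is the node's exported public key (.cer);
# the matching private key never leaves the node. No PsDscAllowPlainTextPassword.
$ConfigData = @{
    AllNodes = @(
        @{ NodeName = '*'; PSDscAllowDomainUser = $true },
        @{ NodeName        = 'SERVER01'
           CertificateFile = 'C:\PublicKeys\SERVER01.cer'
           Thumbprint      = '<SERVER01-CERT-THUMBPRINT>' },
        @{ NodeName        = 'SERVER02'
           CertificateFile = 'C:\PublicKeys\SERVER02.cer'
           Thumbprint      = '<SERVER02-CERT-THUMBPRINT>' }
    )
}

$Credential = Get-Credential -Message 'Domain account allowed to resolve the groups'
$OutputPath = 'C:\DSC\AddGroupMembersSecure'
AddGroupMembersSecure -GroupName 'Administrators' `
    -MembersToInclude 'DOMAIN\Server-Admins', 'DOMAIN\Ops-Admins' `
    -Credential $Credential -ConfigurationData $ConfigData -OutputPath $OutputPath

# Refuse to push if the password is readable in any compiled MOF.
$plain = $Credential.GetNetworkCredential().Password
if (Select-String -Path "$OutputPath\*.mof" -Pattern $plain -SimpleMatch -Quiet) {
    throw 'Plaintext password found in a MOF; check CertificateFile and Thumbprint.'
}

Set-DscLocalConfigurationManager -Path $OutputPath   # applies the *.meta.mof files
Start-DscConfiguration -Path $OutputPath -Wait -Verbose
```

Because `MembersToInclude` only adds members, existing local administrators on each server are left in place.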
