DSC Script for adding a Domain group to local administrators group

This topic contains 1 reply, has 2 voices, and was last updated by  Daniel Krebs 1 year, 5 months ago.

  • #60111



    I am looking for a simple DSC script (using the Group resource) which can be used to add multiple AD groups into local administrators on multiple servers. Could someone please help?

  • #60196

    Daniel Krebs

    Please see if the below works for you in a test environment. You'll need to work with certificates to properly secure the credential password.

    Configuration AddGroupMembers {
        param (
            [Parameter(Mandatory)] [string]       $GroupName,
            [Parameter(Mandatory)] [string[]]     $MembersToInclude,
            [Parameter(Mandatory)] [pscredential] $Credential
        )

        Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group

        Node $AllNodes.NodeName {
            Group AddGroupMembers {
                Ensure = 'Present'
                GroupName = $GroupName
                MembersToInclude = $MembersToInclude
                Credential = $Credential
            }
        }
    }

    $ConfigData = @{
        AllNodes = @(
            @{
                # the name of the target node
                NodeName = 'localhost'
                # This is not recommended, only for testing purposes. Replace with Thumbprint and CertificateFile after testing.
                PsDscAllowPlainTextPassword = $true
                # Suppress warning: It is not recommended to use domain credential ...
                PSDscAllowDomainUser = $true
            }
        )
    }

    $AddParams = @{
        GroupName = 'Event Log Readers'
        MembersToInclude = 'DOMAIN\my-group'
        Credential = (Get-Credential -Credential 'DOMAIN\admin user')
        ConfigurationData = $ConfigData
    }

    # Compile the configuration into a MOF file for each node
    AddGroupMembers @AddParams

    I hope that helps to get started. Additional details regarding the encryption can be found here: https://msdn.microsoft.com/en-us/powershell/dsc/secureMOF

    The online documentation for the Group resource is here: https://msdn.microsoft.com/en-us/powershell/dsc/groupresource
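
The reply's "Replace with Thumbprint and CertificateFile after testing" step, extended to several groups and several servers as the question asks. This is an added example, not code from the thread. The configuration name, server names, certificate paths and group names are hypothetical, and it assumes each server already holds a document-encryption certificate whose public key has been exported to the authoring machine.

```powershell
Configuration AddDomainGroupsToAdmins {
    param (
        [Parameter(Mandatory)] [string[]]     $DomainGroups,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration -Name Group
    Node $AllNodes.NodeName {
        Group LocalAdministrators {
            Ensure           = 'Present'
            GroupName        = 'Administrators'
            MembersToInclude = $DomainGroups  # adds these; existing members stay
            Credential       = $Credential
        }
        # The node's LCM decrypts the MOF with the private key of this certificate.
        LocalConfigurationManager {
            CertificateId = $Node.Thumbprint
        }
    }
}

# Public-key file exported from each server (hypothetical names and paths).
$Servers = @{
    'SERVER01' = 'C:\PublicKeys\SERVER01.cer'
    'SERVER02' = 'C:\PublicKeys\SERVER02.cer'
}
$ConfigData = @{
    AllNodes = @(
        foreach ($name in $Servers.Keys) {
            $path = $Servers[$name]
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
            @{
                NodeName             = $name
                CertificateFile      = $path             # encrypts the password at compile time
                Thumbprint           = $cert.Thumbprint  # read from the file, so it cannot mismatch
                PSDscAllowDomainUser = $true
                # PsDscAllowPlainTextPassword is deliberately absent.
            }
        }
    )
}
$Params = @{
    DomainGroups      = 'DOMAIN\server-admins', 'DOMAIN\ops-admins'  # placeholder groups
    Credential        = (Get-Credential -Message 'Domain account used to resolve the groups')
    ConfigurationData = $ConfigData
    OutputPath        = '.\AddDomainGroupsToAdmins'
}
AddDomainGroupsToAdmins @Params                                    # writes <node>.mof and <node>.meta.mof
Set-DscLocalConfigurationManager -Path .\AddDomainGroupsToAdmins  # registers CertificateId on each node
Start-DscConfiguration -Path .\AddDomainGroupsToAdmins -Wait -Verbose
```

After compiling, open one of the generated `.mof` files and confirm the `Password` value is an encrypted blob rather than readable text before distributing it.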
