Powershell Adding an AD Group to a Server's local group.

  • Question

  • Hi all, I've been stuck on this problem for three days now. I have searched the web with no real answer to be found. So here it is:

    I'm trying to write a script that does not need the ActiveDirectory module, so I'm using ADSI. I know I could fall back and use the "net add" command, but I'm trying to figure out why what I am trying to do is not working.

    So I'm trying to add an AD Group to a Server's Local Administrators Group.

    # $ServerName is set earlier in the script (not shown here)
    $LocalGroupAdministratorsObj = [ADSI]"WinNT://$ServerName/Administrators,group"
    $Trustee = $ServerName+"_Administrators"
    $AdminADPath = "Domain.com/Directory Services/Logical/Groups/Server Admin Groups"
    $DomainGroup = [ADSI]"WinNT://$AdminADPath/$Trustee,group"
    $LocalGroupAdministratorsObj.add($DomainGroup)   # the call at line 103 that throws below
    $error[0]|format-list -force                     # prints the full error record shown below

    This results in the following error:

    Exception             : System.Management.Automation.MethodInvocationException: Exception calling "add" with "1" argument(s): "Type mismatch. (Exception from HRESULT: 0x80020005 (DISP_E_TYPEMISMATCH))" ---> 
                            System.Runtime.InteropServices.COMException: Type mismatch. (Exception from HRESULT: 0x80020005 (DISP_E_TYPEMISMATCH))
                               --- End of inner exception stack trace ---
                               at System.Management.Automation.Adapter.BaseMethodInvoke(PSMethod method, PSMethodInvocationConstraints invocationConstraints, Object[] arguments)
                               at System.Management.Automation.PSMethod.Invoke(Object[] arguments)
                               at System.Dynamic.UpdateDelegates.UpdateAndExecute2[T0,T1,TRet](CallSite site, T0 arg0, T1 arg1)
                               at System.Management.Automation.Interpreter.DynamicInstruction`3.Run(InterpretedFrame frame)
                               at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
    TargetObject          : 
    CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
    ErrorDetails          : 
    InvocationInfo        : System.Management.Automation.InvocationInfo
    ScriptStackTrace      : at <ScriptBlock>, C:\Users\...\Local.ps1: line 108
    PipelineIterationInfo : {}
    PSMessageDetails      : 
    Exception calling "add" with "1" argument(s): "Type mismatch. (Exception from HRESULT: 0x80020005 (DISP_E_TYPEMISMATCH))"
    At C:\Users\...\Local.ps1:103 char:9
    +         $LocalGroupAdministratorsObj.add($DomainGroup)
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

    I have tried various other methods, including inserting credentials into the Server's Local Group object $LocalGroupAdministratorsObj, such as here:

    $LocalGroupAdministratorsObj = [ADSI]"WinNT://$ServerName/Administrators,group,$($Credential.UserName),$($Credential.GetNetworkCredential().password)"

    Which also didn't help.
    I've also tried:


    To no avail.

    Any help here is appreciated. 


    • Edited by mlsmith2010 Thursday, November 10, 2016 7:29 PM
    • Moved by Bill_Stewart Thursday, March 23, 2017 9:12 PM Abandoned
    Thursday, November 10, 2016 7:28 PM

All replies

  • Hi Mike,

    Is your $domaingroup variable being assigned correctly? On my test domain, when I try and assign $domaingroup, I am getting an unknown error using [ADSI]. Wondering if you are also having issues assigning that variable?

    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Thursday, November 17, 2016 11:59 AM
  • The domain group should be designated similar to "WinNT://MyDomain/MyGroup,group", where "MyDomain" is the NetBIOS name of the domain and "MyGroup" is the sAMAccountName (pre-Windows 2000 name) of the domain group. Remember, the WinNT provider reveals AD as a flat namespace. It recognizes no hierarchy. But sAMAccountName uniquely identifies the object in the domain.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, November 17, 2016 12:32 PM
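As an added example that is not code from the thread, the following function applies the path format described in the reply above (NetBIOS domain name plus sAMAccountName, no OU hierarchy), checks current membership before adding so it can be re-run safely, and passes the ADsPath string rather than the [ADSI] object to Add(). The function and parameter names are assumptions, and it assumes the caller already holds admin rights on the target server.

```powershell
# Added example (not from the original thread). Parameter names are assumptions.
function Add-DomainGroupToLocalGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerName,           # target computer
        [Parameter(Mandatory)] [string] $DomainNetBios,        # e.g. CONTOSO, not the DNS name or an OU path
        [Parameter(Mandatory)] [string] $GroupSamAccountName,  # pre-Windows 2000 name of the domain group
        [string] $LocalGroup = 'Administrators'
    )

    # WinNT is a flat namespace: only NetBIOS domain + sAMAccountName identify the group.
    $domainGroupAdsPath = "WinNT://$DomainNetBios/$GroupSamAccountName"
    $domainGroupPath    = "$domainGroupAdsPath,group"

    # Bind check first, so a bad path fails with a readable message instead of
    # a DISP_E_TYPEMISMATCH or a silent failure later.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($domainGroupPath)) {
        throw "Cannot bind to '$domainGroupPath'. Check the NetBIOS domain name and sAMAccountName."
    }

    $localGroupObj = [ADSI]"WinNT://$ServerName/$LocalGroup,group"

    # Enumerate current members by ADsPath (returned without the ',group' suffix).
    $memberPaths = @($localGroupObj.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })

    if ($memberPaths -contains $domainGroupAdsPath) {
        Write-Verbose "$domainGroupAdsPath is already a member of $LocalGroup on $ServerName"
        return $false
    }

    # IADsGroup::Add expects the ADsPath string, not the [ADSI] object itself.
    $localGroupObj.Add($domainGroupPath)
    Write-Verbose "Added $domainGroupAdsPath to $LocalGroup on $ServerName"
    return $true
}

# Constructed sample call; replace the values with your own.
# Add-DomainGroupToLocalGroup -ServerName 'SERVER01' -DomainNetBios 'CONTOSO' `
#     -GroupSamAccountName 'SERVER01_Administrators' -Verbose
```

Because membership changes to a local Administrators group are security-relevant, run with -Verbose and keep the output with your change record so the addition can be reconciled against event log entries on the target server.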