Adding domain user to local administrator group

    Question

  • Hello. I've made a script that is supposed to add a domain user to a computer's local administrator group. When running this script I get the "No Access" error message, even though the user that is running the script has the rights to add users to this group (can do it through graphical interface).

    I've made a script that does it remotely, and that works. My question is therefore: Why doesn't it work to run it locally on the same computer where you want to add the domain user to the administrator group?

    Here is my script:

    # Log any unhandled exception (timestamp, user, exception type, message), then stop
    trap [Exception] {
        $dato = Get-Date -Format F
        $error1 = "Brukernavn: " + $brukerNavn
        $error2 = "Feil: " + $_.Exception.GetType().FullName;
        $error3 = "Feilmelding: " + $_.Exception.Message;
        $dato >> $($logFile)
        $error1 >> $($logfile)
        $error2 >> $($logFile)
        $error3 >> $($logFile)
        break;
    }

    # Read the computer name first; the log file path is built from it
    $pcNavn = gc env:computername
    $logFile = "C:\Temp\" + $pcNavn + ".log"

    $brukerNavn = gwmi "Win32_ComputerSystem" | ForEach-Object {$_.UserName}
    $OSLanguage = gwmi "Win32_OperatingSystem" | ForEach-Object {$_.OSLanguage}

    # Norwegian
    if($OSLanguage -eq "1044")
    {
        $gruppeNavn = "Administratorer"
    }
    # Other
    else
    {
        $gruppeNavn = "Administrators"
    }

    # Bind to the local group and list the names of its current members
    $group = [ADSI]"WinNT://$pcNavn/$gruppeNavn,group"
    $members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

    # Add the domain user only if it is not already a member
    if($members -notcontains "domainuser")
    {
        $group.Add("WinNT://domainname/domainuser")
    }

    Thank you in advance.

    Wednesday, June 30, 2010 12:25 PM

Answers


  •  Hi,

    Please try the following sample scripts and let us know the result.

    # Bind to the domain user and to the target computer's local Administrators group
    $objUser = [ADSI]("WinNT://fabrikam/kenmyer")
    $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators")

    # Add the user to the group by its ADsPath
    $objGroup.PSBase.Invoke("Add",$objUser.PSBase.Path)

    Or:

    $computerName = Read-Host 'Enter computer name or press <Enter> for localhost'
    $userName = Read-Host 'Enter user name'
    $localGroupName = Read-Host 'Enter local group name'

    # Default to the local computer and look up the current domain name
    if ($computerName -eq "") {$computerName = "$env:computername"}
    [string]$domainName = ([ADSI]'').name
    ([ADSI]"WinNT://$computerName/$localGroupName,group").Add("WinNT://$domainName/$userName")

    Write-Host "User $domainName\$userName is now member of local group $localGroupName on $computerName."

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, July 2, 2010 9:34 AM

All replies

  • Definitely seems like a "head scratcher"....  Same versions of PowerShell on both machines that you've tried it from?

    Wednesday, June 30, 2010 2:10 PM
    Moderator
  • Yes, both run PowerShell 2.0.
    Wednesday, June 30, 2010 2:28 PM

  • Neither of the things you proposed worked. They all returned "No Access". However, when running the script on some other computers in a test environment my original script worked. 

    Still cannot figure out why it didn't work on that one computer though. 

    Saturday, July 3, 2010 9:24 AM
  • What OS's?
    If at first you don't succeed Step-Into

    http://theposherlife.blogspot.com
    http://www.jandctravels.com

    Monday, July 5, 2010 5:21 PM
  • Win7 64bit. 
    Monday, July 5, 2010 5:37 PM
  • Have you disabled UAC on the local computer, or run as administrator for the PoSh session?
    Monday, July 5, 2010 7:29 PM
  • UAC is disabled, but I did not run PowerShell as administrator (however the user is the administrator). That might be the reason!
    Tuesday, July 6, 2010 8:25 AM
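
Added example, not part of the original thread: a local-run variant of the script that first checks whether the current PowerShell process token is elevated (the condition raised in the replies above) and resolves the localized Administrators group name from its well-known SID instead of the OS language code. `CONTOSO` and `jdoe` are placeholder values, and the function names are hypothetical.

```powershell
# Added example; CONTOSO\jdoe is a constructed placeholder account.
param(
    [string]$Domain = 'CONTOSO',   # placeholder domain name
    [string]$User   = 'jdoe'       # placeholder user name
)

function Test-IsElevated {
    # True only when the Administrators SID is enabled in this process token.
    # A non-elevated (filtered) token of an administrator account returns $false.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminGroupName {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; translating
    # it yields the localized name on any OS language.
    $sid     = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    return $account.Split('\')[-1]
}

function Add-DomainUserToLocalAdmins {
    param([string]$Domain, [string]$User)

    # Fail with a clear message instead of an access-denied error from ADSI
    if (-not (Test-IsElevated)) {
        throw "Session is not elevated; start PowerShell with 'Run as administrator' and retry."
    }

    $groupName = Get-LocalAdminGroupName
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    # Member names only (no domain part), the same comparison the original script uses
    $members = $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    if ($members -contains $User) {
        return "$Domain\$User is already a member of $groupName"
    }

    $group.Add("WinNT://$Domain/$User")
    return "Added $Domain\$User to $groupName"
}

Add-DomainUserToLocalAdmins -Domain $Domain -User $User
```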
  • I don't think so, but give it a try.  I may try to reproduce this, but it could be a few days for me.
    Tuesday, July 6, 2010 8:47 AM
    Moderator

  • It seems there is something wrong with your system. Please try to monitor the process for troubleshooting:

    If the problem still occurs, let’s use Process Monitor to trace the process:

    Process Monitor
    http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx   

    Download and run it. Click the File menu, check Capture Events, and try to reproduce this error; when the error occurs, uncheck Capture Events again. Export the events to Logfile.PML and upload the file to Windows Live SkyDrive (http://www.skydrive.live.com/). If you would like other community members to analyze the report, you can paste the link here; if not, you can send the link to tfwst@microsoft.com.

    Thanks.


    Wednesday, July 7, 2010 7:18 AM
  • Windows7 x64, Mervyn's code works for me.
    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar
    Wednesday, July 7, 2010 10:27 AM
    Moderator