How to script adding global groups to local groups on multiple computers

Hello everyone.

I'm not scripting expert like most of you in here and thus could use your help.

I'm trying to add a domain global group and several other user accounts to the the local administrators group on several servers.  I know how to add one group to one server using the command below.

net localgroup administrators domain\group /add

This works great.  My question is how would I word a script/batch file to do that plus several other domain groups and users and then be able to apply that to a list of servers?

Let me know if you need further explanation.  I would prefer a solution using some form of script and not group policy.

Thanks,

Brian
LVL 20
BrianIT ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Eagle6990Commented:
Open up Notepad and use that command several times to add each group you are wanting to add.  Just put each one on a separate line.  When you are finished, save the file as Whatever.bat and make sure you change the "Save as type" from Text to All Files.

Now you should have an automated batch file that will add the groups to whatever computer it is run on.

Then create a Group Policy Object with Active Directory Users and Computers.   In the "Computer Configuration" section go to Windows Settings>scripts>Startup and add the batch file you just created.

You can then change the security permissions on the GPO to only apply to the computers you are wanting it to touch.
TheCleanerCommented:
LOL, I was all ready to say use Restricted Groups in Group Policy (since you can add groups and users without disrupting the existing ones in the local admins group), which is much easier, then I saw your final statement.


But like Eagle6990 said, so the script would look something like:


@echo off
net localgroup administrators domain\group /add
net localgroup administrators domain\username /add
net localgroup administrators domain\group#2 /add
net localgroup administrators domain\username#2 /add


Note like Eage said, you have to apply it to the Compuer Configuration section in GP, not the User configuration.
TheCleanerCommented:
oops...I should read better...you just want to run the script to apply it remotely to a list of servers, right?

Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Jeff BeckhamEngineerCommented:
You can use the net localgroup /add command in conjuntion with psexec (http://www.sysinternals.com/Utilities/PsExec.html).  Psexec allow you to run the command on the remote machine and have your output piped back to you from wherever you're running the command.
TheCleanerCommented:
Here's a script for you (I'm not that great, but it should do):

======================================================================



On Error Resume Next

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("c:\scripts\servers.txt", ForReading)

Do Until objTextFile.AtEndOfStream
    strComputer = objTextFile.Readline

    ' =====================================================================
   
    ' =====================================================================

                  Set oLocalGroup = GetObject("WinNT://" & strComputer & _
                        "/Administrators,group")
            Set oDomainUser1 = GetObject("WinNT://DOMAIN/TESTUSER,user")
                                Set oDomainUser2 = GetObject("WinNT://DOMAIN/TESTUSER2,user")
                                Set oDomainGroup1 = GetObject("WinNT://DOMAIN/TESTGROUP1,group")
                                Set oDomainGroup2 = GetObject("WinNT://DOMAIN/TESTGROUP2,group")
            On Error Resume Next
            oLocalGroup.Add(oDomainUser1.ADsPath)
                                oLocalGroup.Add(oDomainUser2.ADsPath)
                                oLocalGroup.Add(oDomainGroup1.ADsPath)
                                oLocalGroup.Add(oDomainGroup2.ADsPath)
            On Error Goto 0
     
    ' =====================================================================
    ' End
    ' =====================================================================

Loop

objTextFile.Close

==================================================================================



What this will do is take the input from c:\scripts\servers.txt (put each server in a separate line)

then it will get the local Admins group

then it will add the 2 user accounts and the 2 groups to the local admins group of the server, then move on to the next server in servers.txt


Let me know if that works for you.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
TheCleanerCommented:
Thanks for the points...glad the script worked for you.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.