Script to add local group

Posted on 2008-10-14
Last Modified: 2010-04-21
I need to add a domain group to the local administrators group of all computers in the domain. I figured I could use the following command:

net localgroup "Administrators" "domain\groupname" /add

But, for some reason I cannot get this to apply to the computers in the domain. Does anyone know a VBS or BAT script that will allow me to apply this to all computers in the domain?
Question by:frevere

Expert Comment

ID: 22713004
In order for me to help you do this right, as I already have a VBScript written for this, I need you to tell me a couple of things so that we do this the safe way.

1) Are you going to add this domain group to local admin group of ALL domain computers, including the servers? Or are you going to add this Domain Group to local administrators group of Workstations ONLY?
2) If the answer to question 1 is workstations only, then what OS are those workstations running and what service pack?


Author Comment

ID: 22713186
Thanks Hubasan.  To answer your questions:  1) I will be adding this domain group to ALL computers in the domain.  At this point a check of the OS is really not needed but we are running Server 2003 SP2 and all workstations are XP SP2.

Author Comment

ID: 22713267
What is odd and maybe you can help is that I researched this issue and have been trying to use WMI to make the changes but I get a ReturnValue=9, and I do not know what object is invalid.

Accepted Solution

Hubasan earned 125 total points
ID: 22713549
Ok here is the script, but please read this through the end so that you know how to apply it successfully.

Here is how this script works:
1) The script will use ROOTDSE to get your domain name and connect to its Directory.
2) Will scan every single computer in your domain, ping it for availability and if available, add domain group of your choosing to Local Admin group of that PC.
3) It will create 3 different log files in the same folder you execute the script from, with following names
a) Results.log
b) PCsNotOnline.log
c) PCsDontExist.log

The first log file will contain the computer names of the PCs where the domain group was added to the local admin group.
The second will give you the computer names of PCs that were not ONLINE at the time the script ran.
The third will give you computer names that your DOMAIN still has but that are not IN DNS anymore (a very common occurrence in large corporations like my own). This simply means those computers don't exist on your domain anymore.
4) Since you are running this script for the first time in your Domain, I have placed a safety mechanism that will prompt you "Do you want to continue?" after EACH computer that was processed.
You can remove this safety by deleting following lines:

  sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
  If sRes = vbNo Then
        oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
        WScript.Quit   ' actually stop; without this the loop would carry on after the "Exiting!" popup
  End If

I would URGE you to leave it in place and process one computer at a time for now, just to see how it works. Then connect to that PC and make sure that the Domain Group was added to the Local Admin group as intended. When you see that a couple of them work fine, you can remove the safety and just run the script without it.

In the script code you HAVE TO change a variable called sDomainGroup to reflect the domain group that you wish to add to the Local Admin group of your PCs.

That's about it.

If you have any questions please feel free to ask.

On Error Resume Next

Const cTitle = "Add Domain group to Local group of All AD Computers"
Const ADS_SCOPE_SUBTREE = 2   ' ADSI enum, not predefined in VBScript; must be declared

Set oNet = CreateObject("WScript.Network")
Set oWS  = CreateObject("WScript.Shell")
Set oFS  = CreateObject("Scripting.FileSystemObject")

' Log files are written next to the script itself
sScriptName   = WScript.ScriptName
sScriptPath   = WScript.ScriptFullName
sLogFile      = Replace(sScriptPath, sScriptName, "Results.log")
sPCsNotOnline = Replace(sScriptPath, sScriptName, "PCsNotOnline.log")
sPCsDontExist = Replace(sScriptPath, sScriptName, "PCsDontExist.log")

Set oLogFile      = oFS.CreateTextFile(sLogFile, True)
Set oPCsNotOnline = oFS.CreateTextFile(sPCsNotOnline, True)
Set oPCsDontExist = oFS.CreateTextFile(sPCsDontExist, True)

sDomain      = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup  = "Administrators" ' I presume you want to use Local Admin group, if not change this as well.

' Bind to the root of the current domain and query every computer object under it
Set oRootDSE = GetObject("LDAP://rootDSE")
sADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")

Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"

Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
        "'" & sADsPath & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 5000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set oRecordSet = oCommand.Execute

Do Until oRecordSet.EOF
	sComputer = UCase(oRecordSet.Fields("Name").Value)
	sIsOnline = Ping(sComputer)

	If IsNull(sIsOnline) Then
		' Null StatusCode: name does not resolve, computer object is stale
		oPCsDontExist.WriteLine sComputer
	ElseIf sIsOnline = 11010 Then
		' Request timed out: exists in DNS but not reachable right now
		oPCsNotOnline.WriteLine sComputer
	ElseIf sIsOnline = 0 Then
		' Online: add the domain group to the local group through the WinNT provider
		Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
		Set oLocalGroup  = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		oLocalGroup.Add oDomainGroup.ADsPath
		oLogFile.WriteLine sComputer
	End If

	' Safety prompt: confirm after every computer (see the note above on removing it)
	sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
	If sRes = vbNo Then
		oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
		WScript.Quit
	End If

	oRecordSet.MoveNext
Loop

oLogFile.Close
oPCsNotOnline.Close
oPCsDontExist.Close

Function Ping(sComputer)
	' Returns the Win32_PingStatus.StatusCode for sComputer (Null if the name cannot be resolved)
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set colPings = objWMIService.ExecQuery _
		("Select * From Win32_PingStatus where Address = '" & sComputer & "'")
	For Each objStatus in colPings
		Ping = objStatus.StatusCode
	Next

	' StatusCode
	'    Data type: uint32
	'    Access type: Read-only
	'    Ping command status codes.
	'    Value    Meaning
	'    0        Success
	'    Null     Could not find host
	'    11001    Buffer Too Small
	'    11002    Destination Net Unreachable
	'    11003    Destination Host Unreachable
	'    11004    Destination Protocol Unreachable
	'    11005    Destination Port Unreachable
	'    11006    No Resources
	'    11007    Bad Option
	'    11008    Hardware Error
	'    11009    Packet Too Big
	'    11010    Request Timed Out
	'    11011    Bad Request
	'    11012    Bad Route
	'    11013    TimeToLive Expired Transit
	'    11014    TimeToLive Expired Reassembly
	'    11015    Parameter Problem
	'    11016    Source Quench
	'    11017    Option Too Big
	'    11018    Bad Destination
	'    11032    Negotiating IPSEC
	'    11050    General Failure
End Function



Expert Comment

ID: 22713702
Hi frevere,

This script that I wrote for you is not using WMI since I also had some issues with it. Here I'm simply using ROOTDSE for domain, ADODB for connection, and WinNT provider instead of WMI to add Domain Group to Local computer's group.
Adding the actual Domain Group to the Local Group is basically three lines, but there is a lot of support code to facilitate processing ALL DOMAIN computers, pinging them, proper information flow and logging.
It's really not that complicated at all once you know exactly what you want. So if you want to change anything and are not sure how, don't hesitate to ask. That's why we are here. :-)

Author Comment

ID: 22713803
Before running this against all computers in the domain, I would like to run this script against a couple of test servers and workstations.  How do I specify a specific machinename or OU?

Author Comment

ID: 22713879
In fact, I should ask is there a way for your script to read a txt file with the test computers listed and then run the process against only those computers?

Expert Comment

ID: 22713956
You can specify a computer name in the following line:

sComputer = oRecordSet.Fields("Name").Value

Instead of oRecordSet.Fields("Name").Value, just put the computer you want to connect to in double quotes, like this:

sComputer = "MyServer01"

The script doesn't require you to specify the OU since it connects to the ROOT of your domain, which means that it will find all computer objects that are within 2 sub levels of the root.
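As an added, read-only companion to the two follow-ups above (this is not Hubasan's code and is not part of the original thread), the script below restricts the computer query to one OU by changing the search base instead of binding to the domain root, and then, for each computer found, lists the members of the local Administrators group through the same WinNT provider and reports whether the domain group is present. It changes nothing on the target machines, so it is the check to run after the addition script on a couple of test boxes. The OU distinguished name and the group name are placeholders to replace.

```vbscript
' Audit only: report which computers in one OU have the domain group in their
' local Administrators group. Nothing is added or removed.
Option Explicit
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2

Dim oNet, oConnection, oCommand, oRecordSet, oLocalGroup, oMember
Dim sDomain, sDomainGroup, sLocalGroup, sSearchBase, sComputer, bFound

Set oNet = CreateObject("WScript.Network")
sDomain      = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"     ' same placeholder as the scripts above
sLocalGroup  = "Administrators"
' Placeholder OU: scope the query to a test OU rather than the whole domain
sSearchBase  = "LDAP://OU=TestComputers,DC=example,DC=local"

Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = "Select Name from '" & sSearchBase & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 1000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set oRecordSet = oCommand.Execute

Do Until oRecordSet.EOF
    sComputer = UCase(oRecordSet.Fields("Name").Value)
    Err.Clear
    Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
    If Err.Number <> 0 Then
        ' Offline, no admin rights on the box, or name does not resolve
        WScript.Echo sComputer & vbTab & "UNREACHABLE (error 0x" & Hex(Err.Number) & ")"
    Else
        bFound = False
        ' Each member's Parent is its container path, e.g. WinNT://MYDOMAIN for
        ' domain principals or WinNT://COMPUTERNAME for local accounts
        For Each oMember In oLocalGroup.Members
            If UCase(oMember.Name) = UCase(sDomainGroup) And _
               UCase(oMember.Parent) = UCase("WinNT://" & sDomain) Then bFound = True
        Next
        If bFound Then
            WScript.Echo sComputer & vbTab & "OK"
        Else
            WScript.Echo sComputer & vbTab & "MISSING " & sDomain & "\" & sDomainGroup
        End If
    End If
    oRecordSet.MoveNext
Loop
```

Run it with cscript so the one-line-per-computer report goes to the console and can be redirected to a file.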

Author Closing Comment

ID: 31505879
Great script.....thanks.   Added the group with no problems.

Expert Comment

ID: 22714856
No problem, glad to help.

If you still want to read computer names from the Text file and then work on only those computers, you can use the following code:

This would be just a basic script to add the Domain Group to the Local group on each of the computers that are in the text file, instead of probing your Domain for computer names.

Again, just change sDomainGroup and the path to your txt file that contains the Computer Names.
Const ForReading = 1

Set oFS  = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

sDomain      = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup  = "Administrators"

' One computer name per line
Set oTextFile = oFS.OpenTextFile("C:\PathToYourTextFileWithComputerNames.txt", ForReading)

Do While oTextFile.AtEndOfStream <> True
	sComputer = Trim(oTextFile.ReadLine)
	If sComputer <> "" Then   ' skip blank lines, which would otherwise break the WinNT path
		Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
		Set oLocalGroup  = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		oLocalGroup.Add oDomainGroup.ADsPath   ' adds the domain group to the local group
	End If
Loop

oTextFile.Close


