Script to add local group

Posted on 2008-10-14
Last Modified: 2010-04-21
I need to add a domain group to the local Administrators group of all computers in the domain.  I figured I could use the following command:

net localgroup "Administrators" "domain\groupname" /add

But, for some reason, I cannot get this to apply to the computers in the domain.  Does anyone know a vbs or bat script that will allow me to apply this to all computers in the domain?
Question by:frevere

Expert Comment

ID: 22713004
In order for me to help you do this right, as I already have a VBScript written for this, I need you to tell me a couple of things so that we do this the safe way.

1) Are you going to add this domain group to the local admin group of ALL domain computers, including the servers? Or are you going to add this domain group to the local Administrators group of workstations ONLY?
2) If question number 1 is workstations only, then what OS are those workstations running, and what service pack?


Author Comment

ID: 22713186
Thanks Hubasan.  To answer your questions:  1) I will be adding this domain group to ALL computers in the domain.  At this point a check of the OS is really not needed, but we are running Server 2003 SP2 and all workstations are XP SP2.

Author Comment

ID: 22713267
What is odd and maybe you can help is that I researched this issue and have been trying to use WMI to make the changes but I get a ReturnValue=9, and I do not know what object is invalid.

Accepted Solution

Hubasan earned 125 total points
ID: 22713549
OK, here is the script, but please read this through to the end so that you know how to apply it successfully.

Here is how this script works:
1) The script will use rootDSE to get your domain name and connect to its directory.
2) It will scan every single computer in your domain, ping it for availability and, if available, add the domain group of your choosing to the local admin group of that PC.
3) It will create 3 different log files in the same folder you execute the script from, with the following names:
a) Results.log
b) PCsNotOnline.log
c) PCsDontExist.log

The first log file will contain the computer names of the PCs where the domain group was added to the local admin group.
The second will give you the computer names of PCs that were not ONLINE at the time the script ran.
The third will give you computer names that your DOMAIN still has but that are not IN DNS anymore (a very common occurrence in large corporations like my own). This simply means those computers don't exist on your domain anymore.
4) Since you are running this script for the first time in your domain, I have placed a safety mechanism that will prompt you "Do you want to continue?" after EACH computer that was processed.
You can remove this safety by deleting the following lines:

	' Safety prompt: remove these lines once you have verified the script on a few computers
	sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
	If sRes = vbNo Then
		oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
		Exit Do
	End If

I would URGE you to leave it in place and process one computer at a time for now, just to see how it works, and then connect to that PC and make sure that the domain group was added to the local admin group as intended. Then, when you see that a couple of them work fine, you can remove the safety and just run the script without it.

In the script code you HAVE TO change a variable called sDomainGroup to reflect the domain group that you wish to add to the local admin group of your PCs.

That's about it.

If you have any questions please feel free to ask.
On Error Resume Next
Const cTitle = "Add Domain group to Local group of All AD Computers"
Const ADS_SCOPE_SUBTREE = 2   ' search the whole tree below the domain naming context
Set oNet = CreateObject("WScript.Network")
Set oWS = CreateObject("WScript.Shell")
Set oFS = CreateObject("Scripting.FileSystemObject")
sScriptName = WScript.ScriptName
sScriptPath = WScript.ScriptFullName
' The three log files are created next to the script
sLogFile = Replace(sScriptPath, sScriptName, "Results.log")
sPCsNotOnline = Replace(sScriptPath, sScriptName, "PCsNotOnline.log")
sPCsDontExist = Replace(sScriptPath, sScriptName, "PCsDontExist.log")
Set oLogFile = oFS.CreateTextFile(sLogFile, True)
Set oPCsNotOnline = oFS.CreateTextFile(sPCsNotOnline, True)
Set oPCsDontExist = oFS.CreateTextFile(sPCsDontExist, True)
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators" ' I presume you want to use Local Admin group, if not change this as well.
' Bind the domain group once through the WinNT provider; its ADsPath is what gets added to each local group
Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
If Err.Number <> 0 Then
	oWS.Popup "Cannot find domain group " & sDomain & "\" & sDomainGroup & ": " & Err.Description, , cTitle, vbCritical
	WScript.Quit 1
End If
' rootDSE tells us which domain we are in, so nothing is hard-coded
Set oRootDSE = GetObject("LDAP://rootDSE")
sADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = _
	"Select Name, Location, operatingSystemVersion from " & _
		"'" & sADsPath & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 5000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set oRecordSet = oCommand.Execute
Do Until oRecordSet.EOF
	sComputer = UCase(oRecordSet.Fields("Name").Value)
	sIsOnline = Ping(sComputer)
	If IsNull(sIsOnline) Then
		' Name does not resolve: the computer account is still in AD but the host is gone from DNS
		oPCsDontExist.WriteLine sComputer
	ElseIf sIsOnline = 0 Then
		Err.Clear
		Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		If Err.Number = 0 Then oLocalGroup.Add oDomainGroup.ADsPath
		If Err.Number = 0 Then
			oLogFile.WriteLine sComputer
		Else
			' Reachable, but the add failed (access denied, already a member, ...): record why
			oLogFile.WriteLine sComputer & vbTab & "FAILED: " & Err.Description
		End If
	Else
		' 11010 = Request Timed Out; any other non-zero code also means the PC could not be reached
		oPCsNotOnline.WriteLine sComputer & vbTab & sIsOnline
	End If
	' Safety prompt: remove these lines once you have verified the script on a few computers
	sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
	If sRes = vbNo Then
		oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
		Exit Do
	End If
	oRecordSet.MoveNext
Loop
oLogFile.Close
oPCsNotOnline.Close
oPCsDontExist.Close
oWS.Popup "Done. See Results.log, PCsNotOnline.log and PCsDontExist.log next to the script.", , cTitle, vbInformation

' Returns the Win32_PingStatus StatusCode for sComputer: 0 = reachable, Null = host name could not be resolved
Function Ping(sComputer)
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set colPings = objWMIService.ExecQuery _
		("Select * From Win32_PingStatus where Address = '" & sComputer & "'")
	For Each objStatus in colPings
		Ping = objStatus.StatusCode
	Next
'    StatusCode (uint32, read-only) - ping command status codes:
'    Value    Meaning
'    0        Success
'    Null     Could not find host
'    11001    Buffer Too Small
'    11002    Destination Net Unreachable
'    11003    Destination Host Unreachable
'    11004    Destination Protocol Unreachable
'    11005    Destination Port Unreachable
'    11006    No Resources
'    11007    Bad Option
'    11008    Hardware Error
'    11009    Packet Too Big
'    11010    Request Timed Out
'    11011    Bad Request
'    11012    Bad Route
'    11013    TimeToLive Expired Transit
'    11014    TimeToLive Expired Reassembly
'    11015    Parameter Problem
'    11016    Source Quench
'    11017    Option Too Big
'    11018    Bad Destination
'    11032    Negotiating IPSEC
'    11050    General Failure
End Function

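The same enumerate / ping / add / log flow as the accepted VBScript, written in PowerShell as an added example that is not part of the original thread. It assumes PowerShell 2.0 or later on the admin workstation (no ActiveDirectory module is needed, it uses the same rootDSE and WinNT provider calls as the script above), that the caller is already a local Administrator on the targets, and that the $DomainGroup value is a placeholder you replace. Unlike the VBScript it checks whether the group is already a member before calling Add, so a re-run is safe, and it gets its per-computer safety prompt from -Confirm instead of a Popup.

```powershell
# Added example, not code from the original thread: PowerShell version of the
# accepted script. Assumptions: PowerShell 2.0+, caller is a local admin on the
# targets, and $DomainGroup below is a placeholder you must change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DomainGroup = 'Put your Domain Group here',   # placeholder, change me
    [string]$LocalGroup  = 'Administrators'
)

$domain    = $env:USERDOMAIN
$groupPath = "WinNT://$domain/$DomainGroup,group"
$logDir    = Split-Path -Parent $MyInvocation.MyCommand.Definition

# Fail fast on a mistyped group name instead of failing once per computer.
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($groupPath)) {
    throw "Domain group '$domain\$DomainGroup' was not found."
}

# Same idea as the script's rootDSE lookup: find the current domain, then every
# computer object below it (subtree search, paged so large domains work).
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = '(objectCategory=computer)'
$searcher.PageSize   = 1000
$null = $searcher.PropertiesToLoad.Add('name')
$computers = $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }

$results = foreach ($computer in $computers) {
    $name   = $computer.ToUpper()
    $status = ''
    # Same three outcomes the VBScript logs: not in DNS, not online, processed.
    try   { $null = [System.Net.Dns]::GetHostEntry($name) }
    catch { $status = 'NotInDns' }
    if (-not $status -and -not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        $status = 'NotOnline'
    }
    if (-not $status) {
        try {
            $local   = [ADSI]"WinNT://$name/$LocalGroup,group"
            # Members() returns COM objects; read each one's ADsPath through reflection.
            $members = @($local.Invoke('Members')) | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            }
            # Member paths come back without the ',group' suffix; -contains is case-insensitive.
            if ($members -contains "WinNT://$domain/$DomainGroup") {
                $status = 'AlreadyMember'
            } elseif ($PSCmdlet.ShouldProcess($name, "Add $domain\$DomainGroup to $LocalGroup")) {
                $local.Add($groupPath)
                $status = 'Added'
            } else {
                $status = 'Skipped'   # -WhatIf, or the operator answered No at the -Confirm prompt
            }
        } catch {
            $status = "Failed: $($_.Exception.Message)"
        }
    }
    Write-Host "$name`t$status"
    New-Object PSObject -Property @{ Computer = $name; Status = $status }
}

# One CSV instead of three log files; filter on the Status column to get the same three lists.
$results | Select-Object Computer, Status |
    Export-Csv -Path (Join-Path $logDir 'Results.csv') -NoTypeInformation
```

Run it once with -WhatIf to see which computers would be touched without changing anything, then with -Confirm to approve one computer at a time, which is the same "do you want to continue?" safety the expert recommends above; drop both switches only after you have verified a few results by hand. Failures such as "Access is denied" land in the Status column rather than being swallowed, which is the first thing to look at when the change has not applied.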


Expert Comment

ID: 22713702
Hi frevere,

This script that I wrote for you is not using WMI, since I also had some issues with it. Here I'm simply using rootDSE for the domain, ADODB for the connection, and the WinNT provider instead of WMI to add the domain group to the local computer's group.
Adding the actual domain group to the local group is basically three lines, but there is a lot of support code to facilitate processing ALL DOMAIN computers, pinging them, proper information flow and logging.
It's really not that complicated at all once you know exactly what you want. So if you want to change anything and are not sure how, don't hesitate to ask. That's why we are here. :-)

Author Comment

ID: 22713803
Before running this against all computers in the domain, I would like to run this script against a couple of test servers and workstations.  How do I specify a specific machinename or OU?

Author Comment

ID: 22713879
In fact, I should ask is there a way for your script to read a txt file with the test computers listed and then run the process against only those computers?

Expert Comment

ID: 22713956
You can specify a computer name in the following line:

sComputer = oRecordSet.Fields("Name").Value

Instead of oRecordSet.Fields("Name").Value, just put the computer you want to connect to in double quotes, like this:

sComputer = "MyServer01"

The script doesn't require you to specify the OU, since it connects to the ROOT of your domain, which means that it will find all computer objects that are within 2 sub levels of the root.

Author Closing Comment

ID: 31505879
Great script.....thanks.   Added the group with no problems.

Expert Comment

ID: 22714856
No problem, glad to help.

If you still want to read computer names from a text file and then work on only those computers, you can use the following code:

This would be just a basic script to add the domain group to the local group on each of the computers that are in the text file, instead of probing your domain for computer names.

Again, just change sDomainGroup and the path to your txt file that contains the computer names.
Const ForReading = 1
On Error Resume Next   ' keep going when one computer is unreachable; failures are echoed below
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators"
Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")   ' bind the domain group once
Set oTextFile = oFS.OpenTextFile("C:\PathToYourTextFileWithComputerNames.txt", ForReading)
Do While oTextFile.AtEndOfStream <> True
	sComputer = Trim(oTextFile.ReadLine)
	If sComputer <> "" Then
		Err.Clear
		Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		If Err.Number = 0 Then oLocalGroup.Add oDomainGroup.ADsPath   ' the actual add
		If Err.Number <> 0 Then WScript.Echo sComputer & ": FAILED - " & Err.Description
	End If
Loop
oTextFile.Close

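Both scripts only tell you that the Add call did not raise an error; the expert's advice above is to connect to each PC afterwards and confirm the group is really there. The following PowerShell script, added here as an example and not part of the original thread, does that check for the same kind of text file (one computer name per line): it reads the local Administrators membership of every listed computer over the WinNT provider and reports whether the domain group is present. Because it lists every member, it also surfaces local admins you did not expect, which is worth reviewing while you are there. Assumptions: PowerShell 2.0 or later, a caller allowed to read the remote SAM (a local admin on the targets), a placeholder $DomainGroup you replace, and the hypothetical script name Check-LocalAdmins.ps1 used in the usage note.

```powershell
# Added example, not code from the original thread: verify that the domain group
# is actually in the local group on each listed computer, and show the full membership.
# Assumptions: PowerShell 2.0+, caller can read the remote SAM, $DomainGroup is a placeholder.
param(
    [Parameter(Mandatory = $true)][string]$ComputerList,   # text file, one computer name per line
    [string]$DomainGroup = 'Put your Domain Group here',   # placeholder, change me
    [string]$LocalGroup  = 'Administrators'
)

$domain   = $env:USERDOMAIN
$expected = "WinNT://$domain/$DomainGroup"   # how the WinNT provider reports a domain group member

function Get-LocalGroupMemberPath {
    # Returns the ADsPath of every member of a local group on a remote computer.
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    # Members() returns COM objects; pull each one's ADsPath through reflection.
    @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

Get-Content $ComputerList |
    ForEach-Object { $_.Trim() } |
    Where-Object  { $_ } |                      # skip blank lines
    ForEach-Object {
        $name = $_.ToUpper()
        try {
            $members = @(Get-LocalGroupMemberPath -Computer $name -Group $LocalGroup)
            # -eq on strings is case-insensitive in PowerShell, which matches how Windows compares names.
            $present = [bool]($members | Where-Object { $_ -eq $expected })
            New-Object PSObject -Property @{
                Computer = $name
                HasGroup = $present
                Members  = ($members | ForEach-Object { $_ -replace '^WinNT://', '' }) -join ';'
                Error    = ''
            }
        } catch {
            # Unreachable, access denied, or no such group: report it instead of silently skipping.
            New-Object PSObject -Property @{
                Computer = $name; HasGroup = $false; Members = ''; Error = $_.Exception.Message
            }
        }
    } |
    Select-Object Computer, HasGroup, Members, Error |
    Format-Table -AutoSize
```

Usage, assuming the hypothetical file name: .\Check-LocalAdmins.ps1 -ComputerList .\TestComputers.txt -DomainGroup 'YourGroup'. A row with HasGroup False and an empty Error column means the computer was reachable but the add never took effect there, so that is the machine to look at first; anything unexpected in the Members column (old local accounts, groups nobody remembers adding) is the kind of thing you want to find while you are touching every Administrators group in the domain anyway.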

