Script to add local group

Posted on 2008-10-14
Last Modified: 2010-04-21
I need to add a domain group to the local administrators group of all computers in the domain. I figured I could use the following command:

net localgroup "Administrators" "domain\groupname" /add

But, for some reason I cannot get this to apply to the computers in the domain. Does anyone know a vbs or bat script that will allow me to apply this to all computers in the domain?
Question by:frevere

Expert Comment

ID: 22713004
In order for me to help you do this right, as I already have VBScript written for this, I need you to tell me a couple of things so that we do this the safe way.

1) Are you going to add this domain group to the local admin group of ALL domain computers, including the servers? Or are you going to add this Domain Group to the local administrators group of Workstations ONLY?
2) If question number 1 is workstations only, then what OS are those workstations running and what service pack?


Author Comment

ID: 22713186
Thanks Hubasan.  To answer your questions:  1) I will be adding this domain group to ALL computers in the domain.  At this point a check of the OS is really not needed but we are running Server 2003 SP2 and all workstations are XP SP2.

Author Comment

ID: 22713267
What is odd and maybe you can help is that I researched this issue and have been trying to use WMI to make the changes but I get a ReturnValue=9, and I do not know what object is invalid.

Accepted Solution

Hubasan earned 125 total points
ID: 22713549
OK, here is the script, but please read this through to the end so that you know how to apply it successfully.

Here is how this script works:
1) The script will use ROOTDSE to get your domain name and connect to its Directory.
2) It will scan every single computer in your domain, ping it for availability and, if available, add the domain group of your choosing to the Local Admin group of that PC.
3) It will create 3 different log files in the same folder you execute the script from, with the following names:
a) Results.log
b) PCsNotOnline.log
c) PCsDontExist.log

The first log file will contain the computer names of the PCs where the domain group was added to the local admin group.
The second will give you the computer names of PCs that were not ONLINE at the time the script ran.
The third will give you computer names that your DOMAIN still has but that are not IN DNS anymore (a very common occurrence in large corporations like my own). This simply means those computers don't exist on your domain anymore.
4) Since you are running this script for the first time in your Domain, I have placed a safety mechanism that will prompt you "Do you want to continue?" after EACH computer that was processed.
You can remove this safety by deleting the following lines:

  sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
  If sRes = vbNo Then
        oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
        WScript.Quit
  End If

I would URGE you to leave it in place, and process one computer at a time for now just to see how it works, and then connect to that PC and make sure that the Domain Group was added to the Local Admin group as was intended. Then, when you see that a couple of them work fine, you can remove the safety and just run the script without it.

In the script code you HAVE TO change a variable called sDomainGroup to reflect the domain group that you wish to add to the Local Admin group of your PCs.

That's about it.

If you have any questions please feel free to ask.

On Error Resume Next

Const cTitle = "Add Domain group to Local group of All AD Computers"
Const ADS_SCOPE_SUBTREE = 2 ' ADSI search scope: the whole subtree under the search base

Set oNet = CreateObject("WScript.Network") ' provides UserDomain
Set oWS = CreateObject("WScript.Shell")    ' provides Popup
Set oFS = CreateObject("Scripting.FileSystemObject")

' The three log files are created next to the script file
sScriptName = WScript.ScriptName
sScriptPath = WScript.ScriptFullName
sLog = Replace(sScriptName, ".vbs", ".log")
sLogFile = Replace(sScriptPath, sScriptName, "Results.log")
sPCsNotOnline = Replace(sScriptPath, sScriptName, "PCsNotOnline.log")
sPCsDontExist = Replace(sScriptPath, sScriptName, "PCsDontExist.log")
Set oLogFile = oFS.CreateTextFile(sLogFile, True)
Set oPCsNotOnline = oFS.CreateTextFile(sPCsNotOnline, True)
Set oPCsDontExist = oFS.CreateTextFile(sPCsDontExist, True)

sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators" ' I presume you want to use Local Admin group, if not change this as well.

' Bind to the root of the current domain
Set oRootDSE = GetObject("LDAP://rootDSE")
sADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oDomain = GetObject(sADsPath)

' Query Active Directory for every computer object
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
        "'" & sADsPath & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 5000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set oRecordSet = oCommand.Execute

Do Until oRecordSet.EOF
	sComputer = oRecordSet.Fields("Name").Value
	sComputer = UCase(sComputer)
	sIsOnline = Ping(sComputer)
	If IsNull(sIsOnline) Then
		' Name did not resolve: still in AD but no longer in DNS
		oPCsDontExist.WriteLine sComputer
	ElseIf sIsOnline = 11010 Then
		' Request timed out: computer is not online
		oPCsNotOnline.WriteLine sComputer
	ElseIf sIsOnline = 0 Then
		Err.Clear
		Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
		Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		oLocalGroup.Add oDomainGroup.ADsPath
		' On Error Resume Next hides failures, so log only when the add raised no error
		If Err.Number = 0 Then oLogFile.WriteLine sComputer
	End If

	' Safety prompt after each computer
	sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
	If sRes = vbNo Then
		oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
		WScript.Quit
	End If

	oRecordSet.MoveNext
Loop

oLogFile.Close
oPCsNotOnline.Close
oPCsDontExist.Close

Function Ping(sComputer)
	' Win32_PingStatus runs in the local root\cimv2 namespace and pings sComputer from this machine
	Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
	Set colPings = objWMIService.ExecQuery _
	    ("Select * From Win32_PingStatus where Address = '" & sComputer & "'")
	For Each objStatus in colPings
		Ping = objStatus.StatusCode
	Next

'    StatusCode
'    Data type: uint32
'    Access type: Read-only
'    Ping command status codes.
'    Value    Meaning
'    0        Success
'    Null     Could not find host
'    11001    Buffer Too Small
'    11002    Destination Net Unreachable
'    11003    Destination Host Unreachable
'    11004    Destination Protocol Unreachable
'    11005    Destination Port Unreachable
'    11006    No Resources
'    11007    Bad Option
'    11008    Hardware Error
'    11009    Packet Too Big
'    11010    Request Timed Out
'    11011    Bad Request
'    11012    Bad Route
'    11013    TimeToLive Expired Transit
'    11014    TimeToLive Expired Reassembly
'    11015    Parameter Problem
'    11016    Source Quench
'    11017    Option Too Big
'    11018    Bad Destination
'    11032    Negotiating IPSEC
'    11050    General Failure
End Function



Expert Comment

ID: 22713702
Hi frevere,

This script that I wrote for you is not using WMI since I also had some issues with it. Here I'm simply using ROOTDSE for domain, ADODB for connection, and WinNT provider instead of WMI to add Domain Group to Local computer's group.
Adding of the actual Domain Group to Local Group is basically three lines, but there is a lot of support code to facilitate processing ALL DOMAIN computers, pinging them, proper information flow and logging.
It's really not that complicated at all once you know exactly what you want. So if you want to change anything and are not sure how, don't hesitate to ask. That's why we are here. :-)

Author Comment

ID: 22713803
Before running this against all computers in the domain, I would like to run this script against a couple of test servers and workstations.  How do I specify a specific machinename or OU?

Author Comment

ID: 22713879
In fact, I should ask is there a way for your script to read a txt file with the test computers listed and then run the process against only those computers?

Expert Comment

ID: 22713956
You can specify a computer name in the following line:

sComputer = oRecordSet.Fields("Name").Value

Instead of oRecordSet.Fields("Name").Value, just put under double quotes the computer you want to connect to, like this:

sComputer = "MyServer01"

The script doesn't require you to specify the OU since it connects to the ROOT of your domain, which means that it will find all computer objects that are within 2 sub levels of the root.

Author Closing Comment

ID: 31505879
Great script.....thanks.   Added the group with no problems.

Expert Comment

ID: 22714856
No problem, glad to help.

If you still want to read computer names from the Text file and then work on only those computers, you can use the following code:

This would be just a basic script to add the Domain Group to the Local group on each of the computers that are in the text file, instead of probing your Domain for computer names.

Just again change sDomainGroup and the path to your txt file that contains the computer names.

Const ForReading = 1

Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network") ' provides UserDomain

sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators"

' One computer name per line
Set oTextFile = oFS.OpenTextFile("C:\PathToYourTextFileWithComputerNames.txt", ForReading)

Do While oTextFile.AtEndOfStream <> True
	sComputer = oTextFile.ReadLine

	Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
	Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
	' Add the domain group to the local group on this computer
	oLocalGroup.Add oDomainGroup.ADsPath
Loop

oTextFile.Close
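
The accepted answer recommends connecting to each PC to confirm the domain group really landed in the local group. The following read-only audit does that check over the same text file of computer names; it is an added example, not part of the original thread, and the report name AdminGroupAudit.log and the function AuditComputer are hypothetical names chosen here.

```vbscript
' Added example: read-only audit, makes no changes to any computer.
Option Explicit
Const ForReading = 1

' Assumed placeholders: replace with your own values.
Const sDomainGroup = "Put your Domain Group here"
Const sLocalGroup = "Administrators"
Const sListFile = "C:\PathToYourTextFileWithComputerNames.txt"

Dim oFS, oNet, oList, oReport, sDomain, sTarget, sComputer
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")
sDomain = oNet.UserDomain
' ADsPath the WinNT provider reports for the domain group
sTarget = "WinNT://" & sDomain & "/" & sDomainGroup

Set oList = oFS.OpenTextFile(sListFile, ForReading)
Set oReport = oFS.CreateTextFile("AdminGroupAudit.log", True) ' hypothetical report name

Do Until oList.AtEndOfStream
    sComputer = UCase(Trim(oList.ReadLine))
    If sComputer <> "" Then oReport.WriteLine AuditComputer(sComputer)
Loop
oList.Close
oReport.Close

' Returns one tab-separated report line: name, PRESENT/MISSING/ERROR, full member list
Function AuditComputer(sName)
    Dim oGroup, oMember, sMembers, bFound
    bFound = False
    On Error Resume Next    ' scoped to this function; every failure is reported below
    Set oGroup = GetObject("WinNT://" & sName & "/" & sLocalGroup & ",group")
    If Err.Number <> 0 Then
        AuditComputer = sName & vbTab & "ERROR 0x" & Hex(Err.Number) & " binding to group"
        Exit Function
    End If
    For Each oMember In oGroup.Members
        sMembers = sMembers & oMember.ADsPath & "; "
        If LCase(oMember.ADsPath) = LCase(sTarget) Then bFound = True
    Next
    If Err.Number <> 0 Then
        AuditComputer = sName & vbTab & "ERROR 0x" & Hex(Err.Number) & " listing members"
    ElseIf bFound Then
        AuditComputer = sName & vbTab & "PRESENT" & vbTab & sMembers
    Else
        AuditComputer = sName & vbTab & "MISSING" & vbTab & sMembers
    End If
End Function
```

Because each line lists every member of the local group, the report also shows which other accounts already hold local administrator rights on that computer.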




