Script to add local group

I need to add a domain group to the local administrators group of all computers in the domain. I figured I could use the following command:

net localgroup "Administrators" "domain\groupname" /add

But, for some reason I cannot get this to apply to the computers in the domain. Does anyone know a vbs or bat script that will allow me to apply this to all computers in the domain?

Hubasan Commented:
Ok here is the script, but please read this through the end so that you know how to apply it successfully.

Here is how this script works:
1) Script will use ROOTDSE to get your domain name and connect to its Directory
2) Will scan every single computer in your domain, ping it for availability and, if available, add the domain group of your choosing to the Local Admin group of that PC.
3) It will create 3 different log files in the same folder you execute the script from, with the following names:
a) Results.log
b) PCsNotOnline.log
c) PCsDontExist.log

The first log file will contain the computer names of the PCs where the domain group was added to the local admin group.
The second will give you the computer names of PCs that were not ONLINE at the time the script ran.
The third will give you computer names that your DOMAIN still has but are not IN DNS anymore (a very common occurrence in large corporations like my own). This simply means those computers don't exist on your domain anymore.
4) Since you are running this script for the first time in your Domain, I have placed a safety mechanism that will prompt you "Do you want to continue?" after EACH computer that was processed.
You can remove this safety by deleting the following lines:

  sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
  If sRes = vbNo Then
        oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
        WScript.Quit   ' actually stop the script when the user answers No
  End If

I would URGE you to leave it in place, and process one computer at a time for now just to see how it works. Then connect to that PC and make sure that the Domain Group was added to the Local Admin group as was intended, and once you see that a couple of them work fine, you can remove the safety and just run the script without it.

In the script code you HAVE TO change a variable called sDomainGroup to reflect the domain group that you wish to add to the Local Admin group of your PCs.

That's about it.

If you have any questions please feel free to ask.
On Error Resume Next
Const cTitle = "Add Domain group to Local group of All AD Computers"
Const ADS_SCOPE_SUBTREE = 2   ' search the whole domain tree, not only the root object
Set oNet = CreateObject("WScript.Network")
Set oWS = CreateObject("WScript.Shell")
Set oFS = CreateObject("Scripting.FileSystemObject")
sScriptName = WScript.ScriptName
sScriptPath = WScript.ScriptFullName
' The three log files are created in the same folder as the script
sLogFile = Replace(sScriptPath, sScriptName, "Results.log")
sPCsNotOnline = Replace(sScriptPath, sScriptName, "PCsNotOnline.log")
sPCsDontExist = Replace(sScriptPath, sScriptName, "PCsDontExist.log")
Set oLogFile = oFS.CreateTextFile(sLogFile, True)
Set oPCsNotOnline = oFS.CreateTextFile(sPCsNotOnline, True)
Set oPCsDontExist = oFS.CreateTextFile(sPCsDontExist, True)
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators" ' I presume you want to use Local Admin group, if not change this as well.
' Use rootDSE to find the domain naming context, then query every computer object in it
Set oRootDSE = GetObject("LDAP://rootDSE")
sADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oDomain = GetObject(sADsPath)
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
        "'" & sADsPath & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 5000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set oRecordSet = oCommand.Execute
Do Until oRecordSet.EOF
    sComputer = UCase(oRecordSet.Fields("Name").Value)
    sIsOnline = Ping(sComputer)
    If IsNull(sIsOnline) Then
        oPCsDontExist.WriteLine sComputer      ' name could not be resolved (not in DNS)
    ElseIf sIsOnline = 11010 Then
        oPCsNotOnline.WriteLine sComputer      ' ping request timed out
    ElseIf sIsOnline = 0 Then
        ' The actual work: bind both groups through the WinNT provider and add one to the other
        Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
        Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
        oLocalGroup.Add oDomainGroup.ADsPath
        oLogFile.WriteLine sComputer
    End If
    ' Safety prompt: delete these lines once you have seen the script work as intended
    sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
    If sRes = vbNo Then
        oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
        WScript.Quit
    End If
    oRecordSet.MoveNext
Loop
oLogFile.Close
oPCsNotOnline.Close
oPCsDontExist.Close

Function Ping(sComputer)
    ' Ping through WMI (Win32_PingStatus) so no external command output has to be parsed
    Ping = Null   ' treated as "could not find host" if the query returns no row
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colPings = objWMIService.ExecQuery _
        ("Select * From Win32_PingStatus where Address = '" & sComputer & "'")
    For Each objStatus in colPings
        Ping = objStatus.StatusCode
    Next
'    Win32_PingStatus.StatusCode
'    Data type: uint32
'    Access type: Read-only
'    Ping command status codes.
'    Value    Meaning
'    0        Success
'    Null     Could not find host
'    11001    Buffer Too Small
'    11002    Destination Net Unreachable
'    11003    Destination Host Unreachable
'    11004    Destination Protocol Unreachable
'    11005    Destination Port Unreachable
'    11006    No Resources
'    11007    Bad Option
'    11008    Hardware Error
'    11009    Packet Too Big
'    11010    Request Timed Out
'    11011    Bad Request
'    11012    Bad Route
'    11013    TimeToLive Expired Transit
'    11014    TimeToLive Expired Reassembly
'    11015    Parameter Problem
'    11016    Source Quench
'    11017    Option Too Big
'    11018    Bad Destination
'    11032    Negotiating IPSEC
'    11050    General Failure
End Function

In order for me to help you do this right, as I already have a VBScript written for this, I need you to tell me a couple of things so that we do this the safe way.

1) Are you going to add this domain group to the local admin group of ALL domain computers, including the servers? Or are you going to add this Domain Group to the local administrators group of Workstations ONLY?
2) If question number 1 is workstations only, then what OS are those workstations running and what service pack?
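A membership check to go with the script above, written here as an added example rather than code from Hubasan's post: it tests whether the domain group is already in the local group before calling Add (a second run would otherwise raise an error on every computer) and can be reused as the "connect to that PC and make sure" verification step. It assumes the WinNT provider reports a domain group member with an ADsPath of the form WinNT://DOMAIN/GroupName; the computer, domain and group names in the usage line are placeholders.

```vbscript
' Added example (not Hubasan's code): check membership before adding, so the
' run is idempotent and the same check can audit what was changed afterwards.
' Assumes the WinNT ADsPath of a domain group member has the form
' WinNT://DOMAIN/GroupName, as returned by the WinNT provider.
Option Explicit

' True if sDomainGroup (from sDomain) is already a member of sLocalGroup on sComputer.
' Compared by ADsPath rather than by Name, so a local account that happens to
' share the group's name is not mistaken for the domain group.
Function IsGroupMember(sComputer, sLocalGroup, sDomain, sDomainGroup)
    Dim oLocalGroup, oMember, sWanted
    IsGroupMember = False
    sWanted = UCase("WinNT://" & sDomain & "/" & sDomainGroup)
    On Error Resume Next
    Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
    If Err.Number <> 0 Then Exit Function   ' computer unreachable or group missing
    For Each oMember In oLocalGroup.Members
        If UCase(oMember.ADsPath) = sWanted Then
            IsGroupMember = True
            Exit Function
        End If
    Next
End Function

' Adds the domain group only when it is not already present.
' Returns "added", "already-member" or "error: <description>" for the log.
Function EnsureGroupMember(sComputer, sLocalGroup, sDomain, sDomainGroup)
    Dim oLocalGroup, oDomainGroup
    If IsGroupMember(sComputer, sLocalGroup, sDomain, sDomainGroup) Then
        EnsureGroupMember = "already-member"
        Exit Function
    End If
    On Error Resume Next
    Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
    Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
    oLocalGroup.Add oDomainGroup.ADsPath
    If Err.Number <> 0 Then
        EnsureGroupMember = "error: " & Err.Description
        Err.Clear
    Else
        EnsureGroupMember = "added"
    End If
End Function

' Constructed usage: the computer, domain and group names are placeholders.
WScript.Echo EnsureGroupMember("TESTPC01", "Administrators", "MYDOMAIN", "Workstation Admins")
```

Writing the returned string to Results.log instead of just the computer name gives a per-computer record of what the run actually changed.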

frevere (Author) Commented:
Thanks Hubasan. To answer your questions: 1) I will be adding this domain group to ALL computers in the domain. At this point a check of the OS is really not needed, but we are running Server 2003 SP2 and all workstations are XP SP2.
frevere (Author) Commented:
What is odd, and maybe you can help, is that I researched this issue and have been trying to use WMI to make the changes, but I get a ReturnValue=9, and I do not know what object is invalid.

Hubasan Commented:
Hi frevere,

This script that I wrote for you is not using WMI since I also had some issues with it. Here I'm simply using ROOTDSE for the domain, ADODB for the connection, and the WinNT provider instead of WMI to add the Domain Group to the local computer's group.
Adding the actual Domain Group to the Local Group is basically three lines, but there is a lot of support code to facilitate processing ALL DOMAIN computers, pinging them, proper information flow and logging.
It's really not that complicated at all once you know exactly what you want. So if you want to change anything and are not sure how, don't hesitate to ask. That's why we are here. :-)
frevere (Author) Commented:
Before running this against all computers in the domain, I would like to run this script against a couple of test servers and workstations. How do I specify a specific machine name or OU?
frevere (Author) Commented:
In fact, I should ask is there a way for your script to read a txt file with the test computers listed and then run the process against only those computers?
Hubasan Commented:
You can specify a computer name in the following line:

sComputer = oRecordSet.Fields("Name").Value

Instead of oRecordSet.Fields("Name").Value, just put the computer you want to connect to in double quotes, like this:

sComputer = "MyServer01"

The script doesn't require you to specify the OU since it connects to the ROOT of your domain, which means that it will find all computer objects that are within 2 sub levels of the root.
frevere (Author) Commented:
Great script... thanks. Added the group with no problems.
Hubasan Commented:
No problem, glad to help.

If you still want to read computer names from a text file and then work on only those computers, you can use the following code:

This would be just a basic script to add the Domain Group to the Local group on each of the computers that are in the text file, instead of probing your Domain for computer names.

Again, just change sDomainGroup and the path to your txt file that contains the computer names.
Const ForReading = 1
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators"
Set oTextFile = oFS.OpenTextFile("C:\PathToYourTextFileWithComputerNames.txt", ForReading)
On Error Resume Next   ' after the file is open, so a wrong path still fails loudly
Do While oTextFile.AtEndOfStream <> True
    sComputer = Trim(oTextFile.ReadLine)
    If sComputer <> "" Then   ' skip blank lines in the list
        Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
        Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
        oLocalGroup.Add oDomainGroup.ADsPath
        If Err.Number <> 0 Then
            WScript.Echo sComputer & ": " & Err.Description   ' offline, access denied, already a member, ...
            Err.Clear
        Else
            WScript.Echo sComputer & ": group added"
        End If
    End If
Loop
oTextFile.Close
