How Can I Add a Domain User to a Local Administrators Group?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I add a domain user to the local Administrators group in a computer?

-- MB


Hey, MB. One reason we started doing this column was because we wanted to know more about what system administrators do (and script) on a regular basis. As it is, sitting here in our luxurious penthouse suites atop the Microsoft campus, we’re not always fully in tune with the way things are done in the real world. For example, in the Script Center we have a sample script that shows you how to add a user to the local Administrators group:

strComputer = "atl-ws-01"
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://" & strComputer & "/kenmyer")
objGroup.Add(objUser.ADsPath)

So what’s wrong with this script? Nothing, except that this might not be the most practical example ever devised. After all, this script shows you how to add another local user to the Administrators group. That’s OK, but what most of you really want to know (as we can tell by the number of emails we’ve received to this effect) is how to add a domain user to the local Administrators group. Message received, loud and clear: Let’s show you how to add a domain user to the local Administrators group.

Incidentally, the script to do this is almost identical to the script for adding a local user to the Administrators group. The only difference, as we’ll see in a moment, occurs in line 3. In the preceding script, we bind to a local user account on a computer using this line of code:

Set objUser = GetObject("WinNT://" & strComputer & "/kenmyer")

We then pass the ADsPath of that user account to the Add method, which adds the user to the group:

objGroup.Add(objUser.ADsPath)
We want to do the same thing with our new script, only we don’t want to bind to a local user account, we want to bind to a domain user account. And so that’s what we’re going to do, substituting in a new line 3:

Set objUser = GetObject("WinNT://fabrikam/kenmyer")

Here we’re using the WinNT provider to bind to the fabrikam domain; more specifically, we’re using the WinNT provider to bind to the kenmyer user account in the fabrikam domain. Ah, we see some of you are upset by this. “Why are they using the WinNT provider?” you’re muttering. “Aren’t they supposed to use the LDAP provider when binding to Active Directory?”

The answer to that question is yes, most of the time. However, suppose we used the LDAP provider to retrieve the ADsPath for kenmyer, using code like this:

Set objUser = GetObject("LDAP://CN=kenmyer,OU=Finance,dc=fabrikam,dc=com")

That looks OK, except we get back an ADsPath that looks like this:

LDAP://CN=kenmyer,OU=Finance,dc=fabrikam,dc=com
That’s OK, too … at least until you try passing that value to the local computer. Remember, the Security Account Manager on the local computer speaks WinNT, it doesn’t speak LDAP. If you try passing an LDAP path to the local computer it just won’t work.

Instead, we need to pass an ADsPath that looks like this:

WinNT://fabrikam/kenmyer
And guess what? If we bind to the fabrikam domain using the WinNT provider, that’s exactly the kind of ADsPath we’ll get back. If you’re working strictly with Active Directory then you should use the LDAP provider. But if you’re going to grab an account out of Active Directory and use that account in a local computer group you’ll have to use the WinNT provider.

We know: all this talk of providers and ADsPaths and what-not is making your head spin. But don’t fret too much about that. Instead, just use this script to add a domain user (a user named kenmyer, in the fabrikam domain) to the local Administrators group on the computer atl-ws-01:

strComputer = "atl-ws-01"
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://fabrikam/kenmyer")
objGroup.Add(objUser.ADsPath)
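The same technique as an added example (not a script from the column): it binds with the WinNT provider exactly as above, but first resolves the local Administrators group by its well-known SID (S-1-5-32-544) through WMI so the script also works where the group name is localized, and it checks membership before calling Add. The computer, domain and user names are placeholders.

```vbscript
' Added example, not from the original column. Adds a domain user to the
' local Administrators group, looking the group up by its well-known SID
' (so non-English Windows works too) and skipping Add if already a member.
Option Explicit

Const ADMIN_SID = "S-1-5-32-544"   ' well-known SID of BUILTIN\Administrators

Dim strComputer, strDomain, strUser
strComputer = "atl-ws-01"          ' placeholder target computer
strDomain   = "fabrikam"           ' placeholder NetBIOS domain name
strUser     = "kenmyer"            ' placeholder domain user

' Resolve the (possibly localized) name of a local group from its SID via WMI.
Function GetLocalGroupNameBySid(computer, sid)
    Dim objWMI, colGroups, objGrp
    Set objWMI = GetObject("winmgmts:\\" & computer & "\root\cimv2")
    Set colGroups = objWMI.ExecQuery( _
        "Select Name From Win32_Group Where LocalAccount = True And SID = '" & sid & "'")
    GetLocalGroupNameBySid = ""
    For Each objGrp In colGroups
        GetLocalGroupNameBySid = objGrp.Name
    Next
End Function

Dim strGroupName, objGroup, objUser
strGroupName = GetLocalGroupNameBySid(strComputer, ADMIN_SID)
If strGroupName = "" Then
    WScript.Echo "Could not resolve the Administrators group on " & strComputer
    WScript.Quit 1
End If

' Same WinNT provider binds as in the column: the local SAM understands the
' domain user's WinNT ADsPath, not an LDAP one.
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroupName & ",group")
Set objUser  = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

If objGroup.IsMember(objUser.ADsPath) Then
    WScript.Echo strDomain & "\" & strUser & " is already a member of " & strGroupName
Else
    objGroup.Add objUser.ADsPath
    WScript.Echo "Added " & strDomain & "\" & strUser & " to " & strGroupName & _
                 " on " & strComputer
End If
```

Run it with cscript.exe under an account that is already an administrator on the target computer; the membership check makes it safe to re-run.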

And keep those cards and letters coming in!

Comments (10)

  1. Frede says:

    Note that using the group name "Administrators" will only work on English Windows. This is a localized group name so it will have different names on systems with different languages. You have to get the well-known SID for the administrators group first and then determine what group name that translates to before you can add users to it. It's stupid to have localized group and user account names if you ask me.

  2. Dan C says:

    But what if I've just joined the domain but am not logged into the domain? Can the WinNT provider pass login credentials?

  3. J Skinner says:

    So I can just put the above code in my logon.cmd logon script and it should work?

    Or do I need it to be in a vbs script or something else?

  4. sherif says:

    Very good, but how do I use this script?

  5. what if we want to add the 'Domain Users' security group to the local admin group.

  6. SamSporty says:

    is there a way to use this script (or some version of it) to add a domain account to the local administrators group on a group of computers?

    Would I have to make an entry for each computer that I need to modify or could I have the script call a list of computer names?

  7. JOSH N says:

    Thank you so much, this was exactly what I needed. I needed to perform some changes on different machines and needed to be logging off and adding myself manually all the time. It is OK for 3 to 5 PCs but not for 100. This script has made my life so much easier and I had to take the time to at least say THANK YOU.

  8. Eloise Brown says:

    I recently created a new facebook group. I am the only administrator at present with the power to approve posts. I want other administrators to have almost the same powers. How do I get them listed as administrators so they can relieve me of some of the duties? e-mail: HELP!
