Adding Local Users to Local Groups


Summary: Learn how to use Windows PowerShell to add local users to local groups.

Microsoft Scripting Guy, Ed Wilson, is here. Creating local user objects and local group objects is fine, but to be useful, I need to be able to add users to groups. When working with local accounts, I need to use the ADSI type accelerator to facilitate the way things work.

   Note  This is the third in a series of three posts. If you haven't read them already, you might benefit from reading the first two posts before you read this:

Today I add the users to the group.

Connect to the actual group

Adding a user to a group is a bit different than creating a local user or a local group. When I add a user to a group, I need to connect to the group itself. I still need to open the Windows PowerShell console or ISE with Admin rights, but this time the connection is a bit more complicated. I still use the [ADSI] type accelerator, I still use WinNT as my provider, and I still specify the name of the computer. But I also must specify the name of the group and provide a hint that I am connecting to a group. Here is the command:

$group = [ADSI]"WinNT://edlt/mygroup,group"

If the group does not exist, the connection will not fail. In fact, it will actually appear to succeed. The error message will only appear when I try to use the object that I stored in the $group variable. This is shown here:

Image of error message

When I have a connection to an existing group, I call the Add method to add my local user object. The Add method accepts what is called an ADsPath—that is the complete path to the user object, including the WinNT provider. Here is an example of the ADsPath to the mred user that I created the other day:

"WinNT://edlt/mred,user"

The path has four parts. The first three (WinNT, the computer name, and the user account name) are required. The fourth part, user, is a hint that is not really required, but it makes things go a bit faster because it tells the provider the type of object I am looking for. Here is the complete Add command:

$group.Add("WinNT://edlt/mred,user")

That is it. Two lines for the complete script:

$group = [ADSI]"WinNT://edlt/mygroup,group"

$group.Add("WinNT://edlt/mred,user")

I open the group in the computer management console, and sure enough, the user is now a member of the group.

Image of menu
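
The following is an added example, not code from the original post. It wraps the two-line script so that a missing group or user is reported before the lazily bound [ADSI] object is used, an account that is already a member is skipped, and the computer name comes from $env:COMPUTERNAME instead of being hard-coded. The function name Add-LocalGroupMemberSafe is hypothetical; mred and mygroup are the names used in this post.

```powershell
# Added example: Add-LocalGroupMemberSafe is a hypothetical helper, not part of the post.
# Run from an elevated Windows PowerShell console, as the post requires.
function Add-LocalGroupMemberSafe {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $GroupName,
        # Use the real computer name (not '.'); it is matched against member paths below.
        [string] $ComputerName = $env:COMPUTERNAME
    )

    $groupPath = "WinNT://$ComputerName/$GroupName,group"
    $userPath  = "WinNT://$ComputerName/$UserName,user"

    # [ADSI]"..." appears to succeed even for a missing object, so test both paths first.
    # Exists() can throw instead of returning $false, so an exception counts as "not found".
    foreach ($path in $groupPath, $userPath) {
        $exists = $false
        try { $exists = [ADSI]::Exists($path) } catch { $exists = $false }
        if (-not $exists) { throw "Not found: $path" }
    }

    $group = [ADSI]$groupPath

    # List current members by ADsPath; local accounts end in /<computer>/<user>.
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    if ($members -like "*/$ComputerName/$UserName") {
        Write-Verbose "$UserName is already a member of $GroupName"
        return $false
    }

    $group.Add($userPath)
    Write-Verbose "Added $UserName to $GroupName on $ComputerName"
    return $true
}

# Built-in group names are localized, so resolve Administrators from its
# well-known SID (S-1-5-32-544) rather than typing the English name.
$sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminGroupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
Write-Output "Local administrators group on this system: $adminGroupName"

# Usage with the names from this post.
Add-LocalGroupMemberSafe -UserName 'mred' -GroupName 'mygroup' -Verbose
```

The function returns $true only when it changed the group's membership, which makes it easy to log actual changes to local groups.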

That is all there is to using Windows PowerShell to add local users to local groups. Join me tomorrow when I will talk about how to make Windows PowerShell Help always display examples.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (3)

  1. Idan says:

    Is there a way to add a user using powershell, but not to add it to the users group?

  2. Slawek says:

    It also doesn’t work!!!!! Did you test it????????

    $group = [ADSI]"WinNT://edlt/Administratorzy,group"

    $group.Add("WinNT://edlt/Slawomir,user")
    The following exception occurred while retrieving member "Add": "Nie można odnaleźć ścieżki sieciowej.
    "
    At line:3 char:1
    + $group.Add("WinNT://edlt/Slawomir,user")
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: (:) [], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember

    1. CodeKiller says:

      It’s working.

      YOU MUST CHANGE THE VAR NAME !

      “There are four parts: WinNT, the computer name, the user account name are required. The fourth part, user, is a hint that is not really required,”

      Example :

      $group = [ADSI]"WinNT://$env:computername/Administrateurs,group"
      $group.Add("WinNT://$env:computername/Milamber,user")

      No error (it’s a FR Windows 10 so group name is not Administrators).
