Using the WinNT Provider: Add/Remove a Local Admin


ADSI (Active Directory Service Interfaces) has several providers. The most popular one is LDAP. However, the LDAP provider cannot work with objects that are local to a computer. For this purpose you can use the WinNT provider. The PowerShell command can look like this:

$AdminGroupName = [adsi]"WinNT://ComputerName/Administrators, Group"

This command retrieves an object containing the local administrators group. The script below uses the WinNT provider to add an AD object to the local administrators group.

Replacing $Group.Add($ADSILine) > $Null with $Group.Remove($ADSILine) > $Null allows you to remove the AD object from the group.

############################################################
#####  Adding a user/computer/group into
#####  local Administrators group
############################################################
#####  Andrew Karmadanov, March 17, 2009
############################################################
FUNCTION ListAdminGroupMembers
{
    # Uses $ComputerName and $InfoMessage, which are set in the main section
    Write-Host
    Write-Host ("Current members of Administrators group on " + $ComputerName) -foregroundColor $InfoMessage
    $AdminGroupName = 'WinNT://' + $ComputerName + '/Administrators, Group'
    $AdminGroup = [adsi]$AdminGroupName
    ForEach ($Member in $AdminGroup.Members())
    {
        # Members are COM objects, so the AdsPath property is read via InvokeMember
        $AdminName = $Member.GetType().InvokeMember("AdsPath","GetProperty",$null,$Member,$null)
        # Keep the last two path segments and join them with "\" ([char]92)
        $AdminName = [string]::Join([char]92,$AdminName.Split("/")[-2..-1])
        Write-Host $AdminName
    }
}

############################################################
FUNCTION ObjectClassSearch($ObjectName)
{
    # Search the current domain for an object with this SAMAccountName or Name
    $Root = [adsi]""
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher($Root)
    # $ObjectName goes into the filter as typed; LDAP special characters
    # such as * ( ) \ are not escaped here
    $Filter = "(|(SAMAccountName=" + $ObjectName + ")(Name=" + $ObjectName + "))"
    $Searcher.Filter = $Filter
    $SearchResult = $Searcher.FindAll()

    # Return the first objectClass value that is group, user or computer
    ForEach ($Object in $SearchResult)
    {
        ForEach ($Class in $Object.Properties.objectclass)
        {
            if (($Class -eq "group") -or ($Class -eq "user") -or ($Class -eq "computer"))
            {return $Class}
        }
    }
    return $Null
}

############################################################
####    MAIN LOOP
############################################################

$InfoMessage = "DarkBlue"
$ErrorMessage = "DarkRed"

Write-Host
Write-Host "This script will add a domain user/computer/group" -foregroundColor $InfoMessage
Write-Host " to a local admin group on a specified computer" -foregroundColor $InfoMessage
Write-Host

# Ask for the target computer and check that it answers a ping
$ComputerName = (Read-Host "Enter a computer name").ToUpper()
Write-Host "Checking the computer..." -noNewLine
$Filter = "Address=" + [char]34 + $ComputerName + [char]34
$PingStatus = Get-WMIObject Win32_PingStatus -Filter $Filter
if (($PingStatus -eq $Null) -or ($PingStatus.StatusCode -ne 0))
{
    Write-Host ($ComputerName + " is not pingable") -foregroundColor $ErrorMessage
    return
}
Write-Host "OK"
Write-Host

# The domain of the computer running the script is used for the lookup
$CurrentComputer = Get-WMIObject Win32_ComputerSystem
$DomainName = $CurrentComputer.Domain
Write-Host "Enter a user/computer/group name only. "
$ObjectName = (Read-Host ("Domain name (" + $DomainName + ") will be added automatically")).ToUpper()
$ObjectClassName = ObjectClassSearch $ObjectName
if ($ObjectClassName -eq $Null)
{
    Write-Host ($ObjectName + " has not been found in " + $DomainName + " domain") -foregroundColor $ErrorMessage
    return
}

# Bind to the local Administrators group on the target computer
$ADSILine = "WinNT://" + $ComputerName + "/Administrators, group"
$Group = [adsi]$ADSILine

Write-Host
Write-Host $ObjectName.ToUpper() -foregroundColor $InfoMessage -noNewLine
Write-Host " will be added to " -noNewLine
Write-Host "Administrators" -foregroundColor $InfoMessage -noNewLine
Write-Host " group on " -noNewLine
Write-Host $ComputerName -foregroundColor $InfoMessage
$Answer = Read-Host (" Please confirm (Y/N)?")
if (($Answer -eq "") -or ($Answer.ToUpper().Substring(0,1) -ne "Y"))
{return}

# WinNT path of the domain object, with its class as a hint, e.g. "WinNT://DOMAIN/NAME, user"
$ADSILine = "WinNT://" + $DomainName + "/" + $ObjectName + ", " + $ObjectClassName
$Group.Add($ADSILine) > $Null
ListAdminGroupMembers
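
ListAdminGroupMembers keeps the last two segments of each AdsPath, which leaves an empty prefix when the path has a single segment, as happens for a member that no longer resolves and is returned as a bare SID. The following is an added example, not part of the original script: it parses the paths the same way and flags unresolved SIDs and members missing from an allowlist; the function names, the allowlist and the sample paths are constructed for illustration.

```powershell
# Added example, not from the original script. Function names, the allowlist
# and the sample AdsPath values are constructed for illustration.
function ConvertFrom-WinNTPath {
    param([Parameter(Mandatory)][string]$AdsPath)
    # Strip the provider prefix and split the rest into path segments
    $parts = ($AdsPath -replace '^WinNT://', '').Split('/')
    if ($parts.Count -eq 1) {
        # A single segment has no domain or computer part; a bare SID here
        # means the account behind the membership could not be resolved
        $kind = if ($parts[0] -match '^S-1-\d+(-\d+)+$') { 'UnresolvedSid' } else { 'Unqualified' }
        return [pscustomobject]@{ Account = $parts[0]; Kind = $kind }
    }
    # Same rule as the script above: last two segments, joined with "\"
    [pscustomobject]@{ Account = $parts[-2] + '\' + $parts[-1]; Kind = 'Account' }
}

function Get-LocalAdminPath {
    # Live enumeration, using the same WinNT calls as ListAdminGroupMembers
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [adsi]("WinNT://$ComputerName/Administrators,group")
    foreach ($member in $group.Members()) {
        $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-LocalAdminMember {
    param([string[]]$AdsPath, [string[]]$Allowed)
    foreach ($path in $AdsPath) {
        $m = ConvertFrom-WinNTPath -AdsPath $path
        if ($m.Kind -eq 'UnresolvedSid') {
            $status = 'ORPHANED'
        } elseif ($Allowed -contains $m.Account) {   # -contains ignores case
            $status = 'expected'
        } else {
            $status = 'UNEXPECTED'
        }
        [pscustomobject]@{ Account = $m.Account; Status = $status }
    }
}

# Constructed sample paths: domain group, local account, domain user, orphaned SID
$sample = @(
    'WinNT://CONTOSO/Domain Admins',
    'WinNT://CONTOSO/PC01/Administrator',
    'WinNT://CONTOSO/jdoe',
    'WinNT://S-1-5-21-1111111111-2222222222-3333333333-1105'
)
$allowed = @('CONTOSO\Domain Admins', 'PC01\Administrator')
Test-LocalAdminMember -AdsPath $sample -Allowed $allowed | Format-Table -AutoSize
```

To check a real machine, pass the output of Get-LocalAdminPath for that computer as -AdsPath in place of $sample.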
