rpr

Reputation: 121

Script to add AD Group to Local Admin Group on multiple servers

##Roji P Rajan

# Note: errors are suppressed, so a failing find() or Add() produces no message.
$ErrorActionPreference = "silentlycontinue"

$Domain   = Read-Host "`nEnter Domain name to connect"
$UserName = Read-Host "`nEnter AD Group name to add "
$DomName  = $domain + "/" + $username
write-host "`n"

foreach ($server in (gc .\servers.txt)) {
    $i   = 0
    $Boo = 0
    if (Test-Connection $server -Count 1 -Quiet) {

        # Bind to the server's local Administrators group through the WinNT provider
        $computer = [ADSI]("WinNT://" + $server + ",computer")
        $Group    = $computer.psbase.children.find("Administrators")
        $members  = @($group.psbase.Invoke("Members"))

        # Membership check compares the member Name only (the domain part is not checked)
        $Check = ($members | foreach { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }) -contains "$UserName"

        if ($Check -eq $True) {
            write-host "$server`t- Already Member" -foregroundcolor "yellow"
        }
        else {
            $computer = [ADSI]("WinNT://" + $server + ",computer")
            $Group    = $computer.psbase.children.find("Administrators")
            $Group.Add("WinNT://" + $domain + "/" + $username)

            # Re-read the membership as ADsPaths and strip the WinNT:// prefixes.
            # "DOMAIN" is a literal in these patterns; it only matches that exact string.
            $mem = ($Group.psbase.invoke("Members") | % { $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null) }) `
                -replace ('WinNT://DOMAIN/' + $server + '/'), '' -replace ('WinNT://DOMAIN/', 'DOMAIN\') -replace ('WinNT://', '')
            $total = $mem.count

            foreach ($member in $mem) {
                if ("$member" -eq "$Domain/$UserName") {
                    write-host "$server`t- Successfully Updated" -foregroundcolor "green"
                    $Boo = 1
                }
                $i = $i + 1

                if ($total -eq $i -And $Boo -eq 0) {
                    write-host "$server`t- Failed - User not exist or the server is not ready" -foregroundcolor "magenta"
                }
            }
        }
    }
    else {
        write-host "$server `t- Failed to connect the Host Name" -foregroundcolor "Red"
    }
}
write-host "`n"

By using the above PowerShell code I am able to add a specific domain group to the local administrators group on multiple servers. But if I run the script from any one of the servers that is already listed in servers.txt, that specific server fails to update. Can anybody guide me on what I missed? Thanks in advance.

Upvotes: 2

Views: 13344
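Added example, not code from the question or any of the answers: an audit pass over the same servers.txt list, using the same WinNT provider, that parses each member's ADsPath instead of matching on Name alone or on a hard-coded domain string, and reports whether the expected domain group is present along with every other principal in the local Administrators group. The parameter names and the IsLocal heuristic are my assumptions.

```powershell
# Added example, not code from the question or its answers. Audits local Administrators
# on each server in servers.txt and reports whether $Domain\$GroupName is present.
param(
    [Parameter(Mandatory)] [string] $Domain,      # NetBIOS domain name, e.g. CONTOSO
    [Parameter(Mandatory)] [string] $GroupName,   # AD group expected in local Administrators
    [string] $ServerList = '.\servers.txt'        # same input file as the question's script
)

function Get-LocalAdminMembers {
    param([string] $Server)
    $group = [ADSI]"WinNT://$Server/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # ADsPath is typically WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/SERVER/Name or WinNT://SERVER/Name for local accounts.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Authority = $parts[0]
            Name      = $parts[-1]
            Class     = $class
            IsLocal   = ($parts.Count -gt 2) -or ($parts[0] -ieq $Server)   # assumption: heuristic
        }
    }
}

foreach ($server in Get-Content $ServerList) {
    if (-not (Test-Connection $server -Count 1 -Quiet)) {
        Write-Warning "$server - unreachable"
        continue
    }
    try   { $members = @(Get-LocalAdminMembers -Server $server) }
    catch { Write-Warning "$server - $($_.Exception.Message)"; continue }

    $found = $false
    foreach ($m in $members) {
        # Match on authority + name + class, so a local user with the same name
        # or a same-named group from another domain does not count as a hit.
        if ($m.Class -eq 'Group' -and $m.Authority -ieq $Domain -and $m.Name -ieq $GroupName) {
            $found = $true
        } else {
            $scope = if ($m.IsLocal) { 'local' } else { 'domain' }
            Write-Host "$server`t  other member: $($m.Authority)\$($m.Name) ($scope $($m.Class))"
        }
    }
    $state = if ($found) { 'present' } else { 'MISSING' }
    Write-Host "$server`t$Domain\$GroupName is $state"
}
```

Run it before and after the add script to confirm the change landed, and keep the "other member" lines: anything unexpected in local Administrators is what a periodic review should catch.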

Answers (3)

justanothervisitor

Reputation: 11

Here's a link to a simple script that works: https://deepakkhare.azurewebsites.net/powershell-add-remove-multiple-security-groups-on-multiple-windows-servers/

# This script will add multiple groups on multiple servers
# Make sure you have one server in each row in the servers text file
# you must have administrator access on the server

$ServersList = "D:\ServersList.txt"

$ServerNames = get-content $ServersList

$UserGroupFilePath = "D:\SecurityGroup.txt"

$UserGroupList = get-content $UserGroupFilePath

$DomainName = "Enter your domain name here"

foreach ($name in $ServerNames)
    {
        $localAdminGroup = [ADSI]("WinNT://$name/Administrators")

        # Add all the groups in text file to the current server
        foreach ($UserGroupName in $UserGroupList)
            {
                $AdminsG = [ADSI] "WinNT://$DomainName/$UserGroupName"

                $localAdminGroup.Add($AdminsG.PSBase.Path)

                Write-Host "Adding" $AdminsG.PSBase.Path "to" $name
            } # End of User Group Loop
    } # End of Server List Loop

Remove multiple security groups on multiple servers

# This script will delete multiple security groups on multiple servers
# Make sure you have one server in each row in the servers text file
# you must have administrator access on the server
$ServersList = "D:\ServersList.txt"

$ServerNames = get-content $ServersList

$UserGroupFilePath = "D:\SecurityGroup.txt"

$UserGroupList = get-content $UserGroupFilePath

$DomainName = "Enter your domain name here"

foreach ($name in $ServerNames)
    {
        $localAdminGroup = [ADSI]("WinNT://$name/Administrators")

        # Remove all the groups in text file from the current server
        foreach ($UserGroupName in $UserGroupList)
            {
                $AdminsG = [ADSI] "WinNT://$DomainName/$UserGroupName"

                $localAdminGroup.Remove($AdminsG.PSBase.Path)

                Write-Host "Removing" $AdminsG.PSBase.Path "from" $name
            } # End of User Group Loop
    } # End of Server List Loop

Upvotes: 1

FlorH

Reputation: 1

I did a quick test by updating the local admin group of the server I was using. What is the error message? Can you remove the $ErrorActionPreference = "silentlycontinue" to see if an error is generated?

Here is the sample code:

#Set variables
$Domain = "Contoso"
$UserName = "JohnSmith"
$server = $env:COMPUTERNAME

#Get local admin group
$computer = [ADSI]("WinNT://" + $server + ",computer")
$Group = $computer.psbase.children.find("Administrators")
$CurrentMembers = $Group.PSbase.Invoke("Members") | foreach { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }

#Add user to local admin group
$Group.Add("WinNT://" + $domain + "/" + $username)

#verify add
$VerifyComputer = [ADSI]("WinNT://" + $server + ",computer")
$VerifyGroup = $VerifyComputer.psbase.children.find("Administrators")
$VerifyMembers = $VerifyGroup.PSbase.Invoke("Members") | foreach { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }

Upvotes: 0

Jeter-work

Reputation: 801

Create a security group for your server administrators to the local group on all of the servers. E.g. "ServerAdmins@domain".

Use a GPO to Enforce and restrict local administrator group membership.

When it is determined that a certain role (RBA) needs ServerAdmin on all servers (your Windows Server Admins for example), add that group to the ServerAdmins group. E.g. Windows Admin Team. Put your administrators in the admins group.

When it is a smaller subset of servers that an RBA group needs access to, create an ExchangeServerAdmins group and add that to the GPO for those servers. The Exchange admins would be in an Exchange Admin Team group. Exchange Admin Team goes in the ExchangeServerAdmins group.

This way you control what groups have access to the servers by GPO, as chosen by Role Based Access. Control over the membership in the groups is controlled by storing those groups where the appropriate people can edit them. You can also delegate this by making team leads owners of their groups.

This also allows temporary rights. If you bring in a consultant who needs Exchange and Lync access, you add him to those teams. When he leaves you take him out. ONE edit coming, one going, both done at the group membership level, easy.

This also dramatically decreases maintenance when you start talking about Enterprise level administration. If you have 10-20, or even 200 servers, you can script out these changes, but what if you have 1000 or more servers?

Upvotes: 0
