Reputation: 140
I am looking for a clean and simple solution (One-Liner?) to add the well-known domain-group Domain Users
to a local group like "Direct Access Users".
I used the following code to add the "Authenticated Users" (= Well-known-SID S-1-5-11) to the local group:
Add-LocalGroupMember -Group "Direct Access Users" -Member S-1-5-11 -Verbose
This works fine because the SID is static, but the SID for "Domain Users" looks like this: S-1-5-21-<Domain>-513,
and I want to get the domain SID dynamically too.
Thank you
Upvotes: 0
Views: 501
Reputation: 174505
Grab the domain SID from the dNC root:
# Bind to RootDSE and read the domain's default naming context (e.g. DC=corp,DC=example)
$RootDSE = [adsi]"LDAP://RootDSE"
$dNC = [adsi]"LDAP://$($RootDSE.defaultNamingContext)"
# The domain object's objectSid (a byte array) is the domain SID itself
$domainSID = [System.Security.Principal.SecurityIdentifier]::new($dNC.Properties['objectSID'].Value, 0)
# Domain Users is a domain-relative well-known SID (RID 513), built from the domain SID
$domainUsers = [System.Security.Principal.SecurityIdentifier]::new('AccountDomainUsersSid', $domainSID)
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsers.Value
Upvotes: 1
Reputation: 28789
I don't see any short way of doing this -- as in, something that will fit in one line "naturally" (you can always just smoosh it together if you really want to, of course). The difficult part seems to be getting the domain SID; once you have that, constructing the well-known SID of the Domain Users group is simple enough. The below uses the computer account to do that; the code could be abbreviated if you were allowed to assume a domain user is running this.
# Build DOMAIN\COMPUTERNAME$ for the machine's own domain account
$qualifiedComputerName = [DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name + "\" + [Environment]::MachineName + "$"
$computerAccount = [Security.Principal.NTAccount]::new($qualifiedComputerName)
# Translate the account to its SID and keep only the domain part (S-1-5-21-...)
$domainSid = $computerAccount.Translate([Security.Principal.SecurityIdentifier]).AccountDomainSid
# Domain Users = domain SID + RID 513, expressed through the WellKnownSidType enum
$domainUsersSid = [Security.Principal.SecurityIdentifier]::new("AccountDomainUsersSid", $domainSid).Value
Add-LocalGroupMember -Group "Direct Access Users" -Member $domainUsersSid -Verbose
Upvotes: 1
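Both answers above derive the domain SID (one from the RootDSE naming context, one from the computer account) and then build the Domain Users SID with the WellKnownSidType enum. The following is an added example, my own code rather than either answer's, that wraps the computer-account approach in a reusable function, checks that the resulting SID actually resolves back to a name, and only adds it when the group does not already contain it, with -WhatIf support so the change can be previewed. The function name, its parameters and the membership check are my assumptions; WellKnownSidType, NTAccount.Translate and the LocalAccounts cmdlets are the real APIs already used in the answers.

```powershell
# Added example (not from the question or either answer): resolve a domain-relative
# well-known SID (Domain Users, RID 513, by default) and add it to a local group
# only if it is not already a member. Function and parameter names are my own.
function Add-DomainWellKnownSidToLocalGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [string] $Group,

        # Any domain-relative member of System.Security.Principal.WellKnownSidType,
        # e.g. AccountDomainUsersSid (RID 513) or AccountDomainAdminsSid (RID 512).
        [System.Security.Principal.WellKnownSidType] $WellKnownSidType = 'AccountDomainUsersSid'
    )

    # Derive the domain SID from the computer account, so this works whether the
    # caller is a domain user or a local account (same idea as the second answer).
    $domainName      = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    $computerAccount = [System.Security.Principal.NTAccount]::new("$domainName\$([Environment]::MachineName)$")
    $domainSid       = $computerAccount.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid

    # Combine the domain SID with the well-known RID (e.g. S-1-5-21-...-513).
    $targetSid = [System.Security.Principal.SecurityIdentifier]::new($WellKnownSidType, $domainSid)

    # Sanity check: the SID must translate back to DOMAIN\Name; if the domain lookup
    # failed this throws an IdentityNotMappedException instead of adding a bogus SID.
    $targetName = $targetSid.Translate([System.Security.Principal.NTAccount]).Value

    # Idempotency check: compare SID strings rather than display names, since names
    # vary with locale and trust configuration while the SID does not.
    $alreadyMember = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $targetSid.Value }

    if ($alreadyMember) {
        Write-Verbose "$targetName ($($targetSid.Value)) is already a member of '$Group'; nothing to do."
        return
    }

    # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
    if ($PSCmdlet.ShouldProcess($Group, "Add member $targetName ($($targetSid.Value))")) {
        Add-LocalGroupMember -Group $Group -Member $targetSid.Value
        Write-Verbose "Added $targetName to '$Group'."
    }
}

# Usage: preview the change, then apply it.
Add-DomainWellKnownSidToLocalGroup -Group 'Direct Access Users' -WhatIf
Add-DomainWellKnownSidToLocalGroup -Group 'Direct Access Users' -Verbose
```

Passing a different WellKnownSidType (for instance AccountDomainAdminsSid) reuses the same domain lookup for any other domain-relative well-known group, and the membership check means the function can be run repeatedly from a configuration script without producing "already a member" errors.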