I ran into a situation last week where I needed to add a user to the Administrators group on a whole bunch of remote servers. Having had serious problems with cubital tunnel I try to avoid mouse clicks as much as possible, and anyway this is one of those situations that PowerShell is great for.
After a little trial and error I put together a script. The script doesn’t accept any pipelining, rather it will prompt you for the values (old school).
When asked enter the name of the local group (you don’t always want to add people to Administrators after all). Then the AD user or group name (include the domain for example PRODSomeAccount). Finally a comma separated list of servers to add the account to. Yes, I could have done this with a text file or something like that, but this is to be used as a quick thing and it’s easier to just type a list of servers in rather than create a file every single time you run it.
Once those three things have been entered the script will go out, check to see if the AD user/group already exists in that server group. If it exists you’ll get a warning that it’s already there, otherwise it will add the user/group to the local server group. There’s also a quick check to see if the server is available, if not you’ll get an error for that particular machine, it will continue to work on the others.
Of course the account you execute this script as will have to have the relevant permissions on the remote servers to allow you to add the user/group.
<#
.SYNOPSIS
Adds a domain user or group to a local Windows group on a local or remote server
.DESCRIPTION
This script can be used in the event you need to add a domain user or group to a local Windows server group.
It's real strength comes in being able to enter a comma delimited list of servers so that you can add the same domain user/group to multple machines quickly and easily.
The user executing the process will require the rights on the remote machines to be able to add the accounts.
Contains basic error handling to check if the server is reachable, if the group exists and if the user is already a member of the group.
.PARAMETER <paramName>
No parameters, script file will ask for input
#>
$usrName = (Read-Host "Enter the domain account or group that you wish to add to the local server group (eg PRODMyAccount)")
$grpName = (Read-Host "Enter the server group name that the user should be added to (eg Administrators)")
$srvList = (read-host "Enter a comma delimited list of servers (eg SrvA, SrvB)").split(",")
Write-Host ""
$Exists = 0 #Initialize the Exists variable which is used to see whether or not users should be added to groups
foreach ($srvName in $srvList)
{
$srvName = $srvName.Trim().ToUpper() #Gets rid of spaces
try
{
if([ADSI]::Exists("WinNT://$srvName/$grpName,group")) #Check to see if the group exists
{
#Set the comparison string for the account to add
$usrName = $usrName -replace "", "/"
$chkOutput = "WinNT://$usrName"
#Write-Output "Checking for $chkOutput"
$group = [ADSI]("WinNT://$srvName/$grpName,group")
$group.Members() |
% {
$AdPath = $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)
#Write-Output $AdPath
if ($AdPath -ilike $chkOutput)
{
Write-Warning "User $usrName already a member of the $grpName group on $srvName"
$Exists = 1 #This way we won't try to add an account twice
}
}
if ($Exists -eq 0)
{
Write-Output "Account $usrName does not exist in the local $grpName group on $srvName. Adding now..."
$group.add("WinNT://$usrName,user") #Add the account to the local server group
$Exists = 0 #Reset the Exists variable ready for the next server
}
}
else
{
Write-Warning "The $grpName group does not exist on server $srvName."
}
}
catch { Write-Error "Server $srvName was unreachable." }
}
SirSQL.net 
Excellent and well written script which worked fine, thanks.
LikeLike