When managing multiple machines in a domain environment, you may need to grant temporary administrative privileges to domain users on specific workstations. This is particularly common in helpdesk scenarios or when deploying software that requires elevated permissions.
Before proceeding, ensure you have:
- Local administrator credentials for the target machine
- PowerShell remoting enabled (WinRM) on the target
- Proper network connectivity and firewall rules
- Sufficient Active Directory permissions
Here's a robust PowerShell script that accomplishes this task:
# Define parameters
$computerName = "TARGET-PC01"
$domainUser   = "DOMAIN\username"
$localAdmin   = "Administrator"
# Prompt for the local admin password rather than embedding it in the script
$localAdminPassword = Read-Host "Password for $computerName\$localAdmin" -AsSecureString
$credential = New-Object System.Management.Automation.PSCredential ("$computerName\$localAdmin", $localAdminPassword)
try {
    # Establish remote session
    $session = New-PSSession -ComputerName $computerName -Credential $credential -ErrorAction Stop
    # Execute command remotely. -ErrorAction Stop on both Invoke-Command and the cmdlet
    # inside it, otherwise a remote failure is reported as a non-terminating error
    # locally and never reaches the catch block.
    Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
        param($domainUser)
        Add-LocalGroupMember -Group "Administrators" -Member $domainUser -ErrorAction Stop
    } -ArgumentList $domainUser
    Write-Output "Successfully added $domainUser to local Administrators group on $computerName"
}
catch {
    Write-Error "Failed to add user: $_"
}
finally {
    if ($session) { Remove-PSSession $session }
}
Using WMIC
wmic /node:TARGET-PC01 /user:Administrator /password:P@ssw0rd123 process call create "net localgroup Administrators DOMAIN\username /add"
Note that the password is passed on the command line, where it is visible in process listings and shell history, and that WMIC is deprecated in current Windows releases; prefer the PowerShell approach where possible.
Batch File Approach
@echo off
rem The password is stored in clear text in this file and passed on the PsExec command line.
rem Restrict the file's ACL, or omit -p so PsExec prompts for the password instead.
set computer=TARGET-PC01
set admin=Administrator
set pass=P@ssw0rd123
set domainuser=DOMAIN\username
psexec \\%computer% -u %computer%\%admin% -p %pass% net localgroup Administrators %domainuser% /add
When implementing this solution:
- Always use secure methods to store and transmit credentials
- Consider implementing Just-In-Time administrative access
- Log all privilege elevation actions
- Remove temporary administrative access when no longer needed
Common issues and solutions:
- Access denied: Verify the credentials and check UAC remote restrictions (by default, local accounts other than the built-in Administrator receive a filtered token over the network)
- WinRM not configured: Run 'Enable-PSRemoting -Force' on target
- Firewall blocking: Ensure port 5985 (HTTP) or 5986 (HTTPS) is open
- Group Policy restrictions: Check for policies limiting local admin modifications
Before proceeding, ensure you have:
- Administrative credentials for the remote machine
- PowerShell remoting enabled on target computers
- Proper network connectivity and permissions
The most efficient way to add domain users to local admin groups remotely is through PowerShell. Here's a complete example:
# Single machine operation
$credential = Get-Credential
Invoke-Command -ComputerName "TARGET-PC" -Credential $credential -ScriptBlock {
    Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\username"
}
When dealing with multiple computers, use this approach:
$computers = "PC1","PC2","PC3"
$credential = Get-Credential
foreach ($computer in $computers) {
    try {
        # -ErrorAction Stop on Invoke-Command as well, otherwise a remote error is
        # reported as non-terminating locally and never reaches the catch block
        Invoke-Command -ComputerName $computer -Credential $credential -ErrorAction Stop -ScriptBlock {
            Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\username" -ErrorAction Stop
        }
        Write-Host "Successfully added user on $computer" -ForegroundColor Green
    }
    catch {
        Write-Host "Failed to add user on $computer : $_" -ForegroundColor Red
    }
}
For targets without PowerShell 5.1+ (the version that introduced the Add-LocalGroupMember cmdlet), you can use the classic net commands:
$computer = "TARGET-PC"
# Prompt for the password instead of hard-coding it
$adminPass = Read-Host "Local Administrator password for $computer" -AsSecureString
$credential = New-Object System.Management.Automation.PSCredential ("Administrator", $adminPass)
Invoke-Command -ComputerName $computer -Credential $credential -ScriptBlock {
    net localgroup Administrators "DOMAIN\username" /add
    # net.exe does not throw on failure, so check its exit code explicitly
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
}
Always verify the changes:
Invoke-Command -ComputerName "TARGET-PC" -Credential $credential -ScriptBlock {
    Get-LocalGroupMember -Group "Administrators" | Where-Object {$_.Name -like "*username*"}
}
- Always use secure methods to handle credentials
- Consider using Just-In-Time administration instead of permanent membership
- Log all administrative actions for audit purposes
If you encounter "Access Denied" errors:
- Verify the credentials have local admin rights on target machines
- Check if PowerShell remoting is enabled (Test-WSMan)
- Ensure the domain user exists and is spelled correctly
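As an added example (not code from either answer above), here is how the recommendations to log every elevation and to remove temporary membership when it is no longer needed can be turned into two functions: one grants membership and records it in a CSV ledger with an expiry, the other is run later (for example from a scheduled task) to revoke every grant whose expiry has passed. The function names, the ledger path and the 4-hour default lifetime are assumptions; the targets need PowerShell 5.1+ and WinRM as described earlier.

```powershell
# Added example, not from the original answers. Assumes PowerShell 5.1+ on the targets,
# WinRM enabled, and a ledger path the operator can write (both names are assumed).
function Write-AdminLedger {
    param([string]$Ledger, [string]$Action, [string]$ComputerName, [string]$DomainUser, [datetime]$Expires)
    # One row per action, so the ledger is also the audit trail: who elevated whom, where, until when
    [pscustomobject]@{
        Timestamp    = (Get-Date).ToString('o')
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        Action       = $Action
        ComputerName = $ComputerName
        DomainUser   = $DomainUser
        Expires      = $Expires.ToString('o')
    } | Export-Csv -Path $Ledger -Append -NoTypeInformation
}
function Grant-TemporaryLocalAdmin {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$DomainUser,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Hours = 4,                                            # assumed default lifetime
        [string]$Ledger = "$env:ProgramData\LocalAdminGrants.csv"   # assumed ledger location
    )
    $expires = (Get-Date).AddHours($Hours)
    # -ErrorAction Stop on both sides so a remote failure aborts before anything is recorded
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
        param($u)
        # Add-LocalGroupMember throws if the member is already present, so make the grant idempotent
        if (-not (Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -eq $u)) {
            Add-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction Stop
        }
    } -ArgumentList $DomainUser
    Write-AdminLedger -Ledger $Ledger -Action 'grant' -ComputerName $ComputerName -DomainUser $DomainUser -Expires $expires
}
function Revoke-ExpiredLocalAdmin {
    # Run periodically (e.g. from a scheduled task): revoke each expired grant that has no later revoke entry
    param([Parameter(Mandatory)][pscredential]$Credential,
          [string]$Ledger = "$env:ProgramData\LocalAdminGrants.csv")
    if (-not (Test-Path $Ledger)) { return }
    $rows    = Import-Csv $Ledger
    $revokes = $rows | Where-Object Action -eq 'revoke'
    foreach ($g in $rows | Where-Object { $_.Action -eq 'grant' -and [datetime]$_.Expires -lt (Get-Date) }) {
        $done = $revokes | Where-Object { $_.ComputerName -eq $g.ComputerName -and $_.DomainUser -eq $g.DomainUser -and [datetime]$_.Timestamp -gt [datetime]$g.Timestamp }
        if ($done) { continue }
        Invoke-Command -ComputerName $g.ComputerName -Credential $Credential -ErrorAction Stop -ScriptBlock {
            param($u) Remove-LocalGroupMember -Group 'Administrators' -Member $u -ErrorAction Stop
        } -ArgumentList $g.DomainUser
        Write-AdminLedger -Ledger $Ledger -Action 'revoke' -ComputerName $g.ComputerName -DomainUser $g.DomainUser -Expires ([datetime]$g.Expires)
    }
}
```

Because every grant and revoke is appended to the same ledger, the revoke pass is safe to re-run: a grant that was already revoked (or re-granted later) is skipped, and the ledger itself answers the audit question of who held local admin on which machine and when.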