Create server/clients admins groups

Hi.
Need help to automate one manual process we have here. When a new server is installed, we have one job to create a new server admins group and add it to an existing server admins group. How can we automatically do this job through a script with a txt input file?

Script should do:
Create a new servername.admins domain group. The new group should be a member of an already existing group called winservers.admins, and this new group should be added to the local administrators group on the new server.

Well, this forum isn’t really about writing a script for you, but we’re happy to try and answer questions! Did you have a specific question you wanted to start with?

Also find prewritten scripts here: http://gallery.technet.microsoft.com/

Learn PowerShell: https://mva.microsoft.com/en-us/training-courses/getting-started-with-microsoft-powershell-8276

Script requests: https://gallery.technet.microsoft.com/scriptcenter/site/requests

Hi.
Yes, I understand that you can't deliver a finished script for me. I just need guidelines on how to start; I haven't got deep knowledge of PowerShell.

Get-Command -Noun *localGroup* | Get-help
for the local group part and
Get-Command -Name *adgroup* | Get-Help
for the AD group part.

That’s why I recommended learning PowerShell. There you would have learned how to search for commands or for help. :wink:

So in theory you could have a text or csv file with the group names in it, get-content or import-csv is the command you want for that.

New-ADGroup will create your groups.

Add-ADGroupMember will add your new group to the current winservers.admins.

Depending on what version of PowerShell you are running, you can use Add-LocalGroupMember to add your domain group to the local admins group on the server, or you would need to use the old net commands, i.e. net localgroup.

Hi.
I did it after some googling and Get-Help.

[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
$grp = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a group name", "Group", "$env:GroupName")
$dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Description", "Description", "$env:Description")
New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=C1,DC=domain,dc=int" -Description $dspr
Start-Sleep -Seconds 9
Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins 

You can use powershell to get those variables without using VB

i.e.

$group = Read-Host "Enter group name"

Also the below code is a bit redundant

Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins

You can do this instead

Add-ADGroupMember -Identity $grp -Members ServerAdmins

I use Visual Basic to get a popup window to type in the name. Yes, I know about

Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members ServerAdmins

I just wanna get a confirmation of the new group. Now I have to solve the local administrators membership.

I have tried to get the local administrators add to work with this, but it won't work:

$dgrp = $grp
$localgrp = "Administrators"
$client =  [Microsoft.VisualBasic.Interaction]::InputBox("Enter a Server name", "Group", "$env:computername")
$domain = $env:USERDOMAIN

([ADSI]"WinNT://$client/$localgrp,group").psbase.Invoke("Add",
([ADSI]"WinNT://$domain/$dgrp").path)

Did you look into any of the commands I mentioned earlier? net localgroup and add-localgroupmember?

If you have PowerShell remoting enabled you could do something like

Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\group" /add} 

or if you have PS 5.1 installed on the servers

Invoke-Command -ComputerName $computername -scriptblock {Add-Localgroupmember -Group Administrators -member "domain\group"} 

I have tried net localgroup, but I have to add the group $grp that I created earlier in the script,
like net localgroup Administrators "domain\$grp" or "$grp" /add, but will this ever work?

Assuming you are running all of this from the same script, yes you can pass that $grp variable into net local command.

# $using: carries the local $grp into the remote script block; /add stays outside the quotes
Invoke-Command -ComputerName $computername -scriptblock {net localgroup administrators "domain\$using:grp" /add}

The script is adding a domain local group to a global group. The script cannot add the domain local group to local administrators, but if I change it to the nested global group it works.

Hi Again.
I'm still struggling with this. I can create the group and get the nesting working, but when adding the new group to local Administrators it halts.
The script looks like this:

#[System.Threading.Thread]::CurrentThread.GetApartmentState()
[System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') | Out-Null
$grp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i gruppnamn", "Group", "$env:GroupName")
$dspr = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i beskrivning", "Description", "$env:Description")
$comp = [Microsoft.VisualBasic.Interaction]::InputBox("Fyll i Datornamn", "Computer", "$env:ComputerName")

New-ADGroup $grp -GroupScope DomainLocal -GroupCategory Security -Path "ou=Groups,ou=domain,DC=domain,dc=int" -Description $dspr
Start-Sleep -Seconds 15
Get-ADGroup $grp
Add-ADGroupMember -Identity $grp -Members NewAdmins
Start-Sleep -Seconds 11
#$DomainName = Get-ADDomain
#Get-Host $comp
$AdminGroup = [ADSI]"WinNT://$Comp/Administrators,group"
$grp = [ADSI]"WinNT://$DomainName/$grp,group"
$AdminGroup.Add($grp.Path)

When running this script I get this error:
Exception calling "Add" with "1" argument(s): "An invalid directory pathname was passed
"
At line:16 char:1
+ $AdminGroup.Add($grp.Path)
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

Have tried using

Invoke-Command -ComputerName $computer -scriptblock {net localgroup "administrators" "domain\$grp" /add}

instead of ADSI, and get the error
“NotSpecified: (The syntax of this command is::String) , RemoteException”

When I skip the VB style and just use Read-Host and put some values in $DomainName, I get the script working.
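
The whole procedure discussed in this thread, as an added example that is not code from any of the posters: it reads server names from a text file, creates `servername.admins`, nests it in `winservers.admins`, and adds it to the local Administrators group over remoting. Assumptions: the file name `servers.txt`, Global group scope, PowerShell 5.1 with remoting on the target servers, and the OU path quoted earlier in the thread.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread. Assumed: servers.txt and Global scope.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$InputFile   = '.\servers.txt',                    # one server name per line
    [string]$ParentGroup = 'winservers.admins',                # existing group from the question
    [string]$GroupOU     = 'ou=Groups,ou=C1,DC=domain,dc=int'  # OU used earlier in the thread
)

$domain  = Get-ADDomain
$dc      = $domain.PDCEmulator   # pin every AD call to one DC instead of sleeping
$servers = Get-Content -Path $InputFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($server in $servers) {
    # Accept only plain NetBIOS host names before they reach AD or a remote session.
    if ($server -notmatch '^[A-Za-z0-9-]{1,15}$') {
        Write-Warning "Skipping invalid server name '$server'"
        continue
    }
    $groupName = '{0}.admins' -f $server

    # Create and nest only when the group does not exist yet, so reruns are harmless.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupName'" -Server $dc)) {
        if ($PSCmdlet.ShouldProcess($groupName, "Create group and nest in $ParentGroup")) {
            New-ADGroup -Name $groupName -SamAccountName $groupName -GroupScope Global `
                -GroupCategory Security -Path $GroupOU -Server $dc `
                -Description "Local administrators of $server"
            Add-ADGroupMember -Identity $ParentGroup -Members $groupName -Server $dc
        }
    }

    $member = '{0}\{1}' -f $domain.NetBIOSName, $groupName
    if ($PSCmdlet.ShouldProcess($server, "Add $member to local Administrators")) {
        Invoke-Command -ComputerName $server -ScriptBlock {
            # $using: copies the caller's value into the remote session;
            # a bare $member would be empty on the remote side.
            $sid = 'S-1-5-32-544'   # built-in Administrators, independent of OS language
            if (-not (Get-LocalGroupMember -SID $sid -Member $using:member -ErrorAction SilentlyContinue)) {
                Add-LocalGroupMember -SID $sid -Member $using:member
            }
            Get-LocalGroupMember -SID $sid | Select-Object Name, ObjectClass, PrincipalSource
        }
    }
}
```

Run it with `-WhatIf` first to see which groups and servers would be touched. The membership list returned from each server is worth reviewing, since every entry in it holds full local administrator rights.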