Writing a user into local Remote Desktop Users without comparing with AD

Hey Guys,

I have a particular problem that I am struggling to solve.

I am running a script as local administrator (it needs to be), where I am writing a given AD user into the local Remote Desktop Users group. But because I am local administrator, the AD won't let me write it.
Our AD is very strict, so it only talks with AD users. // It cannot be a hard-coded tech user, for security reasons…
Is there a way to only write the name, without matching it with the AD, if it exists?

I hope you can understand what I am trying to say… English is not my mother tongue…

Here is the part from my script:

# I built a little overlay where you can type in the user that should be able to connect with RDP
# resolve name of group with static SID S-1-5-32-555 = Remote Desktop Users
$objSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-555")
$Group = (($objSID.Translate([System.Security.Principal.NTAccount])).Value).Split("\")[1]
# get local domain
$domain = $env:USERDOMAIN
# get username
$user = $TextBox1.Text

foreach ($user in $TextBox1.Text) {
    try {
        # add user to windows group
        $de = ([ADSI]"WinNT://localhost/$Group,group").Add("WinNT://$domain/$user")

        # refresh userlist

        # display short information that adding the user was successful
        $TextBoxStat.Text = "Erfolgreich hinzugefügt"
        Start-Sleep -Seconds 1
        $TextBoxStat.Text = ""
    } catch {
        # display info about failure
        $TextBoxStat.Text = "User konnte nicht der lokalen Windows-Gruppe hinzugefügt werden"
        Start-Sleep -Seconds 2
        $TextBoxStat.Text = ""
    }
}

I just tested it and it works just as expected with Add-LocalGroupMember for a local administrator. … at least in my environment.
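One way to do what Olaf describes with the LocalAccounts cmdlets, as an added example that is not code from the thread or from either poster. It resolves the group by the same well-known SID the original script uses, and assumes the account name comes from the form's $TextBox1 (the "CONTOSO\jdoe" value below is a placeholder):

```powershell
# Added example: add a domain account to the local Remote Desktop Users group
# using the LocalAccounts module instead of the WinNT ADSI provider.
function Add-RdpUser {
    param(
        [Parameter(Mandatory)][string]$DomainUser   # e.g. "CONTOSO\jdoe" (placeholder)
    )
    # Resolve the group by its well-known SID (S-1-5-32-555), so the script also
    # works on localized systems where the group is not called "Remote Desktop Users".
    $group = Get-LocalGroup -SID 'S-1-5-32-555'

    # Add-LocalGroupMember throws if the principal is already a member, so check first.
    $already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $DomainUser }
    if ($already) {
        return "$DomainUser is already a member of '$($group.Name)'"
    }

    try {
        Add-LocalGroupMember -Group $group -Member $DomainUser -ErrorAction Stop
        return "Added $DomainUser to '$($group.Name)'"
    } catch {
        # Typical causes: account not found, no domain connectivity, insufficient rights.
        throw "Could not add $DomainUser to '$($group.Name)': $($_.Exception.Message)"
    }
}

# Usage from the form handler (assumes the $TextBox1 / $TextBoxStat controls of the original script):
# $account = '{0}\{1}' -f $env:USERDOMAIN, $TextBox1.Text.Trim()
# $TextBoxStat.Text = Add-RdpUser -DomainUser $account
```

Membership of the group can afterwards be confirmed with Get-LocalGroupMember -SID 'S-1-5-32-555', which also shows any stale members that no longer resolve.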

Hm, I tried that too, but unfortunately it won't write it into the RDP group…
Need to sleep over that, maybe I'll find the solution tomorrow…

Had some problems in the rest of the script that I could solve now.
@Olaf The idea was great, I didn't know that you can write in usernames without checking with AD like this.
Thanks for your help!

Cool. I'm glad it helped. 👍 😃
