Adding long domain group to local administrators group

  • #9063
    jagablack
    Participant

    Hi Doug/All,

    I am trying to add a domain group to a local group via BatchPatch.

    I tried net localgroup but it doesn’t work because:

    “The NET.EXE command does not support names longer than 20 characters for reasons of backward compatibility with LAN Manager 2.0.”

    Wondering if you had run into this and had a PowerShell or other option for this via BatchPatch, since net localgroup is coming up short.

    Thanks!

    #10784
    jagablack
    Participant

    Actually I found a method outside of BatchPatch using PowerShell:

    ```powershell
    function ListAdministrators($Group)
    {
        # Return the names of the group's current members
        $members = $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
        $members
    }

    function Ping-Server {
        Param([string]$srv)
        $pingresult = Get-WmiObject Win32_PingStatus -Filter "Address='$srv'"
        if($pingresult.StatusCode -eq 0) {$true} else {$false}
    }

    if ($args.Length -ne 2) {
        Write-Host "`tUsage: "
        Write-Host "`t`t.\AddToLocalAdmin.ps1 < group or user > <file of machines>"
        Write-Host "`t`tExample: .\AddToLocalAdmin.ps1 FooBarGroup c:\temp\mymachines.txt"
        return
    }

    #Your domain, change this
    $domain = "putdomainnamehere"

    #Get the user to add
    $username = $args[0]

    #File to read computer list from
    $strComputers = Get-content $args[1]

    foreach ($strComputer in $strComputers)
    {
        if (Ping-Server($strComputer)) {
            $computer = [ADSI]("WinNT://" + $strComputer + ",computer")
            $Group = $computer.psbase.children.find("administrators")

            # This will list what's currently in Administrator Group so you can verify the result
            write-host -foregroundcolor green "====== $strComputer BEFORE ====="
            ListAdministrators $Group
            write-host -foregroundcolor green "====== BEFORE ====="

            # Even though we are adding the AD account
            # It is being added to the local computer and so we will need to use WinNT: provider
            $Group.Add("WinNT://" + $domain + "/" + $username)

            write-host -foregroundcolor green "====== $strComputer AFTER ====="
            ListAdministrators $Group
            write-host -foregroundcolor green "====== AFTER ====="
        }
        else
        {
            write-host -foregroundcolor red "$strComputer is not pingable"
        }
    }
    ```

    You feed it the user or groupname and a text file of the list of machines.

    Perhaps you could help feed this into BatchPatch.

    If not I understand, but just wanted to ask and then share.

    PS C:\tools> .\AddToLocalAdmin.ps1 testgroupname c:\tools\servers.txt

    #10789
    doug
    Moderator

    Jeremy – Maybe try the suggestion at this page:

    https://stackoverflow.com/questions/12112182/how-to-add-a-group-with-long-name-to-local-group-from-command-prompt-or-batch-fi

    It suggests the following command, which should be runnable directly from the cmd prompt, which means that it should also be runnable directly from the remote command field in BP. I have not tried it, so let me know how it goes:

    powershell -command "& { ([adsi]'WinNT://./your-local-group,group').Add('WinNT://YOURDOMAIN/your-really-long-global-group-name,group'); }"

    -Doug

    #10776
    jagablack
    Participant

    I got access denied. I think I will just run with the other method in the interest of time though.

    ```
    Exception calling "Add" with "1" argument(s): "Access is denied.
    At line:1 char:5
    + & {
    ([adsi]'WinNT://./administrators,group').Add('WinNT://mydom/mydomgroupname
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
    + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
    ```

    #10778
    doug
    Moderator

    OK, sounds good. If I get a chance to do some testing later, I’ll report back here.

    Thanks,

    Doug
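
The ADSI WinNT approach discussed in this thread, as an added example that is not part of the original posts and is not BatchPatch's own code: an idempotent add that checks current membership first and reports "Access is denied" as a distinct status instead of a raw exception. The function name, its parameters and the status strings are hypothetical.

```powershell
# Added example; Add-DomainGroupToLocalGroup, its parameters and status values are hypothetical.
function Add-DomainGroupToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$Domain,        # NetBIOS domain name
        [Parameter(Mandatory)][string]$GroupName,     # may exceed net.exe's 20-character limit
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$LocalGroup   = 'Administrators'
    )
    $result = [pscustomobject]@{
        Computer = $ComputerName
        Member   = "$Domain\$GroupName"
        Status   = $null
        Detail   = $null
    }
    try {
        $group = [ADSI]"WinNT://$ComputerName/$LocalGroup,group"
        $path  = "WinNT://$Domain/$GroupName"
        # List current members by ADsPath so a repeat run is a no-op instead of an error.
        $current = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        if ($current -contains $path) {               # -contains ignores case
            $result.Status = 'AlreadyMember'
        }
        else {
            $group.Add("$path,group")
            $result.Status = 'Added'
        }
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        $result.Detail = $inner.Message
        switch ($inner.HResult) {
            -2147024891 { $result.Status = 'AccessDenied' }   # 0x80070005: needs elevated admin rights on the target
            -2147023518 { $result.Status = 'AlreadyMember' }  # 0x80070562: account is already in the local group
            default     { $result.Status = 'Failed' }
        }
    }
    $result
}

# Constructed sample values; replace with a real domain and group.
# Add-DomainGroupToLocalGroup -Domain 'YOURDOMAIN' -GroupName 'your-really-long-global-group-name'
```

The returned object can be collected per host and exported, which gives a record of which machines had their local Administrators membership changed.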
