Using BatchPatch to Modify Local Group Membership on Multiple Remote Computers

Today I’m going to demonstrate how to use BatchPatch to perform a routine task that administrators have to complete periodically, which is to edit the group membership of a particular local group on multiple computers. The cool thing with BatchPatch is that you can do all of the computers in a single shot.

To perform the actual group membership change we’re going to use the ‘Net localgroup‘ command that’s built in to Windows. However, we’ll use BatchPatch to execute the required commands, which enables us to target numerous remote computers at one time. For reference we will be using some of the commands outlined here.

  1. First let’s make a quick configuration change. Under ‘Tools > Settings Remote Execution’ let’s change the ‘Remote execution context’ to ‘Elevated token’ for ‘Remote process/command (logged output).’ The default configuration is set to use SYSTEM, which works best for most situations, but there are some situations that could require a different execution context, and this is one of those times. If you try to execute a ‘Net localgroup’ command under the SYSTEM context, it may work or you may get an error, depending on the account that is being used and the target system configuration. However, using ‘Elevated token’ should work for all scenarios (unless, of course, the account you are using simply does not have the necessary permissions needed to change the group membership on the target computer).

    IMPORTANT: When specifying alternate credentials with PsExec version 2.32+, to use ‘Elevated token’ (or any option that is not SYSTEM) you will need to additionally select the -i (interactive) option. However, older versions of PsExec can use alternate credentials with ‘Elevated token’ without also using -i (interactive). If you use PsExec v2.32+ and receive a 1385 exit code, try enabling -i (interactive).
  2. net localgroup GroupName displays a list of users or global groups in a local group, so let’s start by listing out the users/groups contained in our local administrators group on the target computers. To do that I clicked on ‘Actions > Execute remote process/command > Create/modify remote command 3 (logged output)’. In the remote process window I typed ‘net localgroup administrators’ and then clicked ‘Execute’ so that the command would run on the highlighted computers in the grid.

  3. If we want to remove ‘johndoe’ from the administrators group, we can run ‘net localgroup administrators johndoe /delete’


  4. Similarly, if we want to add an account or global group to the local group, we do it with ‘net localgroup administrators johndoe /add’


  5. That’s all there is to it. If you want to execute this on many computers, simultaneously, all you have to do is highlight the desired rows in your BatchPatch grid before clicking the ‘Execute’ button!
This entry was posted in Blog, General, Tutorials and tagged , , . Bookmark the permalink. Both comments and trackbacks are currently closed.