How To: Add A Domain Group To The Local Administrators Group On A Domain Controller

There are a very limited number of circumstances when you’d want to do this, most of which are boring & technical (e.g. adding an Exchange 2010 Database Availability Group and using a “Witness Server” of one of your Domain Controllers requires that the “Exchange Trusted Subsystem” domain group be added to the Local Administrators group on the Domain Controller itself)… but here goes anyway…

You’ll notice that if you use “net localgroup administrators /add DOMAIN\Group”, the command fails with a syntax error. Some folks say that this is because of a limitation on the length of the group name, but I call shenanigans on that explanation. At any rate, you’ll slam your head against your desk for a while, until you do the following:

1) Open up Notepad

2) Paste in the following lines, substituting your domain’s NetBIOS name for DOMAINNAME and the domain group’s name for DOMAINGROUPNAME:

' Bind to the built-in Administrators group on this machine via the WinNT (ADSI) provider
Set objLocalGroup = GetObject("WinNT://./Administrators")
' Bind to the domain group that should become a member
Set objADGroup1 = GetObject("WinNT://DOMAINNAME/DOMAINGROUPNAME")
' Add the domain group to the local Administrators group by its ADsPath
objLocalGroup.Add(objADGroup1.ADsPath)
' Release the objects
Set objLocalGroup = Nothing
Set objADGroup1 = Nothing

3) Go to File > Save As, and save it on your Desktop as “script.vbs”

4) Go to Start and type in cmd, then right-click on cmd and choose “Run as Administrator”.


5) CD to your Desktop and run “cscript script.vbs”. Once the script finishes, run “net localgroup administrators” to verify that the script added the requested group properly.
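The same steps done from an elevated PowerShell prompt on the Domain Controller, as an added example that is not part of the original post. It uses the same WinNT/ADSI provider and the same Add() call as the VBScript above, but checks the current membership first so that running it twice is harmless, and lists the members afterwards. The $DomainName value is a placeholder you substitute; "Exchange Trusted Subsystem" is only the sample group name taken from the post’s Exchange DAG scenario. The Get-LocalAdminMembers helper is mine, not a built-in cmdlet.

```powershell
# Added example (not from the original post). Run from an elevated
# PowerShell prompt on the Domain Controller. Save as e.g. add-dcadmin.ps1.
param(
    [string]$DomainName = 'DOMAINNAME',                 # placeholder: your domain's NetBIOS name
    [string]$GroupName  = 'Exchange Trusted Subsystem'  # sample value from the post's scenario
)

function Get-LocalAdminMembers {
    # Enumerates the members of the built-in Administrators group through
    # the same WinNT provider the VBScript uses; returns each member's ADsPath,
    # e.g. WinNT://DOMAINNAME/Domain Admins
    $local = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $local.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

# ADsPath of the domain group, same form as objADGroup1.ADsPath in the VBScript
$target = "WinNT://$DomainName/$GroupName"

Write-Host 'Members before:'
Get-LocalAdminMembers | ForEach-Object { Write-Host "  $_" }

# PowerShell's -eq on strings is case-insensitive, which matches how the
# WinNT provider treats names
if (Get-LocalAdminMembers | Where-Object { $_ -eq $target }) {
    Write-Host "$target is already a member of Administrators; nothing to do."
} else {
    $local = [ADSI]'WinNT://./Administrators,group'
    $local.Add($target)   # equivalent to objLocalGroup.Add(objADGroup1.ADsPath)
    Write-Host "Added $target to Administrators."
}

Write-Host 'Members after:'
Get-LocalAdminMembers | ForEach-Object { Write-Host "  $_" }

# Cross-check with the same command the post uses for verification
net localgroup administrators
```

Membership of Administrators on a Domain Controller is effectively domain-wide administrative access, so the before/after listing is worth keeping in the change record for the DAG witness (or whatever case prompted the change). Note also that net’s documented argument order puts the member before the switch (“net localgroup administrators DOMAINNAME\GroupName /add”); the ADSI route above works the same way regardless of that.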


As you can see, the script works :-)
