Powershell script to dynamically create Local Admin Groups


Last week I was looking for a way to create Local Admin groups for each computer in an OU. First I tried to do this with a batch script. But after some scripting I thought ‘Batch scripting is old, let’s do it with Powershell’. That said, I rewrote the script in Powershell and below is the result:

# Bind to the OU that holds the computer accounts and to the OU that should hold the groups.
# (The DN for the Security OU is corrected here: the original "OU=Security,DOMAIN,DC=LOCAL"
#  is missing the "DC=" in front of DOMAIN and is not a valid distinguished name.)
$ou  = [ADSI]"LDAP://OU=Computers,DC=DOMAIN,DC=LOCAL"
$ou1 = [ADSI]"LDAP://OU=Security,DC=DOMAIN,DC=LOCAL"
$groupexists = 0
$groupadded  = 0

foreach ($child in $ou.psbase.Children) {
    if ($child.ObjectCategory -like '*computer*') {
        $name             = $child.Name
        $groupname        = "LocalAdmin_" + $name
        $groupdescription = "Local Administrator Group for " + $name

        # First attempt: walk every object in the Security OU looking for the group.
        foreach ($child1 in $ou1.psbase.Children) {
            if (($child1.ObjectCategory -like '*group*') -and ($child1.sAMAccountName -eq $groupname)) {
                $groupexists++
            } else {
                # This is what produces the naming violation shown below: Create() is called on
                # $child1 (an object inside the OU), so the group is created as a child of that
                # object instead of in the OU itself. It also runs once per non-matching object.
                $objGroup = $child1.Create("group", "CN=" + $groupname)
                # groupType 0x80000002 = security-enabled global group
                $objGroup.psbase.InvokeSet("groupType", -2147483648 + 2)
                $objGroup.Put("sAMAccountName", $groupname)
                $objGroup.Put("description", $groupdescription)
                $objGroup.SetInfo()
                $groupadded++
            }
        }
    }
}
write-host 'Total Added Groups :'$groupadded
write-host 'Total Exists Groups :'$groupexists

But the above script was giving me a very annoying error:

Exception calling "SetInfo" with "0" argument(s): "There is a naming violation. (Exception from HRESULT: 0x80072037)"
At C:test.ps1:11 char:22
+                 $objGroup.SetInfo <<<< ()
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI

I did some debugging of the error and tried different ways of creating the group. But none of them resulted in a working group. I decided to fire some ‘googles’ but none of them resulted in a fix. So my last option was to post the script on the Microsoft Social Technet forum and ask the community to fire on the script. And yes, someone gave me the right direction and it resulted in a working script. Below you can find the working version:

# Bind to the computer OU and to the OU that holds the LocalAdmin_ groups.
# (DN corrected to "DC=DOMAIN"; the original "OU=Security,DOMAIN,DC=LOCAL" is not a valid DN.)
$ou  = [ADSI]"LDAP://OU=Computers,DC=DOMAIN,DC=LOCAL"
$ou1 = [ADSI]"LDAP://OU=Security,DC=DOMAIN,DC=LOCAL"

$groupexists = 0
$groupadded  = 0
foreach ($child in $ou.psbase.Children) {
    if ($child.ObjectCategory -like '*computer*') {
        $name             = $child.Name
        $groupname        = "LocalAdmin_" + $name
        $groupdescription = "Local Administrator Group for " + $name

        Write-Host "Name: $($name)"
        Write-Host "GroupName: $($groupname)"

        # Test for the group by its full LDAP path instead of scanning the OU's children.
        if (![adsi]::Exists("LDAP://CN=$groupname,OU=Security,DC=DOMAIN,DC=LOCAL")) {
            # Create the group directly under the Security OU ($ou1), not under one of its children.
            $objGroup = $ou1.Create("group", "CN=" + $groupname)
            # groupType 0x80000002 = security-enabled global group
            $objGroup.psbase.InvokeSet("groupType", -2147483648 + 2)
            $objGroup.Put("sAMAccountName", $groupname)
            $objGroup.Put("description", $groupdescription)
            $objGroup.SetInfo()
            $groupadded++
        } else {
            $groupexists++
        }
    }
}
write-host 'Total Added Groups :'$groupadded
write-host 'Total Exists Groups :'$groupexists

Thanks to Boe Prox for giving me the right direction!
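As an added example (my own code, not the post's script or Boe Prox's suggestion), here is a reconciliation pass built on the same ADSI calls and the same LocalAdmin_<computer> convention: it creates whatever groups are missing, and additionally lists groups in the Security OU whose computer no longer exists, which the post's script does not check. The OU paths reuse the post's DC=DOMAIN,DC=LOCAL placeholders and are assumptions to adjust for your own forest.

```powershell
# Added example, not the post's own script; OU paths reuse the post's placeholder domain.
$computersOu = [ADSI]"LDAP://OU=Computers,DC=DOMAIN,DC=LOCAL"
$securityOu  = [ADSI]"LDAP://OU=Security,DC=DOMAIN,DC=LOCAL"
$prefix      = "LocalAdmin_"
# 0x80000002 = ADS_GROUP_TYPE_SECURITY_ENABLED + global group, the post's -2147483648 + 2
$groupType   = -2147483648 + 2
function Get-ExpectedLocalAdminGroups {
    # Map expected group name -> computer name for every computer object in the OU.
    $expected = @{}
    foreach ($c in $computersOu.psbase.Children) {
        if ($c.ObjectCategory -like '*computer*') {
            $name = [string]$c.Name
            $expected[$prefix + $name] = $name
        }
    }
    return $expected
}
function Get-ExistingLocalAdminGroups {
    # Collect sAMAccountNames of LocalAdmin_ groups already present in the Security OU.
    $existing = @{}
    foreach ($g in $securityOu.psbase.Children) {
        $sam = [string]$g.sAMAccountName
        if (($g.ObjectCategory -like '*group*') -and ($sam -like "$prefix*")) {
            $existing[$sam] = $true
        }
    }
    return $existing
}
$expected = Get-ExpectedLocalAdminGroups
$existing = Get-ExistingLocalAdminGroups
$missing  = @($expected.Keys | Where-Object { -not $existing.ContainsKey($_) })
$orphaned = @($existing.Keys | Where-Object { -not $expected.ContainsKey($_) })
foreach ($groupName in $missing) {
    try {
        # Create() on the OU object itself, as in the post's working version.
        $g = $securityOu.Create("group", "CN=$groupName")
        $g.psbase.InvokeSet("groupType", $groupType)
        $g.Put("sAMAccountName", $groupName)
        $g.Put("description", "Local Administrator Group for " + $expected[$groupName])
        $g.SetInfo()
        Write-Host "Created $groupName"
    } catch {
        # Report the HRESULT text (e.g. a naming violation) and continue with the next group.
        Write-Warning "Could not create ${groupName}: $($_.Exception.Message)"
    }
}
# A LocalAdmin_ group with no matching computer still holds members with admin rights; review them.
foreach ($groupName in $orphaned) { Write-Warning "Orphaned group: $groupName" }
Write-Host "Expected $($expected.Count), existing $($existing.Count), missing $($missing.Count), orphaned $($orphaned.Count)"
```

Run it from an account that can create groups in the Security OU; the try/catch means one failing object no longer aborts the whole run.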
