Use Powershell to Get, Add, Remove users from local groups

Table of Contents
. Local Groups manipulation of Members and Users in Powershell
. Get-LocalGroupMember Cmdlet
. Add-LocalGroupMember Cmdlet
. Remove-LocalGroupMember Cmdlet
. Real Life example of Get-LocalGroupMember and Add-LocalGroupMember

Local Groups manipulation of Members and Users in Powershell

This is simple set of Powershell Cmdlets and straightforward, hence without too much properties. They are all about Local Group Member manipulation – Get members, Add and Remove. In addition, we will cover remote execution of the Cmdlets, in order to manipulate Local Groups on the remote computers.

Get-LocalGroupMember Cmdlet

Get-LocalGroupMember Is a Cmdlet that gets objects / members of a particular local group of the current system / computer. If you want to know all the members of the “Administrators” group use:

Get-LocalGroupMember -Group "Administrators"

If you want to know if a particular user of your domain is in the local “Administrators” group:

Get-LocalGroupMember -Group "Administrators" -Member "DOMAIN\UserName"

The Member property should be with the domain included. If you will not include the domain, it will give you an error:

Get-LocalGroupMember : Principal UserName was not found

Even though the user is in the group.
You can execute the Cmdlet to know the members of the “Administrators” group of the remote computer as well:

# Specify here the name of the remote computer that you want to check the group members on.
$Computer = "Kitchen001"
# Get-Credentials for the remote execution, there is a chance that it will not work without some basic administrative rights.
$Credential = Get-Credential
# Invoke the command within a ScriptBlock
Invoke-Command -ComputerName $Computer -Credential $Credential -ScriptBlock { 
    Get-LocalGroupMember -Group "Administrators"

More examples with remote computer command execution are in Powershell Invoke-Command Cmdlet Usage.

Add-LocalGroupMember Cmdlet

Add-LocalGroupMember Is a Cmdlet that can add objects (Active Directory Groups, Azure Groups) / members to a particular local group of the current system / computer. If you want to add a particular member of your domain to the “Administrators” group:

$User = "DOMAIN\UserName1"
Add-LocalGroupMember -Group "Administrators" -Member $User

You can add several users at once:

Add-LocalGroupMember -Group "Administrators" -Member "DOMAIN\UserName1", "DOMAIN\UserName2", "DOMAIN\UserName3"

You also can add Computer accounts. If your computer / server name is, “OperationServer001” and it should have Local Administrative rights on a particular computer:

# Define Computer account as variable
$ServerAccount = "Domain\OpServer001$"
# Now add the computer account to the Local "Administrators” group:
Add-LocalGroupMember -Group "Administrators" -Member $ServerAccount

Now let us invoke this command on the remote computer:

$Computer = "Kitchen001"
$Credential = Get-Credential
$ServerAccount = "Domain\OpServer001$"

Invoke-Command -ComputerName $Computer -Credential $Credential -ArgumentList $ServerAccount -ScriptBlock { 
    Add-LocalGroupMember -Group "Administrators" -Member $args[0]

$args[0] is the usage variable inside the script block of the Invoke-Command. More is in our Powershell Invoke-Command guide.

Remove-LocalGroupMember Cmdlet

Remove-LocalGroupMember Is a Cmdlet that can remove objects (Active Directory Groups, Azure Groups) / members from a particular local group of the current system / computer. You can remove several users at once:

Remove-LocalGroupMember -Group "Administrators" -Member "DOMAIN\UserName1", "DOMAIN\UserName2", "DOMAIN\UserName3"

We can execute this on remote computers with a help of Invoke-Command cmdlet. The example is above in other Cmdlets that are listed on this page. The closest example would be of Add-LocalGroupMember.

Real Life example of Local Groups manipulation in Powershell with Get-LocalGroupMember and Add-LocalGroupMember

# This is "Fully Qualified Domain Name (FQDN) of your subdomain
# (in this example it is subdomain, but it also can be a regular domain with only two parts).
# Mostly it will be used in a script with many features, so you need to have different
# variations of your Operation Server name throughout the script.

$Domain = ""

# Next variable uses the subdomain name with FQDN, splits it at first "." sign and
# gets only the first part, which is "subdomain". Each operation of split, populates an
# array with split objects (like: "" will be 
# "$Array[0] = subdomain", "$Array[1] = domain", "$Array[2] = com").
# So "split('.')[0]" is the first part of the string.

$DomainNoFQDN = $Domain.split('.')[0]

# Next we'll define our Operation Server that will execute scripts on the remote computer

$Server = "OpServer001"

# Now we need to define the Computer Account with "$" sign.
# Off course this manipulation is only valid with variables of String type.
# Also we need to add our subdomain or domain in order to have full account name in the domain.

$ServerAccount = "$DomainNoFQDN\$Server$"

# This expression will result in "subdomain\OpServer001$". Or if it is a regular
# "" it will result in "domain\OpServer001$". These manipulations are important in
# order for your script to stay as dynamic as possible.
# Also you could use Full Server Name if you needed with:

$ServerNameFull = $Server + "." + $Domain

$Computer = "Kitchen001"
$Credential = Get-Credential

# We could use a function with Try and Catch, but we wanted to simplify the code for better understanding of the Cmdlets.
# The next block is getting all the Cmdlets that will be executed more than once.
# To find the Server account in remote computer Local Administrators Group.

$GetTheAccounts = {
    Write-Host "Checking if the account $ServerAccount is in Local Administrators group on $Computer"
    Invoke-Command -ComputerName $Computer -Credential $Credential -ArgumentList $ServerAccount -ScriptBlock { 
        Get-LocalGroupMember -Group "Administrators" -Member $args[0] -Verbose

# Get the result of the command into a variable. It will be empty if the Server account will not be found.

$ServerAccountCheck = Invoke-Command $GetTheAccounts

# If the $ServerAccount wasn't found in the Local Administrators group
If ($ServerAccountCheck.Name -ne $ServerAccount) {
    Write-Host "Adding $ServerAccount account to Local Administrators group on $Computer"
    # Then add the Server account to the Local Administrators group on the remote computer
    Invoke-Command -ComputerName $Computer -Credential $Credential -ArgumentList $ServerAccount -ScriptBlock { 
        Add-LocalGroupMember -Group "Administrators" -Member $args[0]

    # Now, we'll check again if the Add-LocalGroupMember Cmdlet worked and the Server account was really added.
    $ServerAccountCheck = Invoke-Command $GetTheAccounts

    # If the Server account wasn't added, then apparently there is a problem that needs to be fixed first.
    # Before the rest of the script that depends on this action will continue.
    If ($ServerAccountCheck.Name -ne $ServerAccount) {
        # Output error message
        Write-Host "Apparently there is some problem adding $ServerAccount as Local Administrator. Try checking persmissions."
        # and stop the execution.
    } Else {
        # If the second check was successful then the script can continue
        Write-Host "The account $ServerAccount was added to Local Administrators group on $Computer"
} Else {
    # If the first check was successful, then the Server account is already in the Local Administrator's group
    # Nothing needs to be done.
    Write-Host "The account $ServerAccount is already in Local Administrators group on $Computer"

Leave a Comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.