
Issues adding a local user to the administrators group via a powershell script


I've been assigned with a task to make the following script:

  • Check if the account exists
  • If not, create an account
  • Check if an account is part of local admins
  • If not, add to the local admins group
  • Generate a random password
  • Set the account password to a random password

Where I am having issues is checking if the account exists and, if it does, that it is part of the local admins group. When trying to add the user via the PowerShell script I get errors of:

The 'Administrators' group members are null.
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException

Here is the script so far.

try {
    # Check if the account exists
    $username = "chappie"
    $user = Get-LocalUser -Name $username
    # If not, create an account
    if (!$user) {
        New-LocalUser -Name $username -NoPassword -FullName "Chappie User" -Description "Chappie user account"
        $user = Get-LocalUser -Name $username
    }
}
catch {
    if ($_) {
        Write-Error "Error creating user account: $_"
    }
    return
}

try {
    # Check if an account is part of local admins
    $adminGroup = Get-LocalGroup -Name "Administrators"
    if (!$adminGroup) {
        Write-Error "The 'Administrators' group object is null."
        return
    }
    if ($adminGroup.Members -eq $null) {
        Write-Error "The 'Administrators' group members are null."
        return
    }
    $admin = $adminGroup.Members | Where-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) -eq "Chappie" }
    # If not, add to the local admins group
    if (!$admin) {
        $user = Get-LocalUser -Name "Chappie"
        if (!$user) {
            Write-Error "The 'Chappie' user object is not found."
            return
        }
        $userPrincipal = $user.SID
        if (!$userPrincipal) {
            Write-Error "The 'Chappie' user principal is null."
            return
        }
        $adminGroup.Invoke("Add", $userPrincipal.Value)
    }
}
catch {
    if ($_) {
        Write-Error "Error adding user to local administrators group: $_"
    }
    return
}


Any suggestions would help. Thanks!

Since I was getting errors for the Administrators group being null I went ahead and added a check for the group making sure it wasn't null and it still returned the same result. I also verified the user creation went through and that the groups were created as well.


Solution

  • Use the Get-LocalGroupMember and Add-LocalGroupMember cmdlets. An example would be:

    try {
        # Check if the account exists (SilentlyContinue so a missing user yields $null instead of throwing)
        $username = "chappie"
        $user = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
        # If not, create an account
        if (!$user) {
            $user = New-LocalUser -Name $username -NoPassword -FullName "Chappie User" -Description "Chappie user account" -ErrorAction Stop
        }
        # Check if an account is part of local admins.
        # Get-LocalGroup has no Members property; Get-LocalGroupMember returns the members.
        $adminMembers = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
        # Compare SID strings rather than names so renamed or localized accounts still match
        if (!($adminMembers.SID.Value -contains $user.SID.Value)) {
            # If not, add to the local admins group
            Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction Stop
        }
    }
    catch {
        Write-Error "Error provisioning '$username': $_"
    }
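The full task from the question (exists / create / admin-group check / random password / set password) as one script. This is an added example, not the answerer's code: the account name, full name and description are the question's placeholders, the `New-RandomPassword` function is my own, and the Administrators group is addressed by its well-known SID `S-1-5-32-544` so the script also works on localized Windows where the group's display name differs.

```powershell
#Requires -RunAsAdministrator
# Added example: complete user-provisioning script for the task in the question.
$username = 'chappie'         # placeholder account name from the question
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (locale-independent)

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-symbol alphabet: a byte modulo 64 is uniform, so there is no modulo bias.
    # 24 symbols * 6 bits = 144 bits of entropy.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    # Cryptographic RNG (Get-Random is not suitable for secrets)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    $chars = foreach ($b in $bytes) { $alphabet[$b % 64] }
    # Hand the password around only as a SecureString; never write the plaintext to console or log
    return ConvertTo-SecureString -String (-join $chars) -AsPlainText -Force
}

try {
    $password = New-RandomPassword

    # Check if the account exists; SilentlyContinue turns "not found" into $null
    $user = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
    if (-not $user) {
        # If not, create it with the random password already set (no passwordless window)
        $user = New-LocalUser -Name $username -Password $password `
            -FullName 'Chappie User' -Description 'Chappie user account' -ErrorAction Stop
    }
    else {
        # Existing account: rotate it to the new random password
        Set-LocalUser -Name $username -Password $password -ErrorAction Stop
    }

    # Check if the account is a member of Administrators, comparing SIDs rather than names
    $members = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop
    if (@($members | ForEach-Object { $_.SID.Value }) -notcontains $user.SID.Value) {
        # If not, add it
        Add-LocalGroupMember -SID $adminSid -Member $user -ErrorAction Stop
    }
}
catch {
    Write-Error "Failed to provision '$username': $_"
    exit 1
}
```

Every cmdlet that changes state uses `-ErrorAction Stop` so its failures actually reach the `catch` instead of being reported as non-terminating errors and silently skipped.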