I encountered a scenario where I needed to add or remove domain users from the local administrators group on an individual computer basis. The Run Script feature in Configuration Manager worked great for this.
I used an Add script and a Remove script. Both scripts have a $Member parameter that takes the name of a domain user or group and adds it to or removes it from the local administrator group on selected computers.
Add users or groups to local administrators

    #Create the Member parameter
    param([String]$Member)
    #Add the member to the local administrators group
    Add-LocalGroupMember -Group "Administrators" -Member $Member
    #Check if the member was added successfully
    #Query the exact member: a "*$Member" wildcard match can also hit a different account whose name ends the same way
    if (Get-LocalGroupMember -Group "Administrators" -Member $Member -ErrorAction SilentlyContinue) {
        Write-Host "Successfully added $Member to the local Administrators group."
    }
    else {
        Write-Host "Failed to add $Member to the local Administrators group."
    }

Remove users or groups from local administrators

    #Create the Member parameter
    param([String]$Member)
    #Remove the member from the local administrators group
    Remove-LocalGroupMember -Group "Administrators" -Member $Member
    #Check if the member was removed successfully
    #Query the exact member: a "*$Member" wildcard match can report failure because of a different account with a similar name
    if (Get-LocalGroupMember -Group "Administrators" -Member $Member -ErrorAction SilentlyContinue) {
        Write-Host "Failed to remove $Member from the local Administrators group."
    }
    else {
        Write-Host "Successfully removed $Member from the local Administrators group."
    }
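
A stricter variant of the Add script, as an added example that is not part of the original post: it rejects a $Member value that is not in DOMAIN\Name form, resolves the name to a SID before touching the group, skips the change when the account is already a member, and verifies the result by SID instead of by name. The helper name Test-IsLocalAdmin and the ERROR/NOCHANGE/ADDED output prefixes are assumptions made for this example.

```powershell
# Added example (not the original author's script).
# Assumption: the operator passes the member as DOMAIN\Name.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[\w.-]+\\[\w.$ -]+$')]   # DOMAIN\Name, no wildcard characters
    [string]$Member
)

$ErrorActionPreference = 'Stop'
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators (name varies by OS language)

# Hypothetical helper: exact membership test by SID string, no name matching.
function Test-IsLocalAdmin([string]$SidValue) {
    $current = Get-LocalGroupMember -SID $adminSid
    return [bool]($current | Where-Object { $_.SID.Value -eq $SidValue })
}

# Resolve the name first, so a typo fails before any change is attempted.
try {
    $account = [System.Security.Principal.NTAccount]::new($Member)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
catch {
    Write-Output "ERROR: '$Member' does not resolve to an account; nothing changed."
    exit 1
}

# Idempotent: Add-LocalGroupMember raises an error for an existing member.
if (Test-IsLocalAdmin $sid) {
    Write-Output "NOCHANGE: $Member ($sid) is already in the local Administrators group."
    exit 0
}

Add-LocalGroupMember -SID $adminSid -Member $Member

# Verify against the resolved SID and return one line per computer for the Run Script results.
if (Test-IsLocalAdmin $sid) {
    Write-Output "ADDED: $Member ($sid) on $env:COMPUTERNAME."
    exit 0
}
else {
    Write-Output "ERROR: $Member ($sid) is not in the local Administrators group on $env:COMPUTERNAME."
    exit 1
}
```

Including the SID in the output line lets the Run Script results be compared across computers even when the same account is displayed under different names.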