Check if group is member of local administrator group if not write remediation script to add them

  • Question

  • I'm working to create a CI in SCCM to discover if a group is a member of the local administrators group. Then add a remediation script to the CI to add the user to the local administrators group.  I believe my issue is the script portion.  Am I going in the right direction?

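    Discovery Script

    $members = @(([ADSI]"WinNT://./Administrators,group").psbase.Invoke("Members"))  # assumed: this definition is missing from the post
    ($members | foreach { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }) -contains "GROUPNAME"

    Remediation Script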


    • Moved by Bill_Stewart Wednesday, September 13, 2017 10:04 PM This is not system center forum
    Thursday, August 10, 2017 8:03 PM

All replies

  • Please don't post colorized scripts. Use the code posting tool. Colorized code is unreadable and cannot usually be copied correctly.


    • Proposed as answer by DC082961 Tuesday, December 26, 2017 3:51 PM
    Thursday, August 10, 2017 8:13 PM
  • You could use something like this:

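    # Look up the local Administrators group by its well-known SID (works on any OS language)
    $group = Get-WmiObject Win32_Group -Filter "SID='S-1-5-32-544'"
    $admin = @()
    # Collect every member of that group as DOMAIN\Name
    Get-WmiObject Win32_GroupUser | ? { $_.groupcomponent -like '*"' + $group.name + '"' } | Select-Object -ExpandProperty partcomponent | ForEach-Object {
        $_ -match ".+Domain\=(.+)\,Name\=(.+)$" | Out-Null
        $admin += ($matches[1].trim('"') + "\" + $matches[2].trim('"'))
    }
    # Add the account only if it is not already a member
    if ($admin -notcontains 'Domain\UserOrGroup') {
        net localgroup $group.Name Domain\UserOrGroup /add
    }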

    Best regards,
    Pavel Volkov
    MCP, MS: Configuring Windows Devices, Hyper-V and SCVMM
    MCSA: Windows 10/Server 2012/Server 2016/SQL 2016 Database Development
    MCSE: Mobility, Cloud Platform and Infrastructure

    Please remember to mark the replies as answers if they help...

    Thursday, August 10, 2017 8:46 PM
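
An added example, not part of the original thread: the discovery and remediation halves of such a CI in one file, comparing members by SID instead of by name so that a same-named local account cannot satisfy the check. The member name CONTOSO\Workstation-Admins, the function names, and the 'Compliant' value expected by the compliance rule are assumptions.

```powershell
# Added example, not code from the thread.
# Assumptions: 'CONTOSO\Workstation-Admins' is a constructed placeholder, and the
# CI compliance rule is set to expect the string 'Compliant' from discovery.
$RequiredMember = 'CONTOSO\Workstation-Admins'
$AdminsSid      = 'S-1-5-32-544'   # BUILTIN\Administrators, the SID used in the reply above

function Get-AdminsGroupName {
    # Resolve the (possibly localized) group name from its well-known SID.
    $sid = New-Object System.Security.Principal.SecurityIdentifier $AdminsSid
    $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
}

function Get-AdminsMemberSid {
    # Enumerate members through the WinNT provider and return each member's SID,
    # so the comparison does not depend on how a name is displayed.
    $group = [ADSI]"WinNT://./$(Get-AdminsGroupName),group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        (New-Object System.Security.Principal.SecurityIdentifier -ArgumentList ([byte[]]$bytes), 0).Value
    }
}

function Test-RequiredAdmin {
    try {
        $acct   = New-Object System.Security.Principal.NTAccount $RequiredMember
        $wanted = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return 'Unresolved'   # name could not be mapped to a SID (typo, no domain contact)
    }
    if (@(Get-AdminsMemberSid) -contains $wanted) { 'Compliant' } else { 'NonCompliant' }
}

function Add-RequiredAdmin {
    # Remediation body: change the group only when discovery says it is needed.
    if ((Test-RequiredAdmin) -eq 'NonCompliant') {
        net localgroup (Get-AdminsGroupName) $RequiredMember /add | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
    }
}

# Discovery script: emit the value the compliance rule evaluates (read-only).
Test-RequiredAdmin
# Remediation script: same definitions, but end with Add-RequiredAdmin instead.
```

Any output other than 'Compliant', including 'Unresolved', fails an "equals Compliant" rule, so a client that cannot resolve the name is reported rather than silently passed.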