![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" "\\"Hey,")
\n \n
Hey, Scripting Guy! How can I add a domain user to the local Administrators group in a computer? Hey, MB. One reason we started doing this column was because we wanted to know more about what system administrators do (and script) on a regular basis. As it is, sitting here in our luxurious penthouse suites atop the Microsoft campus, we\u2019re not always fully in tune with the way things are done in the real world. For example, in the Script Center we have a sample script that shows you how to add a user to the local Administrators account:<\/P> So what\u2019s wrong with this script? Nothing, except that this might not be the most practical example ever devised. After all, this script shows you how to add another local user to the Administrators group. That\u2019s OK, but what most of you really<\/I> want to know (as we can tell by the number of emails we\u2019ve received to this effect) is how to add a domain<\/I> user to the local Administrators group. Message received, loud and clear: Let\u2019s show you how to add a domain user to the local Administrators group.<\/P>\n Incidentally, the script to do this is almost identical to the script for adding a local user to the Administrators group. The only difference, as we\u2019ll see in a moment, occurs in line 3. In the preceding script, we bind to a local user account on a computer using this line of code:<\/P> We then pass the ADsPath of that user account to the Add method, which adds the user to the group:<\/P> We want to do the same thing with our new script, only we don\u2019t want to bind to a local user account, we want to bind to a domain user account. And so that\u2019s what we\u2019re going to do, substituting in a new line 3:<\/P> Here we\u2019re using the WinNT provider to bind to the fabrikam domain; more specifically, we\u2019re using the WinNT provider to bind to the kenmyer user account in the fabrikam domain. Ah, we see some of you are upset by this. \u201cWhy are they using the WinNT provider?\u201d you\u2019re muttering. \u201cAren\u2019t they supposed to use the LDAP provider when binding to Active Directory?\u201d<\/P>\n The answer to that question is yes, most of the time<\/I>. However, suppose we used the LDAP provider to retrieve the ADsPath for kenmyer, using code like this:<\/P> That looks<\/I> OK, except we get back an ADsPath that looks like this:<\/P> That\u2019s OK, too \u2026 at least until you try passing that value to the local computer. Remember, the Security Account Manager on the local computer speaks WinNT, it doesn\u2019t speak LDAP. If you try passing an LDAP path to the local computer it just won\u2019t work.<\/P>\n Instead, we need to pass an ADsPath that looks like this:<\/P> And guess what? If we bind to the fabrikam domain using the WinNT provider, that\u2019s exactly the kind of ADsPath we\u2019ll get back. If you\u2019re working strictly with Active Directory then you should use the LDAP provider. But if you\u2019re going to grab an account out of Active Directory and use that account in a local computer group you\u2019ll have to use the WinNT provider.<\/P>\n We know: all this talk of providers and ADsPaths and what-not is making your head spin. But don\u2019t fret too much about that. Instead, just use this script to add a domain user (a user named kenmyer, in the fabrikam domain) to the local Administrators group on the computer atl-ws-01:<\/P> And keep those cards and letters coming in!<\/P>
— MB<\/P>![\"Spacer\"](\"https:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2019\/05\/spacer.gif\")
![\"Hey,](\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" "\\"Hey,")
![\"Script](\"http:\/\/img.microsoft.com\/library\/media\/1033\/technet\/images\/scriptcenter\/ad.jpg\" "\\"Script")
<\/A> \nstrComputer = “atl-ws-01”\nSet objGroup = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\nSet objUser = GetObject(“WinNT:\/\/” & strComputer & “\/kenmyer”)\nobjGroup.Add(objUser.ADsPath)\n<\/PRE>\n
Set objUser = GetObject(“WinNT:\/\/” & strComputer & “\/kenmyer”)\n<\/PRE>\n
objGroup.Add(objUser.ADsPath)\n<\/PRE>\n
Set objUser = GetObject(“WinNT:\/\/fabrikam\/kenmyer”)\n<\/PRE>\n
Set objUser = GetObject(\u201cLDAP:\/\/CN=kenmyer,OU=Finance,dc=fabrikam,dc=com\u201d)\n<\/PRE>\n
LDAP:\/\/CN=kenmyer,OU=Finance,dc=fabrikam,dc=com\n<\/PRE>\n
WinNT:\/\/fabrikam\/kenmyer\n<\/PRE>\n
strComputer = “atl-ws-01”\nSet objGroup = GetObject(“WinNT:\/\/” & strComputer & “\/Administrators”)\nSet objUser = GetObject(“WinNT:\/\/fabrikam\/kenmyer”)\nobjGroup.Add(objUser.ADsPath)\n<\/PRE>\n
\n\n
![\"Top](\"http:\/\/www.microsoft.com\/technet\/mnplibrary\/templates\/MNP2.Common\/images\/arrow_px_up.gif\"){kind=icon}
<\/A>