
Firstly, I want to thank the community for all the help with a previous inquiry I had. Now I found the code below on this site, which remotely creates a local user and adds it to the administrator group on PCs taken from a list. The problem is that when I run it, while it creates the user, it gives me the error "error creating admin on: Exception calling add with 1 arguments. Type mismatch. (Exception from HRESULT:0x80020005)". I tried putting the names of the PCs in the text file in every possible way: only PC name, full PC name (including domain), in capitals and not.

#Define variables
$computers = Get-Content C:\Computers.txt
#$computers = Import-CSV C:\Computers.txt | select Computer
$username = "Admin"
$password = "admin1"
$fullname = "Admin"
$local_security_group = "Administrators"
$description = "Description"

Foreach ($computer in $computers) {
    $users = $null
    $comp = [ADSI]"WinNT://$computer"

    #Check if username exists
    Try {
        $users = $comp.psbase.children | select -expand name
        if ($users -like $username) {
            Write-Host "$username already exists on $computer"

        } else {
            #Create the account
            $user = $comp.Create("User", "$username")
            $user.SetPassword("$password")
            $user.Put("Description", "$description")
            $user.Put("Fullname", "$fullname")
            $user.SetInfo()

            #Set password to never expire
            #And set user cannot change password
            $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
            $ADS_UF_PASSWD_CANT_CHANGE = 0x40
            $user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
            $user.SetInfo()

            #Add the account to the local admins group
            $group = ([ADSI]"WinNT://$computer/$local_security_group,group")
            $computerHostName = (Get-WmiObject -ComputerName $computer Win32_ComputerSystem).Name
            $group.Add([ADSI]"WinNT://$computerHostName/$username,user")

            #Validate whether user account has been created or not
            $users = $comp.psbase.children | select -expand name
            if ($users -like $username) {
                Write-Host "$username has been created on $computer"
            } else {
                Write-Host "$username has not been created on $computer"
            }
        }
    }

    Catch {
        Write-Host "Error creating $username on $($computer.path):  $($Error[0].Exception.Message)"
    }
}

Please help if you can; it will really save me a lot of time if I make it work.

    I would recommend using the built-in cmdlets for this instead of using ADSI. You can leverage this script: community.spiceworks.com/scripts/show/…, since it creates the accounts and adds it to the administrators group. Just gotta use the -Credential it seems like, kinda confusing but it gets you in the right direction. Commented Apr 13, 2022 at 21:02
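
The built-in-cmdlet route recommended in the comment above, as an added example that is not part of the original thread or of the linked script. It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets on the targets, WinRM remoting enabled, and one computer name per line in C:\Computers.txt; the variable names are illustrative, and the password is prompted for as a SecureString instead of being stored in the script.

```powershell
# Added example: account name, group and description are the values used in the question.
$computers = Get-Content C:\Computers.txt |
    ForEach-Object { $_.Trim() } |      # strip stray whitespace around names
    Where-Object { $_ }                 # skip blank lines

$adminCred   = Get-Credential -Message 'Account with admin rights on the target PCs'
$newPassword = Read-Host -AsSecureString -Prompt 'Password for the new local account'

# Runs on each remote computer; returns a status string to the caller.
$createLocalAdmin = {
    param($Name, [securestring]$Password, $FullName, $Description, $Group)

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        return "$Name already exists on $env:COMPUTERNAME"
    }
    # Append -PasswordNeverExpires -UserMayNotChangePassword here only if the
    # userflags behaviour of the question's script is really wanted.
    New-LocalUser -Name $Name -Password $Password -FullName $FullName `
        -Description $Description -ErrorAction Stop | Out-Null
    Add-LocalGroupMember -Group $Group -Member $Name -ErrorAction Stop
    "$Name has been created on $env:COMPUTERNAME and added to $Group"
}

foreach ($computer in $computers) {
    try {
        # SecureString arguments stay encrypted when serialized over remoting.
        Invoke-Command -ComputerName $computer -Credential $adminCred `
            -ScriptBlock $createLocalAdmin `
            -ArgumentList 'Admin', $newPassword, 'Admin', 'Description', 'Administrators' `
            -ErrorAction Stop
    } catch {
        Write-Host "Error creating Admin on $($computer): $($_.Exception.Message)"
    }
}
```

Every PC in the list ends up with the same local administrator password, so one recovered credential is valid on all of them; Windows LAPS manages a distinct, rotated password per machine.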

1 Answer


You have a couple of errors in your code.

For this line, you have an extra comma and the word 'group'.

$group = ([ADSI]"WinNT://$computer/$local_security_group,group")

Change this to:

$group = ([ADSI]"WinNT://$computer/$local_security_group")

And for the Add call, just pass the path to the new user like this:

$group.Add($user.Path)

With the suggested changes your code is:

#Define variables
#Import-CSV treats the first line of the file as the header, so it must read: Computer
$computers = Import-CSV C:\Computers.txt | ForEach-Object Computer
$username = "Admin"
$password = "admin1"
$fullname = "Admin"
$local_security_group = "Administrators"
$description = "Description"

Foreach ($computer in $computers) {
    $users = $null
    $comp = [ADSI]"WinNT://$computer"

    #Check if username exists
    Try {
        $users = $comp.psbase.children | ForEach-Object Name
        if ($users -like $username) {
            Write-Host "$username already exists on $computer"

        } else {
            #Create the account
            $user = $comp.Create("User", "$username")
            $user.SetPassword("$password")
            $user.Put("Description", "$description")
            $user.Put("Fullname", "$fullname")
            $user.SetInfo()

            #Set password to never expire
            #And set user cannot change password
            $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
            $ADS_UF_PASSWD_CANT_CHANGE = 0x40
            $user.userflags = $ADS_UF_DONT_EXPIRE_PASSWD + $ADS_UF_PASSWD_CANT_CHANGE
            $user.SetInfo()

            #Add the account to the local admins group
            $group = ([ADSI]"WinNT://$computer/$local_security_group")
            $computerHostName = (Get-WmiObject -ComputerName $computer Win32_ComputerSystem).Name
            $group.Add($user.Path)

            #Validate whether user account has been created or not
            $users = $comp.psbase.children | ForEach-Object Name
            if ($users -like $username) {
                Write-Host "$username has been created on $computer"
            } else {
                Write-Host "$username has not been created on $computer"
            }
        }
    }

    Catch {
        #$computer is a plain string here, so print it directly (it has no .path property)
        Write-Host "Error creating $username on $($computer):  $($Error[0].Exception.Message)"
    }
}

Finally, I would definitely stick with the CSV; any extra whitespace in the lines won't cause issues like with Get-Content.


5 Comments

Nice, but note that the ,group suffix isn't extraneous: it is an object-type filter that serves to disambiguate, and can improve performance.
Thank you @Doug. I used your code, which worked with a few tweaks and saved me. I kept the ,group suffix as @mklement0 said for performance reasons. For the rest, when I was trying to run it with the csv it was giving me an unknown error 0x80005000, so I kept on using the GET, which did the trick. Anyway, thanks to you and this wonderful community!!!
Thank you @mklement0. Is the syntax correct? I got an error when running it but I did find the same suggestion on multiple sites. Hmm
@Doug, I don't know anything about the history of this feature, but does something like [adsi] "WinNT://./Administrators,group" result in an error for you? It works on my W10 21H2 machine.
I found the reference for this syntax, which indeed supports optional object-class suffixes such as ,group: such paths are called ADsPaths, and their format is described here.
