After the SCCM server was upgraded to a new version, I found that the client upgrade failed on some computers when I used client push installation. The log file showed an authentication error: the client push installation account must have administrative rights on the target client computer. So the task was to check whether the AD account used for client installation is in each client computer's local Administrators group, and to add it where it is missing.
The Microsoft.PowerShell.LocalAccounts module is powerful, but it is only available from PowerShell 5.1 onwards. There are still many computers running Windows Server 2012 R2 without PowerShell 5.1 in my environment, so I could not use that module. Below is the method that worked for me: the older WinNT ADSI provider and WMI, which are present on those systems.
Add a Domain Group to the Local Administrators Group
$DomainGroup = "GroupName"
$LocalGroup = "Administrators"
$Computer = $env:computername
$Domain = $env:userdomain
# Bind to the local group through the WinNT provider and add the domain group by its ADsPath
([ADSI]"WinNT://$Computer/$LocalGroup,group").psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$DomainGroup").path)
Add a Domain User to the Local Administrators Group
$DomainUser = "SamAccountName"
$LocalGroup = "Administrators"
$Computer = $env:computername
$Domain = $env:userdomain
# Same call as for a group; the WinNT provider resolves the domain user by SamAccountName
([ADSI]"WinNT://$Computer/$LocalGroup,group").psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$DomainUser").path)
To enumerate the clients in an SCCM device collection, I used a WMI query against the site server: the SMS_CM_RES_COLL_<CollectionID> class lists the members of that collection.
$GroupId = "P0100110"
$SCCMSRV = "SCCMSRV1"
# One WMI class per collection, named after the collection ID
$ColQuery = "select * from sms_cm_res_coll_" + $GroupId
$CollectionMembers = Get-WmiObject -ComputerName $SCCMSRV -Namespace root\sms\site_p01 -Query $ColQuery | Sort-Object Name
Function to get local administrator group members
function get-localadmin {
    param ($strcomputer)
    # Win32_GroupUser lists every group/member pair on the computer
    $admins = Get-WmiObject Win32_GroupUser -ComputerName $strcomputer
    # Keep only members of the local Administrators group
    $admins = $admins | Where-Object { $_.GroupComponent -like '*"Administrators"' }
    $admins | ForEach-Object {
        # PartComponent looks like ...:Win32_UserAccount.Domain="AD",Name="SVC-SCCM"
        $_.PartComponent -match '.+Domain=(.+)\,Name=(.+)$' > $null
        # Return the member as DOMAIN\Name
        $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
    }
}
Use a foreach loop to check each computer and add the AD account to the local Administrators group only where it is missing. The account running the script must already be an administrator on every target, because both the WMI query and the WinNT ADSI call run under its credentials. Because the client push account ends up as a local administrator on every client, it should be a dedicated account that is used for nothing else.
$ADaccount = "AD\SVC-SCCM"
# Split DOMAIN\SamAccountName so the ADSI Add call below uses the same account being checked
$Domain, $DomainUser = $ADaccount -split '\\', 2
$LocalGroup = "Administrators"
$i = 0
$Report = @()
foreach ($Server in $CollectionMembers) {
    $Computer = $Server.Name
    Write-Verbose -Message "Checking server $Computer..." -Verbose
    $i = $i + 1
    $LocalAdminMembers = get-localadmin $Computer
    $Done = $FALSE
    foreach ($LocalAdminMember in $LocalAdminMembers) {
        if ($LocalAdminMember -eq $ADaccount) {
            $Done = $TRUE
            Write-Verbose -Message "$ADaccount already added" -Verbose
            break
        }
    }
    if ($Done -eq $FALSE) {
        # Add $ADaccount to the local Administrators group on the remote server
        Write-Verbose -Message "Adding $ADaccount ..." -Verbose
        ([ADSI]"WinNT://$Computer/$LocalGroup,group").psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$DomainUser").path)
        # Re-read the group to confirm the account was actually added
        $LocalAdminMembers = get-localadmin $Computer
        $Done = $FALSE
        foreach ($LocalAdminMember in $LocalAdminMembers) {
            if ($LocalAdminMember -eq $ADaccount) {
                $Done = $TRUE
                Write-Verbose -Message "Successfully added." -Verbose
                break
            }
        }
    }
    if ($Done -eq $TRUE) {
        $line = "$i," + $Computer + ",True"
    }
    else {
        Write-Verbose -Message "Tried to add but could not find the account." -Verbose
        $line = "$i," + $Computer + ",False"
    }
    $Report += $line
}
# $Report holds one "index,computer,result" line per server and can be written out with Set-Content
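As an added example that is not part of the original post, here is the same check-and-add logic packaged as reusable functions. It uses only the WinNT ADSI provider for both the membership read and the add (so it also runs on Windows Server 2012 R2 without PowerShell 5.1), re-reads the group after the Add call instead of trusting it, returns one result object per computer, and supports -WhatIf so the planned changes can be reviewed before any group is modified. The function names Get-LocalAdminMembers and Confirm-LocalAdminMember are assumed names for illustration.

```powershell
# Added example, not the original post's code. Assumed function names.
function Get-LocalAdminMembers {
    param ([Parameter(Mandatory = $true)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members returns COM objects; read each one's ADsPath, e.g. WinNT://AD/SVC-SCCM
    # Local accounts appear as WinNT://<DOMAIN>/<COMPUTER>/<Name>, so keep the last two parts
    @($group.psbase.Invoke("Members")) | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[-1] }
    }
}

function Confirm-LocalAdminMember {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Account   # DOMAIN\SamAccountName
    )
    $domain, $name = $Account -split '\\', 2
    $result = [pscustomobject]@{ Computer = $ComputerName; Account = $Account; Status = '' }
    try {
        $members = @(Get-LocalAdminMembers -ComputerName $ComputerName)
    } catch {
        # Typical causes: host offline, RPC blocked, or the caller is not an admin there
        $result.Status = "Error: $($_.Exception.Message)"
        return $result
    }
    if ($members -contains $Account) {        # -contains is case-insensitive for strings
        $result.Status = 'AlreadyMember'
        return $result
    }
    if (-not $PSCmdlet.ShouldProcess($ComputerName, "Add $Account to local Administrators")) {
        $result.Status = 'WhatIf'
        return $result
    }
    try {
        $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
        $group.psbase.Invoke("Add", ([ADSI]"WinNT://$domain/$name").path)
        # Verify by re-reading the group rather than assuming the Add succeeded
        $after = @(Get-LocalAdminMembers -ComputerName $ComputerName)
        $result.Status = if ($after -contains $Account) { 'Added' } else { 'AddFailedVerification' }
    } catch {
        $result.Status = "Error: $($_.Exception.Message)"
    }
    return $result
}

# Usage with the collection members from the SMS_CM_RES_COLL_ query above:
# first a dry run, then the real run exported as the change record.
# $CollectionMembers | ForEach-Object { Confirm-LocalAdminMember -ComputerName $_.Name -Account 'AD\SVC-SCCM' -WhatIf }
# $results = $CollectionMembers | ForEach-Object { Confirm-LocalAdminMember -ComputerName $_.Name -Account 'AD\SVC-SCCM' }
# $results | Export-Csv -Path .\LocalAdminReport.csv -NoTypeInformation
```

The Status field distinguishes a computer that was already compliant, one that was changed, one where the Add call returned without error but the account still did not show up, and one that could not be reached at all, which is the breakdown you want when reviewing a change across a whole collection.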