Ask Your Question

How can I add a domain user to the local Administrators group?

asked 2013-05-21 12:02:24 -0500

kidrock gravatar image

updated 2013-05-30 16:28:56 -0500

llowder gravatar image

I need to manage the local administrators of a large number of Win2k8 servers. Basically just need to be able to write a manifest to make sure certain domain users are/aren't part of the Administrators group. Using syntax like this, it says the user is added, but he/she is not showing up in the Administrators group.

user { 'first.last':
  ensure     => present,
  gid        => 'Administrators',
  home       => 'C:/users/first.last',
  managehome => true,
  password   => 'SomePassWord',
edit retag flag offensive close merge delete


I am not sure if Puppet for Windows has this implemented already. But I think you can get around with some Powershell script

louis gravatar imagelouis ( 2013-05-27 15:26:36 -0500 )edit

The "Writing Manifests for Windows" doc says this: "Puppet does not support managing domain user accounts, but can add (and remove) domain user accounts to local groups." I am trying ...(more)

kidrock gravatar imagekidrock ( 2013-05-31 07:46:37 -0500 )edit

3 Answers

Sort by ยป oldest newest most voted

answered 2013-06-03 17:23:18 -0500

joshc gravatar image

updated 2013-10-21 23:15:52 -0500

This is bug

Update October 21, 2013 - We have fixed this issue in the master branch which will be released in 3.4.0. I encourage people to try it out and give us feedback. If you feel comfortable running from source, you can do the following:

C:\>git clone
C:\>cd puppet
C:\puppet>gem install bundler
C:\puppet>bundle install
C:\puppet>bundle exec puppet resource group Administrators ensure=present members=<domain\user>
edit flag offensive delete link more


I just got around to trying this, and it works great. Here is the syntax I'm using to mange the Administrators group membership:

group { 'Administrators':
  ensure   => present,
  members  => [ 'Administrator ...
kidrock gravatar imagekidrock ( 2014-03-13 15:09:20 -0500 )edit

This removes existing users from the local administrators group (even with attribute_membership => minimum; ). Can we set local admins without removing existing ?

helenp gravatar imagehelenp ( 2014-08-12 04:55:55 -0500 )edit
Iristyle gravatar imageIristyle ( 2015-09-02 22:07:55 -0500 )edit

answered 2013-06-18 12:25:27 -0500

Not a good sign that there hasn't been any activity on that issue for 4 months, time to learn Ruby I guess. For now I've just set up a module to run a batch file with a bunch of 'net localgroup' lines:

net localgroup administrators domain\user /add

and an init.pp:

class admin {
  $exe_name = "add_admin_users.bat"
  $location = "puppet:///modules/${module_name}/${exe_name}"
  $on_disk = 'C:\add_admin_users.bat'

  file { $on_disk:
    ensure => file,
    source => $location,
    mode   => '750',

  exec { $on_disk:
    subscribe => File[$on_disk],
    refreshonly => true


Not quite ideal, since it doesn't check to see the current status of the group, but ... (more)

edit flag offensive delete link more

answered 2013-08-16 00:31:20 -0500

you could use an unless to check to see if it should be run (status) I might do it in powershell using the powershell provider and leverage the code here

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2013-05-21 12:02:24 -0500

Seen: 3,388 times

Last updated: Oct 21 '13