I needed the ability to have a powershell script execute specific ways for specific versions of windows, so after some googling, I hodge podged this. Essentially you will run this script first, as a cmd, or batch file:
@echo off
setlocal
for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
REM Windows 10 is called be low this
if "%version%" == "10.0" powershell "C:\LocalAdminPolicyUpdate\LocalAdminPolicyUpdate.ps1"
REM Windows 8.1
if "%version%" == "6.3" powershell "C:\LocalAdminPolicyUpdate\LocalAdminPolicyUpdate.ps1"
REM Windows 8
if "%version%" == "6.2" powershell "C:\LocalAdminPolicyUpdate\LocalAdminPolicyUpdate.ps1"
REM Windows Vista
if "%version%" == "6.0" echo Windows Vista.
REM Windows 7
if "%version%" == "6.1" powershell "Set-ExecutionPolicy Unrestricted" && powershell C:\LocalAdminPolicyUpdate\LocalAdminPolicyUpdate.ps1
endlocal
and then this script, labeled LocalAdminPolicyUpdate.ps1 reload the script if it is not running as an admin. This section works for Windows 8+, and does not flag/error on Windows 7, which is why I needed the previous script to kick off ‘what version’ is the OS to run it elevated. I also am running these on PC’s WITHOUT UAC. If you have UAC, the user will get prompted to hit YES on the UAC popup.
The next bit finds all users in the local administrator group, and removes specific users with the $Group.Remove section, and then adds with the $Group.Add. I also added some debugging stuff to see what echo’d out to show me if it exists and it is truely seeing each user.
# Adds local uesr to local administrators account and removing software loaders
# revision 1
# created 2016-04-26
# Run this if you need to be running as ADMINISTARTOR
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
$arguments = "& '" + $myinvocation.mycommand.definition + "'"
Start-Process powershell -Verb runAs -ArgumentList $arguments
Break
}
####################################################
$members = net localgroup administrators | where {$_ -AND $_ -notmatch "command completed successfully"} | select -skip 4
#write-output $members
$Computer = $env:COMPUTERNAME
$GroupName = 'Administrators'
$User = $env:USERNAME
$ADSI = [ADSI]("WinNT://$Computer")
$Group = $ADSI.Children.Find($GroupName, 'group')
if ($members -notcontains "E500NT\$env:USERNAME") {
$Group.Add(("WinNT://e500nt/$user"))
}
if ($members -contains "E500NT\Software Loaders") {
$Group.Remove(("WinNT://e500nt/Software Loaders"))
}
if ($members -notcontains "E500NT\ISTechGroup") {
$Group.Add(("WinNT://e500nt/ISTechGroup"))
}
if ($members -notcontains "E500NT\Domain Admins") {
$Group.Add(("WinNT://e500nt/Domain Admins"))
}
#if ($members -contains "E500NT\$env:USERNAME") { echo 1}
#if ($members -contains "E500NT\ISTechGroup") { echo 2}
#if ($members -contains "E500NT\Domain Admins") { echo 3}
#if ($members -notcontains "E500NT\Software Loaders") { echo 4}