Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Intelligent Automation - Add Active Directory User to Remote Computer Local Administrator Group


This document explains automation workflow development and logic using Cisco Cloud Process Orcehstrator product (CPO).

Use Case

In a Cloud deployment a Windows 2008 or Windows 2007 virtual machin is provisioned into the Cloud using a template. The Windows VM template comes with only administrative rights that would allow the IT Admin to have access to it as a back-door channel. Now the requirement is to allow access to the virtual machine for the user who actually requested the virtual machine.

This can be automated using the CPO Windows adapter.

Logical Flow

  • CPO logs into the Windows 2008 R2 AD server using its Windows adapter
  • Windows Power-Shell script can be execute either on the Windows AD Server or on the CPO server itself
  • Script will add user-name of the person who requested the virtuam machine into the local admin group of newly provisioned VM


  • Script execution must be enabled on the Windows AD server
  • CPO Windows target's run-time user should have proper rights to execute the commands included in the power-shell script. Typically that would be a services account
  • Newly provisioned VM must be part of the same active directory domain

Enable Script Execution on Windows 2008 R2 Active Directory (AD) Server


Set-ExecutionPolicy unrestricted

Cisco Cloud Process Orcehstrator Workflow

  • The target for this workflow is the CPO (TEO) server itself
  • Workflow takes two input from user
    • ComputerName
    • User-ID or User-Name
  • The user-name and ComputerName can also be passed from the Cisco Cloud Portal (newScale request center)
  • Powershell script then adds the user-id to the local administrator group on the newly provisioned VM

Following is the screenshot from workflow.


Script argumens are already saved in the visual basic style variable format and can be accessed using $arg[0], $arg[1] and so on.

$domain = ""

$strComputer = $args[0]

$username = $args[1]

$computer = [ADSI]("WinNT://" + $strComputer + ",computer")


$Group = $computer.psbase.children.find("administrators")


# Even though we are adding the AD account but we add it to local computer and so we will need to use WinNT: provider

$Group.Add("WinNT://" + $domain + "/" + $username)

Script Accesses Remote Resource Checkbox

Make sure to enable that option else you might receive following error when you execute the script.

Exception calling "Find" with "1" argument(s): "Access is denied."At C:\TEO_WorkingDir_a845d494-d6e8-4b8b-b23f-0a2615507410\TEO_PSScript_a845d494-d6e8-4b8b-b23f-0a2615507410.ps1:9 char:40+ $Group = $computer.psbase.children.find <<<< ("administrators")   + CategoryInfo         : NotSpecified: (:) [], MethodInvocationException   + FullyQualifiedErrorId : DotNetMethodException
Version history
Revision #:
1 of 1
Last update:
‎01-10-2012 04:40 PM
Updated by:
Labels (1)