Wednesday, November 01, 2006

Add SID to local group with WinNT group interface

We're in the midst of a divestiture, and we have a network set aside for testing end-user capability without access to the production environment, including Active Directory. One user moved a few machines into this test environment, expecting that his users would be able to use their cached domain credentials to do what they need to do. He discovered after the fact that he needed to add these users to the local Administrators group. The Computer Management tool won't do it: its object picker has to resolve the account name against the domain, and it can't.

It turns out that you can use VBScript and the WinNT ADSI interface to do this, assuming you have the SIDs of the groups or users you want to add. Here's the basic script:

' Add a user or group to a local group by SID alone, with no domain lookup.
strComputer = "."
strGroup = "Administrators"
' Replace the SID below with the SID you want to add
strSID = "S-1-5-21-123456789-876543210-345678901-3456"

' The WinNT provider accepts a bare SID as the object name, so the
' account does not have to be resolvable to a name.
Set objUser = GetObject("WinNT://" & strSID)
' Bind to the local group; the object name is "<group>,group".
Set objGroup = GetObject("WinNT://" & strComputer & "/" & _
    strGroup & ",group")

objGroup.Add objUser.ADsPath

Of course, you need to know the SID of the user you want to add. You can get it from the local registry under HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList: each subkey there is named for the SID of an account that has a profile on the machine, which covers every user who has logged on with domain credentials that are now cached. Or you can use the User2SID and SID2User tools, or (if you are adventurous) build them from the author's source code.
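The same procedure, end to end, as an added PowerShell example (it is not the original post's script). It reads the ProfileList key to collect candidate SIDs, keeps only account SIDs issued by one domain so that well-known and built-in SIDs are never added, and adds each to the local group through the WinNT provider without any domain lookup. The domain SID prefix, the computer and group names, and the RID cut-off are assumptions for illustration; replace the prefix with the SID of the domain the cached users came from.

```powershell
# Added example, not code from the original post. Run from an elevated prompt
# on the disconnected machine. Nothing here contacts a domain controller.
param(
    [string]$Computer = ".",
    [string]$Group    = "Administrators",
    # Assumed placeholder: the SID of the domain the cached users belong to.
    [string]$DomainSidPrefix = "S-1-5-21-123456789-876543210-345678901",
    [switch]$WhatIf
)

$profileList = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Each subkey name is the SID of an account that has a profile on this box.
# Restricting to one domain prefix keeps S-1-5-18 (LocalSystem) and the other
# service SIDs out; a RID of at least 1000 skips built-in domain accounts
# such as the domain Administrator (RID 500).
$sids = Get-ChildItem $profileList |
    ForEach-Object { $_.PSChildName } |
    Where-Object {
        $_ -like "$DomainSidPrefix-*" -and
        [uint32]($_.Split('-')[-1]) -ge 1000
    }

# Bind to the local group; "<name>,group" is the WinNT provider's object name.
$adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"

# Current members as ADsPaths, so a re-run does not try to add duplicates.
# Members the provider cannot resolve to a name come back as WinNT://S-1-5-...
# paths, which is exactly the form we add below.
$existing = @($adsiGroup.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
})

foreach ($sid in $sids) {
    $path = "WinNT://$sid"
    if ($existing -contains $path) {
        Write-Host "skip   $sid (already a member)"
        continue
    }
    if ($WhatIf) {
        Write-Host "would add $sid to $Group"
        continue
    }
    try {
        # Same call as objGroup.Add in the VBScript version: the member is
        # stored by SID, so the provider never needs to resolve the name.
        $adsiGroup.Add($path)
        Write-Host "added  $sid to $Group"
    } catch {
        # Covers the resolvable-member case (provider reports "already a member")
        # as well as a malformed SID.
        Write-Warning "failed to add $sid : $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf to see which SIDs would be added before touching the group. Two caveats worth keeping in mind: only users who had actually logged on before the machine left the domain have a profile (and cached credentials) to use, and because the machine cannot see the domain, these accounts stay local administrators even if their domain accounts are later disabled, so remove the entries again when the machine rejoins production.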
