Trying to make a group local admin, but access denied. Which right to set correctly

Hi Guys,

I want to add an Active directory group as local admin. I use the following code:

$groupAdmin="Administrators"

$groupRdp="Remote Desktop Users"

$pathAdmin = [ADSI]"WinNT://$hostName/$groupAdmin,group"

$pathAdmin.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$LocalAdmin").path)

The code works when i try to do this. But when my Vcenter service user does this it gives an acces dienied error.

Where do i have to set rights? At computer (server) level or at group level, get this error:

Exception calling "Invoke" with "2" argument(s): "Access is denied.
"
At D:\scripts\addcomputerad-vco3.ps1:110 char:2
+     $pathAdmin.psbase.Invoke("Add",([ADSI]"WinNT://$Domain/$LocalAdmin").path
)
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodTargetInvocation
 

Please don't come with domain admin rights, i need the best security practice.

Kind regards,

André