Re: Add Domain Users group to local Power Users group



dennis wrote:

I've absolutely no idea about scripting and have been searching the net
for scripts that add domain users / groups to local groups but haven't
found anything that works yet.

What I'm after is one that can dynamically assign the %computername%
variable inside the script so that the script works on all computers.

Additionally most of the scripts I've found add a domain user rather
than a group.

In VBScript you must use the WinNT provider to deal with local groups. You
would bind to the local group object and invoke the Add method of the group
object. You pass the AdsPath of the new member to the method. You can
retrieve the NetBIOS name of the current computer from the wshNetwork
object. For example, a VBScript program to be run on the computer could be:
===============
Option Explicit

' Option Explicit requires every variable to be declared.
Dim strComputer, objNetwork, objDomainGrp, objLocalGrp

' Retrieve NetBIOS name of computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to the domain group with the WinNT provider.
Set objDomainGrp = GetObject("WinNT://MyDomain/TestGroup,group")

' Bind to the local group with the WinNT provider.
Set objLocalGrp = GetObject("WinNT://" & strComputer & "/LocalGroup,group")

' Check if already a member.
If Not objLocalGrp.IsMember(objDomainGrp.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGrp.Add(objDomainGrp.AdsPath)
End If
==============
A few notes. If this is run by a user during logon, they may not have
sufficient permissions. However, it could be run as a Startup Script.
Startup scripts run with System privileges on the local computer and the
credentials of the computer account in the domain. Also, you may be able to
run such a script yourself remotely, if you have permissions. By default,
the group "Domain Admins" is made a member of the local Administrators group
when the computer is joined to the domain. If you are a member of "Domain
Admins", you should be able to run the script remotely. You could even
design a script to loop through several (or all) computers to make sure the
domain group is a member of the local group. Finally, you can also use
Restricted Groups in Group Policy to enforce local group membership.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
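
The multi-computer loop mentioned in the reply above, as an added example that is not part of the original post: it binds to the local group on each listed computer, adds the domain group only where it is missing, and reports a status per computer so unreachable machines and permission failures are visible. The computer names, "MyDomain/TestGroup" and "LocalGroup" are placeholders, and the script assumes it is run by an account with administrative rights on the target computers.

```vbscript
Option Explicit

' Added example. Domain, group and computer names are placeholders.
Const DOMAIN_GROUP_PATH = "WinNT://MyDomain/TestGroup,group"
Const LOCAL_GROUP_NAME = "LocalGroup"

Dim arrComputers, strComputer, objDomainGrp

arrComputers = Array("PC001", "PC002", "PC003")   ' constructed sample list

' Bind to the domain group once; a failure here stops the script.
Set objDomainGrp = GetObject(DOMAIN_GROUP_PATH)

For Each strComputer In arrComputers
    Wscript.Echo strComputer & ": " & _
        EnsureMember(strComputer, LOCAL_GROUP_NAME, objDomainGrp.AdsPath)
Next

' Returns a status string so every computer leaves a record of the outcome.
Function EnsureMember(strHost, strLocalGroup, strMemberPath)
    Dim objLocalGrp, blnMember

    On Error Resume Next   ' errors are checked after each call below

    ' Bind to the local group on the remote computer.
    Set objLocalGrp = GetObject("WinNT://" & strHost & "/" & strLocalGroup & ",group")
    If Err.Number <> 0 Then
        EnsureMember = "bind failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    ' Evaluate membership into a variable so an error cannot be read as True.
    blnMember = objLocalGrp.IsMember(strMemberPath)
    If Err.Number <> 0 Then
        EnsureMember = "membership check failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If
    If blnMember Then
        EnsureMember = "already a member"
        Exit Function
    End If

    objLocalGrp.Add strMemberPath
    If Err.Number <> 0 Then
        EnsureMember = "add failed (0x" & Hex(Err.Number) & ")"
    Else
        EnsureMember = "added"
    End If
End Function
```

Run it with cscript.exe so each status line goes to the console, where it can be redirected to a file and kept as a record of which computers were changed.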

