Re: Add Domain Users group to local Power Users group
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Nov 2006 10:47:34 -0600
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eca8KK0BHHA.4948@xxxxxxxxxxxxxxxxxxxxxxx
dennis wrote:
I've absolutely no idea about scripting and have been searching the net
for scripts that add domain users / groups to local groups but haven't
found anything that works yet.
What I'm after is one that can dynamically assign the %computername%
variable inside the script so that the script works on all computers.
Additionally most of the scripts I've found add a domain user rather
than a group.
In VBScript you must use the WinNT provider to deal with local groups. You
would bind to the local group object and invoke the Add method of the
group object. You pass the AdsPath of the new member to the method. You
can retrieve the NetBIOS name of the current computer from the wshNetwork
object. For example, a VBScript program to be run on the computer could
be:
===============
Option Explicit
Dim strComputer, objNetwork, objDomainGrp, objLocalGrp
' Retrieve NetBIOS name of computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
' Bind to the domain group with the WinNT provider.
Set objDomainGrp = GetObject("WinNT://MyDomain/TestGroup,group")
' Bind to the local group with the WinNT provider.
Set objLocalGrp = GetObject("WinNT://" & strComputer & "/LocalGroup,group")
' Check if already a member.
If Not objLocalGrp.IsMember(objDomainGrp.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGrp.Add(objDomainGrp.AdsPath)
End If
==============
A few notes. If this is run by a user during logon, they may not have
sufficient permissions. However, it could be run as a Startup Script.
Startup scripts run with System privileges on the local computer and the
credentials of the computer account in the domain. Also, you may be able
to run such a script yourself remotely, if you have permissions. By
default, the group "Domain Admins" is made a member of the local
Administrators group when the computer is joined to the domain. If you are
a member of "Domain Admins", you should be able to run the script
remotely. You could even design a script to loop through several (or all)
computers to make sure the domain group is a member of the local group.
Finally, you can also use Restricted Groups in Group Policy to enforce
local group membership.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
Also, for completeness, you can do this in a batch file that runs on the
computer. I believe the command would be:
net localgroup "LocalGroup" "MyDomain\TestGroup" /add
Again, most users would probably not have permissions to do this.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
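The loop over several computers that the reply mentions, sketched as an added example; it is not part of the original post and not Richard Mueller's code. The computer names are constructed placeholders, EnsureMember and ErrText are hypothetical helpers, and MyDomain, TestGroup and LocalGroup are the post's own placeholder names. It assumes the account running it has administrative rights on each target.

```vbscript
Option Explicit

Const DOMAIN_GROUP = "WinNT://MyDomain/TestGroup,group"  ' placeholder from the post
Const LOCAL_GROUP = "LocalGroup"                         ' placeholder from the post

Dim arrComputers, strComputer, objDomainGrp

' Constructed sample list; replace with the real NetBIOS names.
arrComputers = Array("PC001", "PC002", "PC003")

' Bind to the domain group once; its AdsPath is reused for every computer.
Set objDomainGrp = GetObject(DOMAIN_GROUP)

For Each strComputer In arrComputers
    Wscript.Echo strComputer & ": " & _
        EnsureMember(strComputer, LOCAL_GROUP, objDomainGrp.AdsPath)
Next

' Returns a status string so every change and every failure is reported.
Function EnsureMember(strHost, strLocalGroup, strMemberPath)
    Dim objLocalGrp, blnMember
    On Error Resume Next
    Set objLocalGrp = GetObject("WinNT://" & strHost & "/" & strLocalGroup & ",group")
    If Err.Number <> 0 Then
        ' Computer offline, access denied, or no such local group.
        EnsureMember = "bind failed " & ErrText()
        Exit Function
    End If
    ' Store the result first: an error raised inside an If condition
    ' under On Error Resume Next would fall through into the Then branch.
    blnMember = objLocalGrp.IsMember(strMemberPath)
    If Err.Number <> 0 Then
        EnsureMember = "membership check failed " & ErrText()
    ElseIf blnMember Then
        EnsureMember = "already a member"
    Else
        objLocalGrp.Add strMemberPath
        If Err.Number <> 0 Then
            EnsureMember = "add failed " & ErrText()
        Else
            EnsureMember = "added"
        End If
    End If
End Function

' Formats the pending error as hex plus description, then clears it.
Function ErrText()
    ErrText = "(0x" & Hex(Err.Number) & " " & Err.Description & ")"
    Err.Clear
End Function
```

Run it with cscript.exe so each status line goes to the console, where it can be redirected to a file as a record of which machines were changed.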