Re: I need to change the group membership using a logon script
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 12 Mar 2007 14:04:16 -0500
I am using a vbs script to run the "net time" command using an object
created from the Wscript.Shell. Every time I run the script I get a
group membership error stating that the user is not part of a group that has
specific privileges to run the command. When researching the problem, I
found out that the user has to be a part of the domain administrator group
in order to run the command. I don't want to make this user a part of the
admins group in order to run the script. I want to be able to find another
group with limited privileges in order to run the command. Is there also a
way to change group membership using a logon script, where in the script the user
gets changed from one group and then back to the previous group once the
script is completed?
I believe users need to be members of the local Administrators group to run
net time. By default, when computers are joined to the domain, the group
"Domain Admins" is made a member of the local Administrators group on the
machine. That's why Domain Admins can run net time.
A better solution is to make another domain group a member of the local
Administrators group on the computers. This can be done with a GPO or with
Restricted Groups. Making your users members of this new domain group will
make them members of Administrators on all computers, but not Domain Admins.
A startup script (configured in GPO) can add a domain group to the local
Administrators group. Have the script check membership (using the IsMember
method of the group object) before adding the domain group (with the Add
method of the group object). The WinNT provider must be used. Or check
documentation for Restricted Groups.
An even better solution would be to determine what permissions are needed on
the local computer, then create a local group with these permissions.
Again you can make a domain group a member of this new local group. Maybe
someone else knows what permissions are required, or if this can be done.
Another question is why you want users to run net time. Are your clients not
synchronizing time at startup?
Finally, maybe your task could be done in a Startup script. These run with
System privileges on the local computer, before any user authenticates.
Configure a Startup script in Group Policy.
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
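The startup script described in the reply above, written out as an added example (this is not code from the original post or from Hilltop Lab). It binds to the local Administrators group through the WinNT provider, checks with IsMember whether the domain group is already present, and only then calls Add. The domain name "MYDOMAIN" and the group name "LocalAdminsOnClients" are assumed placeholders; substitute the group you create for this purpose. Because it is meant to run as a GPO Startup script, it executes under the local SYSTEM account before any user logs on, which is what gives it the right to modify the local group.

```vbscript
' Added example, not from the original post.
' GPO Startup script: make a domain group a member of the local
' Administrators group, adding it only if it is not already a member.
' Assumed placeholder names (hypothetical): domain MYDOMAIN,
' group LocalAdminsOnClients.
Option Explicit

Dim strDomain, strGroup, strComputer, strMemberPath
Dim objNetwork, objLocalAdmins

strDomain = "MYDOMAIN"
strGroup  = "LocalAdminsOnClients"

' Name of the computer the script is running on.
Set objNetwork  = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' ADsPath of the domain group as the WinNT provider names it.
' The ",group" suffix tells the provider which object class to expect.
strMemberPath = "WinNT://" & strDomain & "/" & strGroup & ",group"

On Error Resume Next

' Bind to the local Administrators group with the WinNT provider.
' Note: "Administrators" is the English name; on a localized Windows
' build the built-in group has a different display name.
Set objLocalAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to local Administrators: " & Err.Description
    WScript.Quit 1
End If

' IsMember takes the member's ADsPath. It can fail if the domain
' controller is unreachable at boot, so check Err afterwards.
If objLocalAdmins.IsMember(strMemberPath) Then
    WScript.Echo strMemberPath & " is already a member."
ElseIf Err.Number <> 0 Then
    WScript.Echo "Membership check failed: " & Err.Description
    WScript.Quit 1
Else
    ' Add also takes the ADsPath of the new member.
    objLocalAdmins.Add strMemberPath
    If Err.Number <> 0 Then
        WScript.Echo "Add failed: " & Err.Description
        WScript.Quit 1
    End If
    WScript.Echo "Added " & strMemberPath & " to local Administrators."
End If

WScript.Quit 0
```

Assign the script under Computer Configuration, Windows Settings, Scripts (Startup) in a GPO linked to the OU containing the workstations. Members of the domain group become local administrators on those machines only, so the group should be kept small and reviewed; Restricted Groups in the same GPO achieves the same membership without a script and also removes members that are not listed.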