Re: Changing the local admin password base on the computer's OU
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 25 Feb 2009 08:29:51 -0600
"Myrddin" <MyrddinMT@xxxxxxxxx> wrote in message
news:58d2752d-39a5-47cf-b9cd-8878be894b3f@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello, I've been banging my head against the wall on this issue, hope
someone can help me out.
I have computers spread on several physical sites across the globe,
with a different OU for each site. I need to be able to change the
local admin password on each computer, depending on which OU it is a
part of.
The intent is to put this script in a GPO that runs every time the
computer starts up, allowing us to change local admin passwords pretty
easily.
Our AD is set up so that we have an OU for each site, then an OU for
computers in that site, then different OUs based on the department
the computer is part of (e.g. Real time 3D, Modeling, etc.)
This is what I've tried:
On Error Resume Next
' //////////////////////////////////////////////////////////////
' ///////////////////////// VARIABLES //////////////////////////
' //////////////////////////////////////////////////////////////
Dim WshNetwork, Sh, fso, WSHShell
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set Sh = WScript.CreateObject("WScript.Shell")
Set fso = WScript.CreateObject("Scripting.FileSystemObject")
ComputerName = WshNetwork.ComputerName
Set oGroup_TEST1 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST1,OU=Computers,OU=Modeling,DC=<domain>,DC=xx")
Set oGroup_TEST2 = GetObject("LDAP://CN=" & ComputerName & ",OU=TEST2,OU=Computers,OU=3D,DC=<domain>,DC=xx")
'Change the local admin pwd for OU TEST1
If oGroup_TEST1.IsMember("WinNT://<domain>/" & ComputerName) = True Then
    Set Shell = WScript.CreateObject("WScript.Shell")
    strComputer = Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "TEST1"
    objUser.SetInfo
End If
'Change the local admin pwd for OU TEST2
If oGroup_TEST2.IsMember("WinNT://<domain>/" & ComputerName) = True Then
    Set Shell = WScript.CreateObject("WScript.Shell")
    strComputer = Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
    Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
    objUser.SetPassword "TEST2"
    objUser.SetInfo
End If
This doesn't seem to work though: no matter how many IF conditions I
set, the last one is always applied. I added a simple Echo telling me
which password was set and I could see that the password was actually
first changed to TEST1, then to TEST2: it's as if the IF conditions
don't matter at all.
I'm not sure if the problem lies within my IF conditions or from the
GetObject, but I'm totally lost here.
I had a previous version of this script that instead made a check on
the computer's IP address to check which subnet it was part of
(different subnets for different sites) but we've decided to change
that in favor of an OU membership check.
Any help would be massively appreciated.
My Recommendations:
1. Do not use "On Error Resume Next". It makes troubleshooting nearly
impossible. I suspect your If (and End If) statements are ignored and the
code within each is running.
2. Your script appears to check for group membership. This will work if you
have one group for each OU, but it requires you to be sure that all
computers in the OU are members of the group. That seems more work than
necessary, and subject to error.
3. When you seem to bind to the groups, you are actually binding to the
computer objects, not a group. I would expect errors, but you don't see them
because of "On Error Resume Next". I suspect you do not have the required
groups.
4. When you check group membership you pass a WinNT provider ADsPath to an
object bound with the LDAP provider. That cannot work. I think all of these
If statements are being skipped.
5. The only reliable way to check which OU an object is in is to bind to the
object and use the Parent method to retrieve the ADsPath of the parent
OU/Container. Then you can compare the Distinguished Name of the Parent
object with the full Distinguished Name of the OU. Most any other method can
fail in certain conditions.
6. I see no reason to retrieve the value of the environment variable
%COMPUTERNAME%. This is the NetBIOS name of the computer, but so is
wshNetwork.ComputerName. When you bind to the group/computer objects you
assume that the common name of the computer is the same as the NetBIOS name.
This does not have to be, but probably is.
7. Finally, computer passwords can be changed in a Startup script, but there
are two potential downsides. First, it will run repeatedly. Second, you
never know when the password has been changed. I prefer changing computer
passwords remotely myself from my computer. This requires a bit more code,
and requires the computers to be running, but it can be coded so you can run
it repeatedly only on the computers that have not yet gotten the change
applied.
I'll post suggested code shortly, when I get a chance.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
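The parent-DN comparison from recommendation 5, as an added example that is not code from either poster: it is written in Python rather than VBScript so it runs without a domain, and the computer DNs and the DC=example,DC=local domain are constructed for illustration. It also shows why a substring match on "OU=TEST1" is the kind of "other method" that fails: a computer in an OU nested below TEST1 matches it too.

```python
"""Pick a computer's OU by comparing its parent DN with the OU's full DN."""
import re

# Constructed sample: the distinguishedName of three computer objects, i.e.
# what the LDAP provider returns after binding to the object.  Invented values.
SAMPLE_COMPUTERS = {
    "WS-MODEL-01": "CN=WS-MODEL-01,OU=TEST1,OU=Computers,OU=Modeling,DC=example,DC=local",
    "WS-3D-07":    "CN=WS-3D-07,OU=TEST2,OU=Computers,OU=3D,DC=example,DC=local",
    # Sits one level *below* TEST1; a substring check on "OU=TEST1" still matches it.
    "WS-NESTED":   "CN=WS-NESTED,OU=Lab,OU=TEST1,OU=Computers,OU=Modeling,DC=example,DC=local",
}

# OU DN -> label of the credential to apply.  Labels rather than the passwords
# themselves: a GPO startup script in SYSVOL is readable by every domain user.
OU_TO_LABEL = {
    "OU=TEST1,OU=Computers,OU=Modeling,DC=example,DC=local": "TEST1",
    "OU=TEST2,OU=Computers,OU=3D,DC=example,DC=local": "TEST2",
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # comma that is not backslash-escaped


def split_rdns(dn):
    """Split a DN into RDNs, honouring escaped commas such as CN=Smith\\, John."""
    return [part.strip() for part in _RDN_SPLIT.split(dn)]


def normalize_dn(dn):
    """Canonical form for comparison; DN attribute types and values are case-insensitive in AD."""
    return ",".join(part.lower() for part in split_rdns(dn))


def parent_dn(dn):
    """Same idea as ADSI's .Parent on an LDAP-bound object: drop the leading RDN."""
    return ",".join(split_rdns(dn)[1:])


def label_for_computer(dn, ou_table=OU_TO_LABEL):
    """Return the label for the OU the computer is directly in, or None if it is in neither."""
    parent = normalize_dn(parent_dn(dn))
    for ou_dn, label in ou_table.items():
        if normalize_dn(ou_dn) == parent:  # whole-DN equality, never a substring test
            return label
    return None


def naive_substring_match(dn, needle="OU=TEST1"):
    """The fragile alternative: also true for computers in OUs nested under TEST1."""
    return needle.lower() in dn.lower()
```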