Re: Use the "Managed By" field in AD to set as local Admin




"ErikW" <ErikW@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60EBE0F1-CF02-4C99-8091-7F49D10615B3@xxxxxxxxxxxxxxxx
Hi,
How can I use the "managed by" field in AD to set the user entered there as
local admin on the XP client. We are currently doing it now on our "old"
Domain but no one knows how it was done. Appreciate any help on this issue.

Assuming you mean computer objects, I guess you could code a script to read
the managedBy attribute, then add that user to the local Administrators
group (assuming you want that user to be admin on only that computer). For
one computer a VBScript program that runs on the computer could be similar
to (not tested):
=======
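Option Explicit

Dim objSysInfo, strComputerDN, objComputer, strManagerDN, objAdmGroup
Dim objNetwork, strComputer, objManager, strManagerPath

' NetBIOS name of the local computer, for the WinNT provider.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Distinguished name of the local computer object in AD.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputerDN)
' Appending "" turns a missing managedBy value into an empty string.
strManagerDN = objComputer.managedBy & ""
If (strManagerDN <> "") Then
    Set objManager = GetObject("LDAP://" & strManagerDN)
    ' The WinNT provider needs a WinNT path for the member, not the LDAP AdsPath.
    strManagerPath = "WinNT://" & objSysInfo.DomainShortName _
        & "/" & objManager.sAMAccountName
    Set objAdmGroup = GetObject("WinNT://" & strComputer _
        & "/Administrators,group")
    If (objAdmGroup.IsMember(strManagerPath) = False) Then
        objAdmGroup.Add(strManagerPath)
    End If
End If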
======
I suppose you could use ADO in a VBScript program to retrieve the DN of all
computer objects in the domain, then check that the user object referenced
by the managedBy attribute is a member of the local Administrators group on
each computer. This could be done once in bulk if all computers are
authenticated to the domain. Otherwise, a logon or startup script would be
alternatives, although you then have no control over when the update
happens, you should code the script to run once, and most users would lack
permissions to add members to the local Administrators group. It would be
best to do this yourself remotely as a member of Domain Admins.

If a script using ADO to handle this for all computers in bulk interests
you, reply for more. Or, figure it out yourself using the information at
this link:

http://www.rlmueller.net/ADOSearchTips.htm

The ADO query would retrieve the values of the distinguishedName,
sAMAccountName, and managedBy attributes of all computers where managedBy is
not missing. Then for each row in the resulting recordset, the script would
bind to the local Administrators group on the computer, similar to above.
The value of the sAMAccountName attribute of computer objects is the NetBIOS
name of the computer with a trailing "$" appended to the end. You would
strip off the trailing "$" to get the NetBIOS name (strComputer in the code
snippet above).

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
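
The bulk ADO approach described in the post above, as an added example that is not part of the original post or the author's own code. It assumes a single domain (so the manager's WinNT path can be built from the local domain's NetBIOS name) and introduces a hypothetical blnApply switch so the script can be run report-only first.

```vbscript
' Added example, not from the original post: report (or fix) computers whose
' managedBy user is missing from the local Administrators group.
Option Explicit
Const blnApply = False   ' Assumption: False = report only, True = add members
Dim objRootDSE, objSysInfo, strDomain, adoConn, adoCmd, adoRS, blnMember
Dim strComputer, strManagerDN, objManager, strMember, objAdmGroup

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objSysInfo = CreateObject("ADSystemInfo")
strDomain = objSysInfo.DomainShortName   ' Assumption: managers are in this domain

' ADO search for every computer object where managedBy is not missing.
Set adoConn = CreateObject("ADODB.Connection")
adoConn.Provider = "ADsDSOObject"
adoConn.Open "Active Directory Provider"
Set adoCmd = CreateObject("ADODB.Command")
Set adoCmd.ActiveConnection = adoConn
adoCmd.CommandText = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">;" _
    & "(&(objectCategory=computer)(managedBy=*));" _
    & "sAMAccountName,managedBy;subtree"
adoCmd.Properties("Page Size") = 500   ' page results past the 1000-row limit
Set adoRS = adoCmd.Execute

Do Until adoRS.EOF
    ' sAMAccountName is the NetBIOS name with a trailing "$"; strip it.
    strComputer = adoRS.Fields("sAMAccountName").Value
    strComputer = Left(strComputer, Len(strComputer) - 1)
    strManagerDN = Replace(adoRS.Fields("managedBy").Value, "/", "\/")
    On Error Resume Next   ' computer may be offline, manager may be a contact
    Set objManager = GetObject("LDAP://" & strManagerDN)
    strMember = "WinNT://" & strDomain & "/" & objManager.sAMAccountName
    Set objAdmGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    blnMember = objAdmGroup.IsMember(strMember)
    If (Err.Number <> 0) Then
        Wscript.Echo strComputer & ": skipped, error 0x" & Hex(Err.Number)
    ElseIf blnMember Then
        Wscript.Echo strComputer & ": OK, " & strMember & " is already a member"
    ElseIf blnApply Then
        objAdmGroup.Add strMember
        Wscript.Echo strComputer & ": add " & strMember & ", error code " & Err.Number
    Else
        Wscript.Echo strComputer & ": MISSING " & strMember
    End If
    On Error GoTo 0   ' also clears Err for the next computer
    adoRS.MoveNext
Loop
adoRS.Close
adoConn.Close
```

Run it with cscript from an account that can administer the target computers. Because the script turns managedBy into local admin rights, write access to that attribute on computer objects needs the same control as membership of the Administrators group itself.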

