Re: Use the "Managed By" field in AD to set as local Admin
- From: ErikW <ErikW@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 May 2009 01:34:06 -0700
Thank you. I'm not that into scripting these things but I will take a look
and see what I can do. I think the way must be in the logon script. "If a
script using ADO to handle this for all computers in bulk interests you,
reply for more" This is very interesting.
Erik
"Richard Mueller [MVP]" wrote:
"ErikW" <ErikW@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:60EBE0F1-CF02-4C99-8091-7F49D10615B3@xxxxxxxxxxxxxxxx
Hi,
How can I use the "managed by" field in AD to set the user entered there as
local admin on the XP client? We are currently doing it now on our "old"
Domain but no one knows how it was done. Appreciate any help on this
issue.
Assuming you mean computer objects, I guess you could code a script to read
the managedBy attribute, then add that user to the local Administrators
group (assuming you want that user to be admin on only that computer). For
one computer a VBScript program that runs on the computer could be similar
to (not tested):
=======
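Option Explicit
Dim objSysInfo, strComputerDN, objComputer, strManagerDN, objAdmGroup
Dim objNetwork, strComputer, objTrans, strManagerPath

' NetBIOS name of the local computer, needed by the WinNT provider.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to this computer's object in AD and read managedBy (a DN, or empty).
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName
Set objComputer = GetObject("LDAP://" & strComputerDN)
strManagerDN = objComputer.managedBy & ""

If (strManagerDN <> "") Then
    ' A WinNT group only accepts WinNT:// member paths, not LDAP:// ones,
    ' so translate the manager's DN to DOMAIN\name form first.
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init 3, ""             ' 3 = ADS_NAME_INITTYPE_GC
    objTrans.Set 1, strManagerDN    ' 1 = ADS_NAME_TYPE_1779 (DN)
    strManagerPath = "WinNT://" & Replace(objTrans.Get(3), "\", "/")   ' 3 = ADS_NAME_TYPE_NT4

    ' Add the manager to the local Administrators group if not already a member.
    Set objAdmGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If (objAdmGroup.IsMember(strManagerPath) = False) Then
        objAdmGroup.Add(strManagerPath)
    End If
End If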
======
I suppose you could use ADO in a VBScript program to retrieve the DN of all
computer objects in the domain, then check that the user object referenced
by the managedBy attribute is a member of the local Administrators group on
each computer. This could be done once in bulk if all computers are
authenticated to the domain. Otherwise, a logon or startup script would be
alternatives, although you then have no control over when the update
happens, you should code the script to run once, and most users would lack
permissions to add members to the local Administrators group. It would be
best to do this yourself remotely as a member of Domain Admins.
If a script using ADO to handle this for all computers in bulk interests
you, reply for more. Or, figure it out yourself using the information at
this link:
http://www.rlmueller.net/ADOSearchTips.htm
The ADO query would retrieve the values of the distinguishedName,
sAMAccountName, and managedBy attributes of all computers where managedBy is
not missing. Then for each row in the resulting recordset, the script would
bind to the local Administrators group on the computer, similar to above.
The value of the sAMAccountName attribute of computer objects is the NetBIOS
name of the computer with a trailing "$" appended to the end. You would
strip off the trailing "$" to get the NetBIOS name (strComputer in the code
snippet above).
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
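
The bulk ADO approach described in the quoted reply, as an added example that is not code posted by anyone in this thread. It assumes it is run by an account with administrative rights on the target computers; the `blnReportOnly` switch and the use of NameTranslate to build the WinNT path are assumptions of this sketch.

```vbscript
Option Explicit
' Added example; blnReportOnly is a hypothetical switch, not from the thread.
Const blnReportOnly = True   ' True: only list changes; False: add missing members
Dim objRootDSE, strBase, objConn, objCmd, objRS, objTrans, objAdmGroup
Dim strComputer, strManagerPath, lngErr

' ADO query: every computer object whose managedBy attribute has a value.
Set objRootDSE = GetObject("LDAP://RootDSE")
strBase = "<LDAP://" & objRootDSE.Get("defaultNamingContext") & ">"
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 200   ' page results so large domains are not truncated
objCmd.CommandText = strBase & ";(&(objectCategory=computer)(managedBy=*));" _
    & "distinguishedName,sAMAccountName,managedBy;subtree"
Set objRS = objCmd.Execute

Set objTrans = CreateObject("NameTranslate")
objTrans.Init 3, ""   ' 3 = ADS_NAME_INITTYPE_GC

Do Until objRS.EOF
    ' sAMAccountName is the NetBIOS name with a trailing "$"; strip it.
    strComputer = objRS.Fields("sAMAccountName").Value
    strComputer = Left(strComputer, Len(strComputer) - 1)
    ' Translating the manager DN or binding to the remote group can fail
    ' (manager has no NT name, computer offline), so trap errors here only.
    On Error Resume Next
    objTrans.Set 1, objRS.Fields("managedBy").Value   ' 1 = ADS_NAME_TYPE_1779
    strManagerPath = "WinNT://" & Replace(objTrans.Get(3), "\", "/")   ' 3 = NT4
    Set objAdmGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    lngErr = Err.Number
    On Error GoTo 0
    If (lngErr <> 0) Then
        Wscript.Echo strComputer & ": skipped, error 0x" & Hex(lngErr)
    ElseIf objAdmGroup.IsMember(strManagerPath) Then
        Wscript.Echo strComputer & ": " & strManagerPath & " is already a member"
    ElseIf blnReportOnly Then
        Wscript.Echo strComputer & ": would add " & strManagerPath
    Else
        objAdmGroup.Add strManagerPath
        Wscript.Echo strComputer & ": added " & strManagerPath
    End If
    objRS.MoveNext
Loop
objRS.Close
objConn.Close
```

Run it with cscript so each result is written to the console, and review the report-only output before setting `blnReportOnly` to False, since every managedBy value becomes a local administrator on that computer.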