Re: Use the "Managed By" field in AD to set as local Admin




"ErikW" <ErikW@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5B1EEE64-02BF-4ABE-B709-2B72D0058831@xxxxxxxxxxxxxxxx
Thank you. I'm not that into scripting these things but I will take a look
and see what I can do. I think the way must be in the logon script. "If a
script using ADO to handle this for all computers in bulk interests you,
reply for more" This is very interesting.

Erik


A program as I described earlier is below. I added error trapping in case a
computer is not available (and the script cannot bind to the local
Administrators group) so the program echoes a message to the command line
console. The program should be run at a command prompt using cscript. Since
the program does nothing if the user is already a member of the local
Administrators group, you can run it repeatedly until there is no message
about unavailable computers. Of course whoever runs the script needs
sufficient privileges to add members to the group. By default, the group
"Domain Admins" should be a member of the local Administrators group on
every computer joined to the domain. Any member of "Domain Admins" has
permissions. I would expect most users would not have permissions, so a
logon script would fail. If normal users had permission to manage the local
Administrators group in a logon script, there would be no need for the
script.
=========
' VBScript program to make sure the user referred to by the
' managedBy attribute of every computer in the domain is a
' member of the local Administrators group.
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
Dim strComputerDN, strComputer, strManagerDN
Dim objAdmGroup, objManager

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on all computer objects with managedBy assigned.
strFilter = "(&(objectCategory=computer)(managedBy=*))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName,sAMAccountName,managedBy"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strComputerDN = adoRecordset.Fields("distinguishedName").Value
    strComputer = adoRecordset.Fields("sAMAccountName").Value
    strManagerDN = adoRecordset.Fields("managedBy").Value
    ' Remove trailing "$" character to get NetBIOS name.
    strComputer = Left(strComputer, Len(strComputer) - 1)
    ' Bind to user object referred to by managedBy.
    Set objManager = GetObject("LDAP://" & strManagerDN)
    ' Bind to local Administrators group on computer.
    ' Trap the error if the computer is not available.
    On Error Resume Next
    Set objAdmGroup = GetObject("WinNT://" & strComputer _
        & "/Administrators,group")
    If (Err.Number = 0) Then
        On Error GoTo 0
        ' Make sure user is a member of this group.
        If (objAdmGroup.IsMember(objManager.AdsPath) = False) Then
            objAdmGroup.Add objManager.AdsPath
        End If
    Else
        On Error GoTo 0
        Wscript.Echo "Unable to bind to Administrators group on " _
            & strComputer
    End If
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
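The same job in PowerShell, as an added example that is not part of the original post and not Richard Mueller's code. It assumes the ActiveDirectory module and WinRM on the target computers, compares membership by SID rather than by name (so a group in managedBy is handled as well as a user), and with -WhatIf only reports which computers would change.

```powershell
# Added example: PowerShell equivalent of the VBScript above, with a
# report-only mode. Assumes the ActiveDirectory module, WinRM enabled on the
# targets, and an account allowed to edit local groups on them.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Same LDAP filter as the VBScript: computer objects that have managedBy set.
$computers = Get-ADComputer -LDAPFilter '(managedBy=*)' -Properties managedBy

foreach ($c in $computers) {
    # managedBy may point at a user or a group; resolve it to a SID so the
    # membership check does not depend on name formatting (DOMAIN\name vs UPN).
    $manager = Get-ADObject -Identity $c.managedBy -Properties objectSid, sAMAccountName
    $sid     = $manager.objectSid.Value

    try {
        $memberSids = Invoke-Command -ComputerName $c.Name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
        }
    } catch {
        # Same behaviour as the VBScript: report the host and move on; rerun later.
        Write-Warning "Unable to read Administrators group on $($c.Name): $_"
        continue
    }

    if ($memberSids -contains $sid) {
        Write-Verbose "$($manager.sAMAccountName) is already a member on $($c.Name)"
        continue
    }

    # With -WhatIf this prints what would change and modifies nothing.
    if ($PSCmdlet.ShouldProcess($c.Name, "Add $($manager.sAMAccountName) to Administrators")) {
        Invoke-Command -ComputerName $c.Name -ErrorAction Stop -ScriptBlock {
            # Add-LocalGroupMember accepts a SID string as the member.
            Add-LocalGroupMember -Group 'Administrators' -Member $using:sid
        }
    }
}
```

Run it first with `-WhatIf -Verbose` to get an inventory of which managedBy principals are not yet local administrators before any group is changed.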

