Re: Add domain user to local group script troubleshoot

From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/25/04

    Date: Thu, 25 Mar 2004 14:54:11 -0600


    Hi,

    The most reliable way to retrieve computer names in an Active Directory
    domain is to use ADO to retrieve the sAMAccountName attribute (the NetBIOS
    name) of all computer objects. When the recordset is enumerated, instead of
    writing the names to a text file, you can connect to each and modify
    (assuming you are a member of Domain Admins, which should have administrator
    rights on the local machines). One caution. The list will include servers,
    DC's, and perhaps inactive machines. Also, some computers could be powered
    off. Also, if you anticipate doing this often, it might be easier to make a
    domain global group a member of each computer's local Administrators group.
    Then, you can modify the domain group's membership at any time without
    touching the machines, effectively adding or removing users with local admin
    rights.

    A VBScript to echo the NetBIOS names of all computers in the domain follows.
    The output can be redirected to a text file:

    Option Explicit

    Dim objRootDSE, strDNSDomain, objCommand, objConnection
    Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
    Dim strComputer

    ' Determine DNS domain name.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection
    strBase = "<LDAP://" & strDNSDomain & ">"

    strFilter = "(objectCategory=computer)"
    strAttributes = "sAMAccountName"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    Do Until objRecordSet.EOF
      strComputer = objRecordSet.Fields("sAMAccountName")
      ' Strip off trailing "$".
      strComputer = Left(strComputer, Len(strComputer) - 1)
      Wscript.Echo strComputer
      objRecordSet.MoveNext
    Loop

    ' Clean up.
    objConnection.Close
    Set objRootDSE = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRecordSet = Nothing

    To modify this so it added a Domain group to the Administrators group on
    each computer, you could replace the final Do Until Loop with code similar
    to:

    ' Declare new variables.
    Dim objLocalGroup, objDomainGroup

    ' Bind to the domain global group to be added to each computer's local
    ' Administrators group.
    Set objDomainGroup = GetObject("WinNT://MyDomain/ComputerAdmins,group")

    Do Until objRecordSet.EOF
      strComputer = objRecordSet.Fields("sAMAccountName")
      ' Strip off trailing "$".
      strComputer = Left(strComputer, Len(strComputer) - 1)
      ' Bind to local Administrators group.
      On Error Resume Next
      Set objLocalGroup = GetObject("WinNT://" & strComputer _
        & "/Administrators,group")
      If Err.Number = 0 Then
        ' Add the domain group to the local group.
        objLocalGroup.Add(objDomainGroup.AdsPath)
        If Err.Number <> 0 Then
          On Error GoTo 0
          Wscript.Echo "Unable to modify Administrator group on " & strComputer
        Else
          On Error GoTo 0
          Wscript.Echo "Modified Administrator group on " & strComputer
        End If
      Else
        On Error GoTo 0
        Wscript.Echo "Cannot connect to " & strComputer
      End If
      objRecordSet.MoveNext
    Loop

    -- 
    Richard
    Microsoft MVP Scripting and ADSI
    HilltopLab web site - http://www.rlmueller.net
    --
    "Rick Kalifa" <rkalifa@hotmail.com.NO_SPAM> wrote in message
    news:O4K5tMqEEHA.580@TK2MSFTNGP11.phx.gbl...
    > This script works great!!
    >
    > What I would like to with this is get a list of all the workstations, so I
    > can add the group I need to the local administrators.
    >
    > In the past, I've exported a list, and ran a job against the list of
    > computers. However, I'd like to take it one step further and have the
    > script find the workstations dynamically and then apply the changes I need
    > on that workstation.
    >
    > Any input here would be appreciated.
    >
    > RK.
    >
    > "Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in
    > message news:OChpsfiEEHA.3576@TK2MSFTNGP12.phx.gbl...
    > > mtothej wrote:
    > >
    > > > I am trying the following script to add a domain user to a local group:
    > > >
    > > > Set objGroup = GetObject _
    > > >     ("WinNT://remotecomputer/Administrators")
    > > > Set objUser = GetObject _
    > > >    ("LDAP://CN=username,OU=MyOU,OU=MyOU,DC=root,DC=mydomain,DC=org")
    > > > objGroup.Add(objUser.ADsPath)
    > > >
    > > > I get the following error:
    > > >
    > > > C:\Scripts\add_domain_user_to_local_group.vbs(5, 1) Active Directory:
    > > > An invalid Active Directory pathname was passed
    > > >
    > > > I know the ADsPath for the user is correct because I can retrieve
    > > properties from it. I know the objGroup path is correct because I can
    > > enumerate the current users in the group.
    > > >
    > > > Is something wrong in the last line? Am I on the right track or is there
    > > > another way to add a domain user to a local group? Thanks :)
    > >
    > > You must bind to the user object with the WinNT provider. If the
    > > "cn=Username" user has sAMAccountName equal to "username", and the NetBIOS
    > > name of the domain is "MyDomain", then use
    > >
    > > Set objUser = GetObject("WinNT://MyDomain/username,user")
    > >
    > > The local group object's Add method does not understand an LDAP AdsPath.
    > >
    > > -- 
    > > Richard
    > > Microsoft MVP Scripting and ADSI
    > > HilltopLab web site - http://www.rlmueller.net
    > > --
    > >
    > >
    >
    >
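    An added example, not part of Richard's post: a read-only companion script
    that audits the local Administrators group on each computer instead of
    changing it, so you can confirm the rollout and spot unexpected members
    before or after running the modification loop above. It assumes a file
    computers.txt holding one NetBIOS name per line (for instance the redirected
    output of the query script) and the same hypothetical domain group
    WinNT://MyDomain/ComputerAdmins used in the post.

```vbscript
' Added example (not from the original post). Reads computer names from
' computers.txt (assumed: one NetBIOS name per line) and, for each one,
' lists the members of the local Administrators group and reports whether
' the hypothetical domain group MyDomain\ComputerAdmins is among them.
Option Explicit

Const ForReading = 1
Const strExpected = "WinNT://MyDomain/ComputerAdmins"

Dim objFSO, objFile, strComputer, objLocalGroup, objMember
Dim blnFound, strMembers

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("computers.txt", ForReading)

Do Until objFile.AtEndOfStream
  strComputer = Trim(objFile.ReadLine)
  If strComputer <> "" Then
    ' Bind to the local Administrators group; an offline or blocked
    ' machine raises an error here rather than later.
    On Error Resume Next
    Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If Err.Number <> 0 Then
      On Error GoTo 0
      Wscript.Echo strComputer & ": cannot connect"
    Else
      On Error GoTo 0
      blnFound = False
      strMembers = ""
      ' Each member's AdsPath shows where it comes from: the local
      ' machine (WinNT://<computer>/...) or the domain (WinNT://MyDomain/...).
      For Each objMember In objLocalGroup.Members
        strMembers = strMembers & " " & objMember.AdsPath
        If LCase(objMember.AdsPath) = LCase(strExpected) Then blnFound = True
      Next
      If blnFound Then
        Wscript.Echo strComputer & ": OK, ComputerAdmins present;" & strMembers
      Else
        Wscript.Echo strComputer & ": MISSING ComputerAdmins;" & strMembers
      End If
    End If
  End If
Loop

objFile.Close
```

    Redirect the output to a file and review any line marked MISSING, and any
    member path you do not recognise.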
    
