Re: Add domain user to local group script troubleshoot
From: Rick Kalifa (rkalifa_at_hotmail.com.NO_SPAM)
Date: 03/27/04
Date: Fri, 26 Mar 2004 22:01:12 -0600
Richard,
This script looks like it would be extremely helpful. I'm wondering, how is
it called at logon? Is it referenced in the logon batch? And if so, what
does the command look like? I'm going to play around with this one. We are
changing domains and we have the old group in the local admins, but now we
need the exported group (in the new domain) in the local admin.
RK.
"Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in
message news:%233f1UTtEEHA.2908@TK2MSFTNGP09.phx.gbl...
> mtothej wrote:
>
> > Richard, thanks for the help. The WinNT path to the domain user works
> > great. Here's the catch; it works great when I'm already a member of the
> > local admins group. I have admin rights to my OU (we're a branch office),
> > and thus my Computers OU underneath, but am not a domain admin and so am
> > not by default in the local admins group of each computer. Is there a
> > script which would add a user (or group) to the local admins group of all
> > computers in an OU - I guess this would have to be run via Group Policy
> > and dropped on the computers as they booted? Otherwise it could be run by
> > a domain admin I guess. Any ideas? Thx...
>
> Hi,
>
> Actually, if you use Group Policy, the best way is to use a Startup
> script. Startup scripts run with System privileges on the local computer
> (before any user logs on) and can add members to the local Administrators
> group. Best practice would be to add a domain group to the local
> Administrators group on every PC. This way, membership can be easily
> modified in the future without touching the machines again. Group Policy
> can be applied to the OU.
>
> One other consideration is that it is cleaner to add the group once, and
> not attempt to repeat the process. In the past I have used code similar to
> below, which only adds the domain group to the local group if it is not
> already a member:
>
> ' Specify AdsPath of domain group to be added to
> ' local Administrators group.
> strDomainGroup = "WinNT://MyDomain/ComputerAdmins,group"
>
> ' Bind to domain group.
> Set objDomainGroup = GetObject(strDomainGroup)
>
> ' Retrieve local computer NetBIOS name.
> Set objNetwork = CreateObject("Wscript.Network")
> strComputer = objNetwork.ComputerName
>
> ' Bind to local Administrators group.
> Set objLocalGroup = GetObject("WinNT://" & strComputer _
>     & "/Administrators,group")
>
> ' Check if domain group already a member.
> If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
>     ' Add domain group to local group.
>     objLocalGroup.Add(objDomainGroup.AdsPath)
> End If
>
> --
> Richard
> Microsoft MVP Scripting and ADSI
> HilltopLab web site - http://www.rlmueller.net
> --
>
>
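Added example, not part of the original posts: a variation of the quoted script for the domain-change case described in the reply above, which traps bind failures and writes the resulting Administrators membership to the Application event log for review. The group path `WinNT://NewDomain/ComputerAdmins,group` is a placeholder assumption.

```vbscript
Option Explicit

' Assumption: placeholder AdsPath for the group in the new domain.
Const NEW_GROUP = "WinNT://NewDomain/ComputerAdmins,group"
Const EVT_ERROR = 1, EVT_INFO = 4   ' WshShell.LogEvent type codes

Dim objShell, objNetwork, objDomainGroup, objLocalGroup, objMember
Dim strComputer, strMembers

Set objShell = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' Bind to the local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' The domain may be unreachable at startup, so trap the bind failure.
On Error Resume Next
Set objDomainGroup = GetObject(NEW_GROUP)
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Cannot bind to " & NEW_GROUP & _
        " (0x" & Hex(Err.Number) & "); local Administrators unchanged."
    WScript.Quit 1
End If

' Add only when missing, as in the quoted script.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    objLocalGroup.Add objDomainGroup.AdsPath
    If Err.Number <> 0 Then
        objShell.LogEvent EVT_ERROR, "Adding " & NEW_GROUP & _
            " failed (0x" & Hex(Err.Number) & ")."
        WScript.Quit 1
    End If
End If
On Error GoTo 0

' Record the resulting membership so leftover or unexpected entries
' (for example the old domain's group) can be reviewed centrally.
strMembers = ""
For Each objMember In objLocalGroup.Members
    strMembers = strMembers & vbCrLf & objMember.Class & ": " & objMember.AdsPath
Next
objShell.LogEvent EVT_INFO, "Local Administrators on " & strComputer & _
    " now contains:" & strMembers
```

Assigned as a computer Startup script in a GPO linked to the OU (Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)), it runs under the System account before any user logs on.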