Re: need to modify local group membership via VBscript
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 9 Feb 2006 12:02:53 -0600
Exactly. A logon script runs with the credentials of the user, so it cannot
alter membership in the local Administrators group. The logon script would
have to use alternate credentials or a third-party RunAs tool. You would hard
code the local Administrator username and password, but this would expose the
password.
I've been trying to get alternate credentials to work. Then perhaps this
could be done remotely. However, I've been unsuccessful. Below is my code,
but it generates an error when I use the IsMember method of the local group
object. Maybe someone else can help. If this can work for one computer, you
could combine this with the program that reads computer names from a text
file. You would need to know the Administrator password on all the machines.
If they are not the same, the text file can have both machine name and
administrator password and the program can parse the two values from each
line.
=========================
Option Explicit
Dim strComputer, strUser, strPassword
Dim objNS, objLocalGroup, objDomainGroup
Const ADS_SECURE_AUTHENTICATION = &H1
' Specify the remote computer.
strComputer = "West101"
' Specify credentials on the remote computer.
strUser = strComputer & "\Administrator"
strPassword = "xyZ4321"
' Bind to domain group with WinNT provider.
Set objDomainGroup = GetObject("WinNT://MyDomain/Domain Admins,group")
' Wscript.Echo objDomainGroup.AdsPath <== this works fine.
' Bind to local Administrators group on remote computer.
' Use alternate credentials.
Set objNS = GetObject("WinNT:")
Set objLocalGroup = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION)
' Wscript.Echo objLocalGroup.AdsPath <== this works fine.
' The next line generates a bad error.
If (objLocalGroup.IsMember(objDomainGroup.AdsPath) = False) Then
    objLocalGroup.Add(objDomainGroup.AdsPath)
    Wscript.Echo "Added Domain Admins to Administrators on " & strComputer
Else
    Wscript.Echo "Domain Admins already in Administrators on " & strComputer
End If
' Clean up.
Set objDomainGroup = Nothing
Set objLocalGroup = Nothing
Set objNS = Nothing
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
"SixHouse" <NOSPAM_sixhouse@xxxxxxxxxxxxxxxx> wrote in message
news:%23a3FQkZLGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
would a simple logon script work? or no because it runs as the currently
logged in user...
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:ucUkFBZLGHA.2628@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
The options I can think of quickly:
1. Admin run the script on all NT computers.
2. Run the script as a logon script using RunAs or some third party tool
that allows you to specify admin credentials.
3. Run the script with alternate credentials. This hard codes the admin
username and password in the script. You would have to know the admin
password on all the machines.
I'll have to test if this can be done remotely. I've used alternate
credentials with domain accounts, but not local accounts.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
<no@xxxxxxxx> wrote in message news:VmEGf.620$un6.6@xxxxxxxxxxx
another problem...
i have 3,000+ NT workstations, no group policy.
:(
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23NK$OpRLGHA.532@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I should have realized you need to be admin to begin with for this to work
remotely. The script I posted was originally used to add another domain
group to the local Administrators group. It only worked if Domain
Admins was already a member.
Startup scripts run with System privileges on the local machine. They
run with the permissions of the computer object in the domain. A
Startup script can add domain groups to the local Administrators group.
Here is a version intended to run as a Startup script, configured in
Group Policy:
=====================
Option Explicit
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup
' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"
' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
    & "/Administrators,group")
' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain _
    & "/Domain Admins,group")
' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGroup.Add(objDomainGroup.AdsPath)
End If
' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
"Umesh Thakur" <UmeshThakur@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CB66E46-1A04-4B53-BCA1-D65003CDA0E7@xxxxxxxxxxxxxxxx
well, you will need to run the script using Group Policy...
set the policy so that script runs when computer starts.
no need to get the list of computers from a text file, below is a MS article on
how to add a domain group to local administrators account:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
all computers that will be affected by group policy, will execute the script and
the domain group that you will specify, will be added to local administrators
account. no need to worry about admin privileges as the script runs under
system/localsystem account (not exactly sure, but it's admin account)
--
When you are unable to keep your eyes open, do go and sleep for few
hours!!!
"SixHouse" wrote:
uh oh... i just realized....
if the domain admins group isn't in local admins, how will this script run?
if i run it while logged in with a domain admin account it will get access
denied. any way to deal with this?
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in
message
news:%2332EbKMLGHA.3856@xxxxxxxxxxxxxxxxxxxxxxx
SixHouse wrote:
i have a bunch of remote workstations (some xp, some NT). i need to make
sure that the domain admins group is a member of the local admins group on
the workstation. can i do this if i have a text file that contains
workstation names?
Hi,
The following example VBScript program should help:
Option Explicit
Dim strDomain, strFile, objFSO, objFile
Dim strComputer, objLocalGroup, objDomainGroup
' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"
' Specify the text file of NetBIOS computer names.
strFile = "c:\Scripts\computers.txt"
' Bind to Domain Admins group with WinNT provider.
Set objDomainGroup = GetObject("WinNT://" & strDomain _
    & "/Domain Admins,group")
' Open the text file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, 1)
' Read each line of the file
Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    ' Skip any blank lines.
    If (strComputer <> "") Then
        ' Bind to local Administrators group with WinNT provider.
        ' Trap the error if the computer is not available.
        On Error Resume Next
        Set objLocalGroup = GetObject("WinNT://" & strComputer _
            & "/Administrators,group")
        If (Err.Number = 0) Then
            On Error GoTo 0
            ' Check if the domain group is already
            ' a member of the local group.
            If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
                ' Add the domain group to the local group.
                objLocalGroup.Add(objDomainGroup.AdsPath)
                Wscript.Echo strComputer & " - Domain Admins added"
            Else
                Wscript.Echo strComputer & " - Already done"
            End If
        Else
            On Error GoTo 0
            ' Computer not found.
            Wscript.Echo strComputer & " - Not found"
        End If
    End If
Loop
' Close the file
objFile.Close
' Clean up.
Set objFile = Nothing
Set objFSO = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
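
A read-only check to go with the scripts in this thread, added here as an example and not code from any of the posters: it reads the same computers.txt list and reports machines where Domain Admins is missing from the local Administrators group, or where some other non-local account or group (Domain Users, for instance) is a member. The domain name, file path and allow-list contents are assumptions.

```vbscript
Option Explicit
Dim strDomain, strFile, objFSO, objFile, strComputer
Dim objLocalGroup, objMember, objAllowed, strPath, blnHasAdmins

' Assumed values, matching the placeholders used in the thread.
strDomain = "MyDomain"
strFile = "c:\Scripts\computers.txt"

' Allow-list of domain principals expected in local Administrators.
Set objAllowed = CreateObject("Scripting.Dictionary")
objAllowed.CompareMode = vbTextCompare
objAllowed.Add "WinNT://" & strDomain & "/Domain Admins", True

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, 1)
Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    If (strComputer <> "") Then
        ' Trap the error if the computer is not available.
        On Error Resume Next
        Set objLocalGroup = GetObject("WinNT://" & strComputer _
            & "/Administrators,group")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            Wscript.Echo strComputer & " - Not found"
        Else
            On Error GoTo 0
            blnHasAdmins = False
            ' Enumerate current members; nothing is modified.
            For Each objMember In objLocalGroup.Members
                strPath = objMember.AdsPath
                If objAllowed.Exists(strPath) Then
                    blnHasAdmins = True
                ElseIf (InStr(1, strPath, "/" & strComputer & "/", _
                        vbTextCompare) = 0) Then
                    ' Not a local account and not on the allow-list.
                    Wscript.Echo strComputer & " - Unexpected member: " & strPath
                End If
            Next
            If Not blnHasAdmins Then
                Wscript.Echo strComputer & " - Domain Admins missing"
            End If
        End If
    End If
Loop
objFile.Close
```

Run it with cscript so each result is a console line rather than a message box.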