Re: How to make a AD group member of the local administrators grou

The group objects are treated just like user objects. In my example, I added
one domain group and one domain user to the local group. You can certainly
add two domain groups instead.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Clemens de Brouwer" <ClemensdeBrouwer@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:BD58BA3F-6C6A-458A-91E3-15E10F559B68@xxxxxxxxxxxxxxxx
Thanks for reaction, but I need two AD groups to become a member of the
local
administrators group.

Can I use your script and replace the user ingo with the group info or do
I
need something else??

with kind regards

Clemens de Brouwer

"Richard Mueller [MVP]" wrote:

You can, of course, make the two users members of a domain group and add
that group to the local Administrators group. This gives more
flexibility,
for example if jobs change. That said, you must use the WinNT provider
when
dealing with local accounts. For example:
================
' Bind to domain objects.
Set objDomainUser = GetObject("WinNT://MyDomain/JSmith,user")
Set objDomainGroup = GetObject("WinNT://MyDomain/TestGroup,group")

' Bind to local group.
strComputer = "WST231"
Set objLocalGroup = GetObject("WinNT://" & strComputer &
"/Administrators,group")

' Check if user already a member.
If (objLocalGroup.IsMember(objDomainUser.AdsPath) = False) Then
' Add user to group.
objLocalGroup.Add(objDomainUser.AdsPath)
End If

' Check if group already a member.
If (objLocalGroup.IsMember(objDomainGroup.AdsPat) = False) Then
' Add group to group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If
=============
This can be done remotely (If you are a member of Domain Admins and this
group is still a member of the local Administrators group). It cannot be
done in a logon script, as most users should not have permission. It
could
be done in a Startup script, as they run with System privileges on the
local
computer.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Clemens de Brouwer" <clemens66@xxxxxxxxxxxxx> wrote in message
news:4C0169DD-35CC-441C-AA60-D727FF32F470@xxxxxxxxxxxxxxxx
Because in a GPO this is done using the restricted group option. And we
need
to also add local users to the administrator group which will be
deleted
by
the GPO when we use the restricted group option.

And we need two domain groups to be member of the local administrators
group.

I'm creating a vbscript which creates the local users, set there
passwords
and makes them member of the local administrators group. This script
also
has to add the two domain groups to the local administrators group

I hope this makes it clear to you why we needs this to a script.

with kind regards

--
Clemens de Brouwer
LogicaCMG
Eindhoven (the Netherlands)


"Kenneth Bess" wrote:

Hi,

Why not creating a GPO instead - I think that is the best thing to do
in
this case.

Regards,
Kenneth

"Clemens de Brouwer" <clemens66@xxxxxxxxxxxxx> wrote in message
news:91D93564-C5E8-4CA6-ADE2-A91960891656@xxxxxxxxxxxxxxxx
I need to make a vbscript which makes two groups present in an Active
Directory Domain member of the computers local Administrators group.

Any sugestions?

--
Clemens de Brouwer
LogicaCMG
Eindhoven (the Netherlands)








.

Relevant Pages

  • Re: Finding multiple memgers of a group
    ... someone point me to a sample script or discussion on finding multiple ... Dim objGroup, strComputer, objFSO, objTextFile ... Wscript.Echo "Members of local Administrators group on computer " & ... method and it returns True if the corresponding object is a member. ...
    (microsoft.public.scripting.vbscript)
  • Re: How to make a AD group member of the local administrators grou
    ... How can we use the script for multiple computers. ... user account to 100 computers local admin group ... ' Check if group already a member. ... group is still a member of the local Administrators group). ...
    (microsoft.public.windows.server.scripting)
  • Re: How to make a AD group member of the local administrators grou
    ... Clemens de Brouwer ... Can I use your script and replace the user ingo with the group info or do ... ' Check if group already a member. ... group is still a member of the local Administrators group). ...
    (microsoft.public.windows.server.scripting)
  • Re: Group Policy Question
    ... script, but I really want to restrict it to individual users. ... somehow that people get added to the local admins as soon as they log in. ... ' Check if user already a member. ... Admins" group is a member of the local Administrators group (which is true ...
    (microsoft.public.win2000.active_directory)
  • Re: How to make a AD group member of the local administrators grou
    ... ' Check if group already a member. ... group is still a member of the local Administrators group). ... done in a logon script, as most users should not have permission. ... And we need two domain groups to be member of the local administrators ...
    (microsoft.public.windows.server.scripting)
Loading