Re: Scripting questions



See comments inline below:

"John" <pursca2008@xxxxxxxxxxxxxxxx> wrote in message
news:7B3A7A7F-9A10-4A12-A6F2-C7C154DFA8B3@xxxxxxxxxxxxxxxx
Hi, gurus,

What is the best way to achieve the following tasks:

1. list all users (domain and local) in local administrators group on remote
computer

I have an example VBScript program that enumerates the members of any local
group linked here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

This handles direct local members, local group nesting, direct domain
members, and nesting of the domain groups. For example, JUser could be a
member of domain group "Sales", which is a member of domain group "West",
which is a member of the local Administrators group on computer "WST101".
The program will reveal that.

Note if the aim is to determine everyone with administrator privileges, the
local Administrators group could be renamed. Also, a user could be given
permissions directly without being a member of the local Administrators
group. Another method is to attempt to do something in a script that
requires administrator privileges and trap the possible error if it fails.

2. remove user from local administrators group on remote computer

Bind to the local administrators group on the remote computer and use the
Remove method of the group object. You must use the WinNT provider. You pass
the AdsPath of the member to remove. I generally bind to the member to make
sure I have the correct AdsPath. I also first make sure they are a member,
using the IsMember method. For example:
============
' Bind to remote computer Administrators group.
' WinNT path format: WinNT://<computer>/<group>,group
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to member to remove. You must use the WinNT provider.
Set objMember = GetObject("WinNT://MyDomain/JUser,user")

' Check if a member.
If (objLocalAdmin.IsMember(objMember.AdsPath) = True) Then
    ' Remove the member from the group.
    objLocalAdmin.Remove(objMember.AdsPath)
End If
===========

3. add domain user account to local administrators group on remote computer

Bind to the local Administrators group on the remote computer and the domain
user object, both with the WinNT provider, and use the Add method of the
group object. For example:
=========
' Bind to remote computer Administrators group.
' WinNT path format: WinNT://<computer>/<group>,group
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to domain user to add. You must use the WinNT provider.
Set objMember = GetObject("WinNT://MyDomain/JUser,user")

' Check that the user is not already a member.
If (objLocalAdmin.IsMember(objMember.AdsPath) = False) Then
    ' Add the user to the group.
    objLocalAdmin.Add(objMember.AdsPath)
End If
========
I would recommend adding domain groups instead of individual domain users.
It is easier to manage the membership of the domain group.

3. remove local user account from remote computer

Similar, except you bind to the local user:
========
' Bind to remote computer Administrators group.
' WinNT path format: WinNT://<computer>/<group>,group
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to local user to remove.
Set objMember = GetObject("WinNT://TestComputer/TUser,user")

' Check if a member.
If (objLocalAdmin.IsMember(objMember.AdsPath) = True) Then
    ' Remove the user from the group.
    objLocalAdmin.Remove(objMember.AdsPath)
End If
========
All of this can be done remotely, as long as you are logged into the domain
with an account that is a member of the local Administrators group on the
remote computer. By default, the "Domain Admins" group is added to the local
Administrators group when the computer is joined to the domain, so it should
suffice to be a member of this domain group. Of course the remote computer
must be online and accessible.

I hope this helps.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
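
An added example, not part of the original post and not the program linked from it: one way to audit the membership described under item 1 when the local Administrators group may have been renamed. It looks the group up by its well-known SID (S-1-5-32-544) through WMI, then walks nested groups with the WinNT provider. The computer name "TestComputer" is the sample name from the post, and the WMI lookup is a technique introduced here, not one the post uses.

```vbscript
' Added example: list everyone in the built-in Administrators group of a
' remote computer, including members that arrive through nested groups.
Option Explicit

Dim strComputer, objWMI, colGroups, objGroup, strAdminGroup, objSeen

strComputer = "TestComputer"   ' assumption: sample name taken from the post

' Find the built-in Administrators group by its well-known SID (S-1-5-32-544),
' so the audit still works if the group has been renamed.
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colGroups = objWMI.ExecQuery( _
    "SELECT Name FROM Win32_Group " & _
    "WHERE LocalAccount = True AND SID = 'S-1-5-32-544'")
strAdminGroup = ""
For Each objGroup In colGroups
    strAdminGroup = objGroup.Name
Next
If (strAdminGroup = "") Then
    Wscript.Echo "Built-in Administrators group not found on " & strComputer
    Wscript.Quit 1
End If

' Track AdsPaths already visited so circular group nesting cannot loop forever.
Set objSeen = CreateObject("Scripting.Dictionary")
objSeen.CompareMode = vbTextCompare

EnumMembers GetObject("WinNT://" & strComputer & "/" & strAdminGroup & ",group"), ""

Sub EnumMembers(ByVal objGrp, ByVal strIndent)
    Dim objMember
    For Each objMember In objGrp.Members
        If Not objSeen.Exists(objMember.AdsPath) Then
            objSeen.Add objMember.AdsPath, True
            Wscript.Echo strIndent & objMember.AdsPath & " (" & objMember.Class & ")"
            ' Expand nested local or domain groups one level deeper.
            If (LCase(objMember.Class) = "group") Then
                EnumMembers objMember, strIndent & "  "
            End If
        End If
    Next
End Sub
```

Run it with cscript.exe so each member prints to the console instead of a message box. It reports group membership only; rights granted directly to an account, which the post also mentions, are not covered.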

