Re: Scripting questions



Thanks very much, Richard!!!

Could you please give me a guide on how to achieve the same goals without using "WinNT" provider and use LDAP query?

Thanks!
John

"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in message news:eMPRLbQwIHA.420@xxxxxxxxxxxxxxxxxxxxxxx
See comments inline below:

"John" <pursca2008@xxxxxxxxxxxxxxxx> wrote in message news:7B3A7A7F-9A10-4A12-A6F2-C7C154DFA8B3@xxxxxxxxxxxxxxxx
Hi, gurus,

What is the best way to archive the following tasks:

1. list all users (domain and local) in local administrators group on remote computer

I have an example VBScript program that enumerates the members of any local group linked here:

http://www.rlmueller.net/Enumerate%20Local%20Group.htm

This handles direct local members, local group nesting, direct domain members, and nesting of the domain groups. For example, JUser could be a member of domain group "Sales", which is a member of domain group "West", which is a member of the local Administrators group on computer "WST101". The program will reveal that.

Note if the aim is to determine everyone with administrator privileges, the local Administrators group could be renamed. Also, a user could be given permissions directly without being a member of the local Administrators group. Another method is to attempt to do something in a script that requires administrator privileges and trap the possible error if it fails.

2. remove user from local administrators group on remote computer

Bind to the local administrators group on the remote computer and use the Remove method of the group object. You must use the WinNT provider. You pass the AdsPath of the member to remove. I generally bind to the member to make sure I have the correct AdsPath. I also first make sure they are a member, using the IsMember method. For example:
============
' Bind to the remote computer's Administrators group.
' WinNT ADsPath form: WinNT://<computer>/<object>,<class>
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to member to remove. You must use the WinNT provider.
Set objMember = GetObject("WinNT://MyDomain/JUser,user")

' Check if a member.
If (objLocalAdmin.IsMember(objMember.AdsPath) = True) Then
    ' Remove the member from the group.
    objLocalAdmin.Remove(objMember.AdsPath)
End If
===========

3. add domain user account to local administrators group on remote computer

Bind to the local Administrators group on the remote computer and the domain user object, both with the WinNT provider, and use the Add method of the group object. For example:
=========
' Bind to the remote computer's Administrators group.
' WinNT ADsPath form: WinNT://<computer>/<object>,<class>
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to domain user to add. You must use the WinNT provider.
Set objMember = GetObject("WinNT://MyDomain/JUser,user")

' Check that the user is not already a member (Add fails if they are).
If (objLocalAdmin.IsMember(objMember.AdsPath) = False) Then
    ' Add the user to the group.
    objLocalAdmin.Add(objMember.AdsPath)
End If
========
I would recommend adding domain groups instead of individual domain users. It is easier to manage the membership of the domain group.

4. remove local user account from remote computer

Similar, except you bind to the local user:
========
' Bind to the remote computer's Administrators group.
' WinNT ADsPath form: WinNT://<computer>/<object>,<class>
Set objLocalAdmin = GetObject("WinNT://TestComputer/Administrators,group")

' Bind to local user to remove.
Set objMember = GetObject("WinNT://TestComputer/TUser,user")

' Check if a member.
If (objLocalAdmin.IsMember(objMember.AdsPath) = True) Then
    ' Remove the user from the group.
    objLocalAdmin.Remove(objMember.AdsPath)
End If
========
All of this can be done remotely, as long as you are logged into the domain with an account that is a member of the local Administrators group on the remote computer. By default, the "Domain Admins" group is added to the local Administrators group when the computer is joined to the domain, so it should suffice to be a member of this domain group. Of course, the remote computer must be online and accessible.

I hope this helps.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
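The nested enumeration described under point 1 above, written as an audit script rather than a plain listing: it expands local and domain group nesting, stops on circular nesting, and reports every resolved account together with the chain of groups that grants it local admin rights, flagging any account not on an allow-list. It also addresses the caveat that the local Administrators group may have been renamed by resolving the group's current name from its well-known SID (S-1-5-32-544) through WMI. This is an added example and not code from the thread or from rlmueller.net; the computer name, domain name and allow-list entries are placeholders, and it assumes the same rights on the remote computer that the reply above describes.

```vbscript
Option Explicit

' Added audit example (not code from the thread or from rlmueller.net).
' Placeholders: strComputer, strDomain and the allow-list entries below.
Dim strComputer, strDomain, strAdminGroup, objGroup
Dim dictSeen, dictMembers, dictAllowed, strPath, intUnexpected

strComputer = "TestComputer"   ' placeholder remote computer name
strDomain = "MyDomain"         ' placeholder NetBIOS domain name

' Accounts expected to hold local admin rights on this computer (placeholders).
Set dictAllowed = CreateObject("Scripting.Dictionary")
dictAllowed.CompareMode = vbTextCompare
dictAllowed.Add "WinNT://" & strComputer & "/Administrator", True
dictAllowed.Add "WinNT://" & strDomain & "/ServerAdmin", True

' Resolve the current name of BUILTIN\Administrators (SID S-1-5-32-544)
' through WMI, so the group is found even if it has been renamed.
strAdminGroup = LocalAdminGroupName(strComputer)
If strAdminGroup = "" Then
    WScript.Echo "Could not resolve the Administrators group on " & strComputer
    WScript.Quit 1
End If

Set dictSeen = CreateObject("Scripting.Dictionary")
dictSeen.CompareMode = vbTextCompare
Set dictMembers = CreateObject("Scripting.Dictionary")
dictMembers.CompareMode = vbTextCompare

' Bind with the WinNT provider and expand all nesting.
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strAdminGroup & ",group")
EnumerateGroup objGroup, "", dictSeen, dictMembers

' Report: each resolved account, the nesting chain, and whether it is expected.
intUnexpected = 0
For Each strPath In dictMembers.Keys
    If dictAllowed.Exists(strPath) Then
        WScript.Echo "OK         " & strPath & "  via " & dictMembers(strPath)
    Else
        WScript.Echo "UNEXPECTED " & strPath & "  via " & dictMembers(strPath)
        intUnexpected = intUnexpected + 1
    End If
Next
WScript.Echo intUnexpected & " unexpected account(s) hold local admin rights on " & strComputer

' Returns the local group name whose SID is S-1-5-32-544, or "" on failure.
Function LocalAdminGroupName(strHost)
    Dim objWMI, colGroups, objGrp
    LocalAdminGroupName = ""
    Set objWMI = GetObject("winmgmts:\\" & strHost & "\root\cimv2")
    Set colGroups = objWMI.ExecQuery("Select Name From Win32_Group " & _
        "Where LocalAccount = True And SID = 'S-1-5-32-544'")
    For Each objGrp In colGroups
        LocalAdminGroupName = objGrp.Name
    Next
End Function

' Recursively collects leaf accounts of objGroup into dictMembers, keyed by
' AdsPath, with the group chain that grants membership as the value.
Sub EnumerateGroup(objGroup, strPath, dictSeen, dictMembers)
    Dim objMember, strNewPath
    ' Skip groups already expanded so circular nesting cannot loop forever.
    If dictSeen.Exists(objGroup.AdsPath) Then Exit Sub
    dictSeen.Add objGroup.AdsPath, True
    strNewPath = strPath & "/" & objGroup.Name
    For Each objMember In objGroup.Members
        If LCase(objMember.Class) = "group" Then
            ' Re-bind so the nested group's own Members collection is available.
            EnumerateGroup GetObject(objMember.AdsPath), strNewPath, dictSeen, dictMembers
        ElseIf Not dictMembers.Exists(objMember.AdsPath) Then
            dictMembers.Add objMember.AdsPath, strNewPath
        End If
    Next
End Sub
```

Run it with cscript so the output goes to the console. The script only reports; it deliberately does not remove anything, so that the "UNEXPECTED" lines can be reviewed before any membership change is made with the Remove method shown above.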




