Go Back   TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Become a Member!
Forgot your username/password?
Register Tags Active Topics RSS Search Mark Forums Read

Sponsored Links



Domain user to local administrators group

Windows Server Help


Reply
 
Thread Tools Search this Thread
  #1  
Old 27-09-2009
Member
 
Join Date: Sep 2009
Posts: 1
Domain user to local administrators group

Hi Everyone,

I need a VB Script for adding domain users to be a member of local administrators group.

Thanks in Advance.

Reply With Quote
  #2  
Old 27-09-2009
Al Dunbar
 
Posts: n/a
Re: Domain user to local administrators group


"alimk" <alimk.3z507c@DoNotSpam.com> wrote in message
news:alimk.3z507c@DoNotSpam.com...
>
> Hi Everyone,
>
> I need a VB Script for adding domain users to be a member of local
> administrators group.
>
> Thanks in Advance.
>
>
> --
> alimk
> ------------------------------------------------------------------------
> alimk's Profile: http://forums.techarena.in/members/138796.htm
> View this thread: http://forums.techarena.in/server-scripting/1251594.htm
>
> http://forums.techarena.in
>


Show us what you have so far.

/Al


Reply With Quote
  #3  
Old 28-09-2009
Richard Mueller [MVP]
 
Posts: n/a
Re: Domain user to local administrators group


"alimk" <alimk.3z507c@DoNotSpam.com> wrote in message
news:alimk.3z507c@DoNotSpam.com...
>
> Hi Everyone,
>
> I need a VB Script for adding domain users to be a member of local
> administrators group.
>
> Thanks in Advance.
>
>
> --
> alimk
> ------------------------------------------------------------------------
> alimk's Profile: http://forums.techarena.in/members/138796.htm
> View this thread: http://forums.techarena.in/server-scripting/1251594.htm
>
> http://forums.techarena.in
>


The key is that you must use the WinNT provider, since the local SAM account
database is not LDAP compliant. I bind to both the group and user (or any
new member) objects, so I am sure they exist and I have the correct ADsPath.
I use the Add method to add the new member, and the IsMember method to check
if the user (or group) is already a member. For example:
===========
' Bind to the local administrators group object on the computer.
Set objGroup = GetObject("WinNT://MyComputer/Administrator,group")

' Bind to the user or group object, in this case a domain user.
Set objUser = GetObject("WinNT://MyDomain/jsmith,user")

' Check if already a member.
If (objGroup.IsMember(objUser.ADsPath) = False) Then
' Add the new member.
objGroup.Add(objUser.ADsPath)
End If
=========
I would recommend adding a domain group instead of a domain user to the
local Administrators group. The role of the domain user could change, but
the role of the domain group would not. You need only change the domain
group membership. Also, this should not be done in a logon script, as most
users should not have sufficient permissions.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Reply With Quote
  #4  
Old 29-09-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Domain user to local administrators group

alimk <alimk.3z507c@DoNotSpam.com> wrote:
> Hi Everyone,
>
> I need a VB Script for adding domain users to be a member of local
> administrators group.
>
> Thanks in Advance.


Why does it especially need to be vbscript? A simple batch file startup
script in a GPO will do this. My advice would be to set up a universal
security group called LocalAdmin in AD. Add the users you wish to it

Use this in a batch file assigned as a startup script via GPO...

net localgroup administrators DOMAIN\localadmin /add


Reply With Quote
  #5  
Old 29-09-2009
Richard Mueller [MVP]
 
Posts: n/a
Re: Domain user to local administrators group


"Lanwench [MVP - Exchange]"
<lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
news:udvAj7RQKHA.3876@TK2MSFTNGP06.phx.gbl...
> alimk <alimk.3z507c@DoNotSpam.com> wrote:
>> Hi Everyone,
>>
>> I need a VB Script for adding domain users to be a member of local
>> administrators group.
>>
>> Thanks in Advance.

>
> Why does it especially need to be vbscript? A simple batch file startup
> script in a GPO will do this. My advice would be to set up a universal
> security group called LocalAdmin in AD. Add the users you wish to it
>
> Use this in a batch file assigned as a startup script via GPO...
>
> net localgroup administrators DOMAIN\localadmin /add


I would recommend that this not be done in a logon script, whether batch
file or VBScript, because normal users should not have permission and
administrator credentials should not be exposed in a logon script. Also, if
done in a logon script the task can be repeated over and over, and yet you
don't know when the task is complete for each computer. The VBScript program
has the advantage of checking first to see if the user/group needs to be
added, but unless it logs to a shared file, you still don't know when the
task is complete.

Better is to add the user or group to the local Administrators group
remotely yourself. The VBScript example I posted can be run remotely, as
long as the person is a member of the Domain Admins group, which by default
should be a member of the local Administrators group for all computers
joined to the domain. You could code a script to do this in bulk for all
computers, or computer names read from a text file.

An even better solution is to use the Restricted Groups feature of Group
Policy. Again, a domain group should be added to all local Administrators
groups, so it can be managed easily in AD. See these links for details:

http://support.microsoft.com/kb/279301

http://technet.microsoft.com/en-us/l...31(WS.10).aspx

http://support.microsoft.com/kb/810076

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


Reply With Quote
  #6  
Old 30-09-2009
Lanwench [MVP - Exchange]
 
Posts: n/a
Re: Domain user to local administrators group

Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net> wrote:
> "Lanwench [MVP - Exchange]"
> <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
> message news:udvAj7RQKHA.3876@TK2MSFTNGP06.phx.gbl...
>> alimk <alimk.3z507c@DoNotSpam.com> wrote:
>>> Hi Everyone,
>>>
>>> I need a VB Script for adding domain users to be a member of local
>>> administrators group.
>>>
>>> Thanks in Advance.

>>
>> Why does it especially need to be vbscript? A simple batch file
>> startup script in a GPO will do this. My advice would be to set up a
>> universal security group called LocalAdmin in AD. Add the users you
>> wish to it Use this in a batch file assigned as a startup script via
>> GPO...
>>
>> net localgroup administrators DOMAIN\localadmin /add

>
> I would recommend that this not be done in a logon script,


Nor I - that's why I suggested a startup script. Users will never see it.
(and this wouldn't work in a login script anyway because it would run in the
user context, and require that the user have admin rights). It isn't the
most elegant solution, but it sure is simple.

> whether
> batch file or VBScript, because normal users should not have
> permission and administrator credentials should not be exposed in a
> logon script. Also, if done in a logon script the task can be
> repeated over and over, and yet you don't know when the task is
> complete for each computer.


Yes, true for a startup script as well, but this is such a simple thing that
it doesn't hurt anything to re-add. The only thing that will happen when you
run the command is that it will say (not visible to anyone) that the group
is already a member of the group, and move on. It takes no time at all. And
it ensures that any new PC added to the domain will get this setting.

> The VBScript program has the advantage of
> checking first to see if the user/group needs to be added, but unless
> it logs to a shared file, you still don't know when the task is
> complete.
> Better is to add the user or group to the local Administrators group
> remotely yourself. The VBScript example I posted can be run remotely,
> as long as the person is a member of the Domain Admins group, which
> by default should be a member of the local Administrators group for
> all computers joined to the domain. You could code a script to do
> this in bulk for all computers, or computer names read from a text
> file.
> An even better solution is to use the Restricted Groups feature of
> Group Policy. Again, a domain group should be added to all local
> Administrators groups, so it can be managed easily in AD. See these
> links for details:


Yes, that's a very good option. The reason I don't generally use it is that
I
sometimes want different PCs to have different local group membership.
>
> http://support.microsoft.com/kb/279301
>
> http://technet.microsoft.com/en-us/l...31(WS.10).aspx
>
> http://support.microsoft.com/kb/810076
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net


BTW, I generally bow before your scripting prowess, you know. :-)




Reply With Quote
Reply

  TechArena Community > Technical Support > Computer Help > Windows Server > Windows Server Help
Tags: , ,



Thread Tools Search this Thread
Search this Thread:

Advanced Search


Similar Threads for: "Domain user to local administrators group"
Thread Thread Starter Forum Replies Last Post
Add domain user\group to local admin group problem Landon Active Directory 3 16-10-2009 09:30 PM
Remove user account from local administrators group via GPO Dil-Ber Active Directory 2 23-02-2009 09:11 PM
Builtin\administrators group vs domain admins group weaverbeaver Windows Server Help 4 14-01-2009 04:07 AM
Automatically Adding Domain Groups into Local Administrators group Frragrant Active Directory 3 17-06-2008 03:16 PM
Looking for way to enumerate members of local administrators group Mark Windows Server Help 4 04-06-2008 05:44 PM


All times are GMT +5.5. The time now is 07:46 PM.