
Thread: Domain user to local administrators group

  1. #1
    Join Date
    Sep 2009
    Posts
    1

    Domain user to local administrators group

    Hi Everyone,

    I need a VB Script for adding domain users to be a member of local administrators group.

    Thanks in Advance.

  2. #2
    Al Dunbar Guest

    Re: Domain user to local administrators group


    "alimk" <alimk.3z507c@DoNotSpam.com> wrote in message
    news:alimk.3z507c@DoNotSpam.com...
    >
    > Hi Everyone,
    >
    > I need a VB Script for adding domain users to be a member of local
    > administrators group.
    >
    > Thanks in Advance.
    >


    Show us what you have so far.

    /Al



  3. #3
    Richard Mueller [MVP] Guest

    Re: Domain user to local administrators group


    "alimk" <alimk.3z507c@DoNotSpam.com> wrote in message
    news:alimk.3z507c@DoNotSpam.com...
    >
    > Hi Everyone,
    >
    > I need a VB Script for adding domain users to be a member of local
    > administrators group.
    >
    > Thanks in Advance.
    >


    The key is that you must use the WinNT provider, since the local SAM account
    database is not LDAP compliant. I bind to both the group and user (or any
    new member) objects, so I am sure they exist and I have the correct ADsPath.
    I use the Add method to add the new member, and the IsMember method to check
    if the user (or group) is already a member. For example:
    ===========
    ' Bind to the local Administrators group object on the computer.
    Set objGroup = GetObject("WinNT://MyComputer/Administrators,group")

    ' Bind to the user or group object, in this case a domain user.
    Set objUser = GetObject("WinNT://MyDomain/jsmith,user")

    ' Check if already a member.
    If (objGroup.IsMember(objUser.ADsPath) = False) Then
        ' Add the new member.
        objGroup.Add(objUser.ADsPath)
    End If
    =========
    I would recommend adding a domain group instead of a domain user to the
    local Administrators group. The role of the domain user could change, but
    the role of the domain group would not. You need only change the domain
    group membership. Also, this should not be done in a logon script, as most
    users should not have sufficient permissions.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --



  4. #4
    Lanwench [MVP - Exchange] Guest

    Re: Domain user to local administrators group

    alimk <alimk.3z507c@DoNotSpam.com> wrote:
    > Hi Everyone,
    >
    > I need a VB Script for adding domain users to be a member of local
    > administrators group.
    >
    > Thanks in Advance.


    Why does it especially need to be vbscript? A simple batch file startup
    script in a GPO will do this. My advice would be to set up a universal
    security group called LocalAdmin in AD. Add the users you wish to it.

    Use this in a batch file assigned as a startup script via GPO...

    net localgroup administrators DOMAIN\localadmin /add



  5. #5
    Richard Mueller [MVP] Guest

    Re: Domain user to local administrators group


    "Lanwench [MVP - Exchange]"
    <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in message
    news:udvAj7RQKHA.3876@TK2MSFTNGP06.phx.gbl...
    > alimk <alimk.3z507c@DoNotSpam.com> wrote:
    >> Hi Everyone,
    >>
    >> I need a VB Script for adding domain users to be a member of local
    >> administrators group.
    >>
    >> Thanks in Advance.

    >
    > Why does it especially need to be vbscript? A simple batch file startup
    > script in a GPO will do this. My advice would be to set up a universal
    > security group called LocalAdmin in AD. Add the users you wish to it
    >
    > Use this in a batch file assigned as a startup script via GPO...
    >
    > net localgroup administrators DOMAIN\localadmin /add


    I would recommend that this not be done in a logon script, whether batch
    file or VBScript, because normal users should not have permission and
    administrator credentials should not be exposed in a logon script. Also, if
    done in a logon script the task can be repeated over and over, and yet you
    don't know when the task is complete for each computer. The VBScript program
    has the advantage of checking first to see if the user/group needs to be
    added, but unless it logs to a shared file, you still don't know when the
    task is complete.

    Better is to add the user or group to the local Administrators group
    remotely yourself. The VBScript example I posted can be run remotely, as
    long as the person is a member of the Domain Admins group, which by default
    should be a member of the local Administrators group for all computers
    joined to the domain. You could code a script to do this in bulk for all
    computers, or computer names read from a text file.

    An even better solution is to use the Restricted Groups feature of Group
    Policy. Again, a domain group should be added to all local Administrators
    groups, so it can be managed easily in AD. See these links for details:

    http://support.microsoft.com/kb/279301

    http://technet.microsoft.com/en-us/l...31(WS.10).aspx

    http://support.microsoft.com/kb/810076

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --
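
The bulk approach described in the post above, with a per-computer result log so you can tell where the change is complete, as an added example that is not code from the thread. The file names `computers.txt` and `localadmin-results.log` and the group `MyDomain\LocalAdmin` are assumptions; run it under an account that is already a local administrator on the target computers.

```vbscript
Option Explicit

' Assumed names (hypothetical, not from the thread): computers.txt holds one
' computer name per line; MyDomain\LocalAdmin is the domain group to add.
Const INPUT_FILE = "computers.txt"
Const LOG_FILE = "localadmin-results.log"
Const MEMBER_PATH = "WinNT://MyDomain/LocalAdmin,group"
Const ForReading = 1, ForAppending = 8

Dim objFSO, objInput, objLog, objMember, strComputer
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(INPUT_FILE, ForReading)
Set objLog = objFSO.OpenTextFile(LOG_FILE, ForAppending, True)

' Bind to the domain group once, so a typo in its name stops the run
' before any computer is touched.
Set objMember = GetObject(MEMBER_PATH)

Do Until objInput.AtEndOfStream
    strComputer = Trim(objInput.ReadLine)
    If strComputer <> "" Then
        ' One tab-separated line per computer: timestamp, name, outcome.
        objLog.WriteLine Now & vbTab & strComputer & vbTab & AddMember(strComputer)
    End If
Loop
objInput.Close
objLog.Close

' Returns ADDED, ALREADY_MEMBER, or ERROR plus the error code for one computer.
Function AddMember(strComputer)
    Dim objGroup, blnMember
    On Error Resume Next
    ' The local SAM is reached through the WinNT provider, as in the post.
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    ' Each step runs only if the previous one succeeded, so an unreachable
    ' computer is never reported as ALREADY_MEMBER or ADDED.
    If Err.Number = 0 Then blnMember = objGroup.IsMember(objMember.ADsPath)
    If Err.Number = 0 And Not blnMember Then objGroup.Add objMember.ADsPath
    If Err.Number <> 0 Then
        AddMember = "ERROR 0x" & Hex(Err.Number) & " " & Err.Description
    ElseIf blnMember Then
        AddMember = "ALREADY_MEMBER"
    Else
        AddMember = "ADDED"
    End If
End Function
```

Computers logged as ERROR (powered off, unreachable, access denied) are the ones to rerun; the log is appended to, so repeated runs keep a history of when each computer was brought into line.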



  6. #6
    Lanwench [MVP - Exchange] Guest

    Re: Domain user to local administrators group

    Richard Mueller [MVP] <rlmueller-nospam@ameritech.nospam.net> wrote:
    > "Lanwench [MVP - Exchange]"
    > <lanwench@heybuddy.donotsendme.unsolicitedmailatyahoo.com> wrote in
    > message news:udvAj7RQKHA.3876@TK2MSFTNGP06.phx.gbl...
    >> alimk <alimk.3z507c@DoNotSpam.com> wrote:
    >>> Hi Everyone,
    >>>
    >>> I need a VB Script for adding domain users to be a member of local
    >>> administrators group.
    >>>
    >>> Thanks in Advance.

    >>
    >> Why does it especially need to be vbscript? A simple batch file
    >> startup script in a GPO will do this. My advice would be to set up a
    >> universal security group called LocalAdmin in AD. Add the users you
    >> wish to it Use this in a batch file assigned as a startup script via
    >> GPO...
    >>
    >> net localgroup administrators DOMAIN\localadmin /add

    >
    > I would recommend that this not be done in a logon script,


    Nor I - that's why I suggested a startup script. Users will never see it.
    (and this wouldn't work in a login script anyway because it would run in the
    user context, and require that the user have admin rights). It isn't the
    most elegant solution, but it sure is simple.

    > whether
    > batch file or VBScript, because normal users should not have
    > permission and administrator credentials should not be exposed in a
    > logon script. Also, if done in a logon script the task can be
    > repeated over and over, and yet you don't know when the task is
    > complete for each computer.


    Yes, true for a startup script as well, but this is such a simple thing that
    it doesn't hurt anything to re-add. The only thing that will happen when you
    run the command is that it will say (not visible to anyone) that the group
    is already a member of the group, and move on. It takes no time at all. And
    it ensures that any new PC added to the domain will get this setting.

    > The VBScript program has the advantage of
    > checking first to see if the user/group needs to be added, but unless
    > it logs to a shared file, you still don't know when the task is
    > complete.
    > Better is to add the user or group to the local Administrators group
    > remotely yourself. The VBScript example I posted can be run remotely,
    > as long as the person is a member of the Domain Admins group, which
    > by default should be a member of the local Administrators group for
    > all computers joined to the domain. You could code a script to do
    > this in bulk for all computers, or computer names read from a text
    > file.
    > An even better solution is to use the Restricted Groups feature of
    > Group Policy. Again, a domain group should be added to all local
    > Administrators groups, so it can be managed easily in AD. See these
    > links for details:


    Yes, that's a very good option. The reason I don't generally use it is that
    I sometimes want different PCs to have different local group membership.
    >
    > http://support.microsoft.com/kb/279301
    >
    > http://technet.microsoft.com/en-us/l...31(WS.10).aspx
    >
    > http://support.microsoft.com/kb/810076
    >
    > --
    > Richard Mueller
    > MVP Directory Services
    > Hilltop Lab - http://www.rlmueller.net


    BTW, I generally bow before your scripting prowess, you know. :-)




