
Thread: Use the "Managed By" field in AD to set as local Admin

  1. #1
    ErikW Guest

    Use the "Managed By" field in AD to set as local Admin

    Hi,
    How can I use the "managed by" field in AD to set the user entered there as
    local admin on the XP client? We are currently doing it now on our "old"
    domain but no one knows how it was done. Appreciate any help on this issue.

  2. #2
    Richard Mueller [MVP] Guest

    Re: Use the "Managed By" field in AD to set as local Admin


    "ErikW" <ErikW@discussions.microsoft.com> wrote in message
    news:60EBE0F1-CF02-4C99-8091-7F49D10615B3@microsoft.com...
    > Hi,
    > How can I use the "managed by" field in AD to set the user entered there
    > as local admin on the XP client? We are currently doing it now on our "old"
    > domain but no one knows how it was done. Appreciate any help on this
    > issue.


    Assuming you mean computer objects, I guess you could code a script to read
    the managedBy attribute, then add that user to the local Administrators
    group (assuming you want that user to be admin on only that computer). For
    one computer a VBScript program that runs on the computer could be similar
    to (not tested):
    =======
    Option Explicit

    Dim objSysInfo, strComputerDN, objComputer, strManagerDN, objAdmGroup
    Dim objNetwork, strComputer, objManager

    ' NetBIOS name of the computer this script runs on.
    Set objNetwork = CreateObject("Wscript.Network")
    strComputer = objNetwork.ComputerName

    ' Distinguished name of this computer's object in AD.
    Set objSysInfo = CreateObject("ADSystemInfo")
    strComputerDN = objSysInfo.ComputerName

    ' Read managedBy; the trailing & "" turns a Null value into "".
    Set objComputer = GetObject("LDAP://" & strComputerDN)
    strManagerDN = objComputer.managedBy & ""
    If (strManagerDN <> "") Then
        Set objManager = GetObject("LDAP://" & strManagerDN)
        ' Bind to the local Administrators group via the WinNT provider.
        Set objAdmGroup = GetObject("WinNT://" & strComputer _
            & "/Administrators,group")
        ' Add the manager only if not already a member.
        If (objAdmGroup.IsMember(objManager.AdsPath) = False) Then
            objAdmGroup.Add(objManager.AdsPath)
        End If
    End If
    ======
    I suppose you could use ADO in a VBScript program to retrieve the DN of all
    computer objects in the domain, then check that the user object referenced
    by the managedBy attribute is a member of the local Administrators group on
    each computer. This could be done once in bulk if all computers are
    authenticated to the domain. Otherwise, a logon or startup script would be
    alternatives, although you then have no control over when the update
    happens; you should code the script to run once, and most users would lack
    permissions to add members to the local Administrators group. It would be
    best to do this yourself remotely as a member of Domain Admins.

    If a script using ADO to handle this for all computers in bulk interests
    you, reply for more. Or, figure it out yourself using the information at
    this link:

    http://www.rlmueller.net/ADOSearchTips.htm

    The ADO query would retrieve the values of the distinguishedName,
    sAMAccountName, and managedBy attributes of all computers where managedBy is
    not missing. Then for each row in the resulting recordset, the script would
    bind to the local Administrators group on the computer, similar to above.
    The value of the sAMAccountName attribute of computer objects is the NetBIOS
    name of the computer with a trailing "$" appended to the end. You would
    strip off the trailing "$" to get the NetBIOS name (strComputer in the code
    snippet above).

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --



  3. #3
    ErikW Guest

    Re: Use the "Managed By" field in AD to set as local Admin

    Thank you. I'm not that into scripting these things but I will take a look
    and see what I can do. I think the way must be in the logon script. "If a
    script using ADO to handle this for all computers in bulk interests you,
    reply for more." This is very interesting.

    Erik



  4. #4
    Richard Mueller [MVP] Guest

    Re: Use the "Managed By" field in AD to set as local Admin


    "ErikW" <ErikW@discussions.microsoft.com> wrote in message
    news:5B1EEE64-02BF-4ABE-B709-2B72D0058831@microsoft.com...
    > Thank you. I'm not that into scripting these things but I will take a look
    > and see what I can do. I think the way must be in the logon script. "If a
    > script using ADO to handle this for all computers in bulk interests you,
    > reply for more" This is very interesting.
    >
    > Erik
    >


    A program as I described earlier is below. I added error trapping in case a
    computer is not available (and the script cannot bind to the local
    Administrators group) so the program echoes a message to the command line
    console. The program should be run at a command prompt using cscript. Since
    the program does nothing if the user is already a member of the local
    Administrators group, you can run it repeatedly until there is no message
    about unavailable computers. Of course whoever runs the script needs
    sufficient privileges to add members to the group. By default, the group
    "Domain Admins" should be a member of the local Administrators group on
    every computer joined to the domain. Any member of "Domain Admins" has
    permissions. I would expect most users would not have permissions, so a
    logon script would fail. If normal users had permission to manage the local
    Administrators group in a logon script, there would be no need for the
    script.
    =========
    ' VBScript program to make sure the user referred to by the
    ' managedBy attribute of every computer in the domain is a
    ' member of the local Administrators group.
    Option Explicit

    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset
    Dim strComputerDN, strComputer, strManagerDN
    Dim objAdmGroup, objManager

    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection

    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on all computer objects with managedBy assigned.
    strFilter = "(&(objectCategory=computer)(managedBy=*))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName,sAMAccountName,managedBy"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    ' Run the query.
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values.
        strComputerDN = adoRecordset.Fields("distinguishedName").Value
        strComputer = adoRecordset.Fields("sAMAccountName").Value
        strManagerDN = adoRecordset.Fields("managedBy").Value
        ' Remove trailing "$" character to get NetBIOS name.
        strComputer = Left(strComputer, Len(strComputer) - 1)
        ' Bind to user object referred to by managedBy.
        Set objManager = GetObject("LDAP://" & strManagerDN)
        ' Bind to local Administrators group on computer.
        ' Trap the error if the computer is not available.
        On Error Resume Next
        Set objAdmGroup = GetObject("WinNT://" & strComputer _
            & "/Administrators,group")
        If (Err.Number = 0) Then
            On Error GoTo 0
            ' Make sure user is a member of this group.
            If (objAdmGroup.IsMember(objManager.AdsPath) = False) Then
                objAdmGroup.Add(objManager.AdsPath)
            End If
        Else
            On Error GoTo 0
            Wscript.Echo "Unable to bind to Administrators group on " _
                & strComputer
        End If
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop

    ' Clean up.
    adoRecordset.Close
    adoConnection.Close

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --
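    The bulk procedure from this post and the single-computer version in #2, as a PowerShell script added here by the editor (not Richard's code and not from the thread). It assumes the RSAT ActiveDirectory module is installed and that the caller, as above, can change the local Administrators group on each computer; -WhatIf lists what would change without changing it, and the objectClass check is an addition the VBScript does not make.

    ```powershell
    # Added example, not from the thread. Assumes the RSAT ActiveDirectory module
    # and a caller with rights on each computer's local Administrators group.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Import-Module ActiveDirectory
    $domain = (Get-ADDomain).NetBIOSName

    # Same LDAP filter as the VBScript: computers that have managedBy set.
    $computers = Get-ADComputer -LDAPFilter '(&(objectCategory=computer)(managedBy=*))' `
                                -Properties managedBy

    foreach ($c in $computers) {
        # sAMAccountName of a computer object is its NetBIOS name plus a trailing "$".
        $netbios = $c.SamAccountName.TrimEnd('$')

        # managedBy is a DN and may reference a group or contact, not only a user;
        # the VBScript adds whatever it references, so check objectClass first.
        $manager = Get-ADObject -Identity $c.managedBy -Properties sAMAccountName
        if ($manager.ObjectClass -ne 'user') {
            Write-Warning "$netbios : managedBy is a $($manager.ObjectClass) ($($manager.DistinguishedName)); skipped"
            continue
        }
        $memberPath = "WinNT://$domain/$($manager.sAMAccountName)"

        try {
            # Bind to the local Administrators group via the WinNT provider, as the
            # VBScript does. The bind is lazy: an unreachable computer fails at Invoke.
            $group   = [ADSI]"WinNT://$netbios/Administrators,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            })
        } catch {
            Write-Warning "Unable to bind to Administrators group on $netbios : $($_.Exception.Message)"
            continue
        }

        # Idempotent, like the VBScript: do nothing if already a member.
        if ($members -contains $memberPath) {
            Write-Verbose "$netbios : $memberPath is already a member"
            continue
        }
        if ($PSCmdlet.ShouldProcess($netbios, "Add $memberPath to local Administrators")) {
            $group.Add($memberPath)
            Write-Output "$netbios : added $memberPath"
        }
    }
    ```

    Because this turns the managedBy attribute into local Administrators membership, anyone who can write managedBy on a computer object can choose who is admin there, so the write permissions on that attribute deserve the same review as the group itself.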



  5. #5
    ErikW Guest

    Re: Use the "Managed By" field in AD to set as local Admin

    Thank you! I will give this a try.


