Discussion:
Domain user to local administrators group
(too old to reply)
alimk
2009-09-26 19:44:14 UTC
Permalink
Hi Everyone,

I need a VB Script for adding domain users to be a member of loca
administrators group.

Thanks in Advance

--
alim
-----------------------------------------------------------------------
alimk's Profile: http://forums.techarena.in/members/138796.ht
View this thread: http://forums.techarena.in/server-scripting/1251594.ht

http://forums.techarena.i
Al Dunbar
2009-09-27 15:40:23 UTC
Permalink
Post by alimk
Hi Everyone,
I need a VB Script for adding domain users to be a member of local
administrators group.
Thanks in Advance.
--
alimk
------------------------------------------------------------------------
alimk's Profile: http://forums.techarena.in/members/138796.htm
View this thread: http://forums.techarena.in/server-scripting/1251594.htm
http://forums.techarena.in
Show us what you have so far.

/Al
Richard Mueller [MVP]
2009-09-27 20:40:51 UTC
Permalink
Post by alimk
Hi Everyone,
I need a VB Script for adding domain users to be a member of local
administrators group.
Thanks in Advance.
--
alimk
------------------------------------------------------------------------
alimk's Profile: http://forums.techarena.in/members/138796.htm
View this thread: http://forums.techarena.in/server-scripting/1251594.htm
http://forums.techarena.in
The key is that you must use the WinNT provider, since the local SAM account
database is not LDAP compliant. I bind to both the group and user (or any
new member) objects, so I am sure they exist and I have the correct ADsPath.
I use the Add method to add the new member, and the IsMember method to check
if the user (or group) is already a member. For example:
===========
' Bind to the local administrators group object on the computer.
Set objGroup = GetObject("WinNT://MyComputer/Administrator,group")

' Bind to the user or group object, in this case a domain user.
Set objUser = GetObject("WinNT://MyDomain/jsmith,user")

' Check if already a member.
If (objGroup.IsMember(objUser.ADsPath) = False) Then
' Add the new member.
objGroup.Add(objUser.ADsPath)
End If
=========
I would recommend adding a domain group instead of a domain user to the
local Administrators group. The role of the domain user could change, but
the role of the domain group would not. You need only change the domain
group membership. Also, this should not be done in a logon script, as most
users should not have sufficient permissions.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Lanwench [MVP - Exchange]
2009-09-29 16:07:01 UTC
Permalink
Post by alimk
Hi Everyone,
I need a VB Script for adding domain users to be a member of local
administrators group.
Thanks in Advance.
Why does it especially need to be vbscript? A simple batch file startup
script in a GPO will do this. My advice would be to set up a universal
security group called LocalAdmin in AD. Add the users you wish to it

Use this in a batch file assigned as a startup script via GPO...

net localgroup administrators DOMAIN\localadmin /add
Richard Mueller [MVP]
2009-09-29 16:43:02 UTC
Permalink
"Lanwench [MVP - Exchange]"
Post by Lanwench [MVP - Exchange]
Post by alimk
Hi Everyone,
I need a VB Script for adding domain users to be a member of local
administrators group.
Thanks in Advance.
Why does it especially need to be vbscript? A simple batch file startup
script in a GPO will do this. My advice would be to set up a universal
security group called LocalAdmin in AD. Add the users you wish to it
Use this in a batch file assigned as a startup script via GPO...
net localgroup administrators DOMAIN\localadmin /add
I would recommend that this not be done in a logon script, whether batch
file or VBScript, because normal users should not have permission and
administrator credentials should not be exposed in a logon script. Also, if
done in a logon script the task can be repeated over and over, and yet you
don't know when the task is complete for each computer. The VBScript program
has the advantage of checking first to see if the user/group needs to be
added, but unless it logs to a shared file, you still don't know when the
task is complete.

Better is to add the user or group to the local Administrators group
remotely yourself. The VBScript example I posted can be run remotely, as
long as the person is a member of the Domain Admins group, which by default
should be a member of the local Administrators group for all computers
joined to the domain. You could code a script to do this in bulk for all
computers, or computer names read from a text file.

An even better solution is to use the Restricted Groups feature of Group
Policy. Again, a domain group should be added to all local Administrators
groups, so it can be managed easily in AD. See these links for details:

http://support.microsoft.com/kb/279301

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

http://support.microsoft.com/kb/810076
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Lanwench [MVP - Exchange]
2009-09-30 13:03:53 UTC
Permalink
Post by Richard Mueller [MVP]
"Lanwench [MVP - Exchange]"
Post by Lanwench [MVP - Exchange]
Post by alimk
Hi Everyone,
I need a VB Script for adding domain users to be a member of local
administrators group.
Thanks in Advance.
Why does it especially need to be vbscript? A simple batch file
startup script in a GPO will do this. My advice would be to set up a
universal security group called LocalAdmin in AD. Add the users you
wish to it Use this in a batch file assigned as a startup script via
GPO...
net localgroup administrators DOMAIN\localadmin /add
I would recommend that this not be done in a logon script,
Nor I - that's why I suggested a startup script. Users will never see it.
(and this wouldn't work in a login script anyway because it would run in the
user context, and require that the user have admin rights). It isn't the
most elegant solution, but it sure is simple.
Post by Richard Mueller [MVP]
whether
batch file or VBScript, because normal users should not have
permission and administrator credentials should not be exposed in a
logon script. Also, if done in a logon script the task can be
repeated over and over, and yet you don't know when the task is
complete for each computer.
Yes, true for a startup script as well, but this is such a simple thing that
it doesn't hurt anything to re-add. The only thing that will happen when you
run the command is that it will say (not visible to anyone) that the group
is already a member of the group, and move on. It takes no time at all. And
it ensures that any new PC added to the domain will get this setting.
Post by Richard Mueller [MVP]
The VBScript program has the advantage of
checking first to see if the user/group needs to be added, but unless
it logs to a shared file, you still don't know when the task is
complete.
Better is to add the user or group to the local Administrators group
remotely yourself. The VBScript example I posted can be run remotely,
as long as the person is a member of the Domain Admins group, which
by default should be a member of the local Administrators group for
all computers joined to the domain. You could code a script to do
this in bulk for all computers, or computer names read from a text
file.
An even better solution is to use the Restricted Groups feature of
Group Policy. Again, a domain group should be added to all local
Administrators groups, so it can be managed easily in AD. See these
Yes, that's a very good option. The reason I don't generally use it is that
I
sometimes want different PCs to have different local group membership.
Post by Richard Mueller [MVP]
http://support.microsoft.com/kb/279301
http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx
http://support.microsoft.com/kb/810076
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
BTW, I generally bow before your scripting prowess, you know. :-)
Loading...