Hi

I've absolutely no idea about scripting and have been searching the net
for scripts that add domain users / groups to local groups but haven't
found anything that works yet.

What I'm after is one that can dynamically assign the %computername%
variable inside the script so that the script works on all computers.

Additionally most of the scripts I've found add a domain user rather
than a group.

Can anybody help?

Re: Add Domain Users group to local Power Users group by Richard

Richard
Mon Nov 13 10:41:15 CST 2006

dennis wrote:

> I've absolutely no idea about scripting and have been searching the net
> for scripts that add domain users / groups to local groups but haven't
> found anything that works yet.
>
> What I'm after is one that can dynamically assign the %computername%
> variable inside the script so that the script works on all computers.
>
> Additionally most of the scripts I've found add a domain user rather
> than a group.

In VBScript you must use the WinNT provider to deal with local groups. You
would bind to the local group object and invoke the Add method of the group
object. You pass the AdsPath of the new member to the method. You can
retrieve the NetBIOS name of the current computer from the wshNetwork
object. For example, a VBScript program to be run on the computer could be:
===============
Option Explicit

Dim strComputer, objNetwork, objDomainGrp, objLocalGrp

' Retrieve NetBIOS name of computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to the domain group with the WinNT provider.
Set objDomainGrp = GetObject("WinNT://MyDomain/TestGroup,group")

' Bind to the local group with the WinNT provider.
Set objLocalGrp = GetObject("WinNT://" & strComputer & "/LocalGroup,group")

' Check if already a member.
If Not objLocalGrp.IsMember(objDomainGrp.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGrp.Add(objDomainGrp.AdsPath)
End If
==============
A few notes. If this is run by a user during logon, they may not have
sufficient permissions. However, it could be run as a Startup Script.
Startup scripts run with System privileges on the local computer and the
credentials of the computer account in the domain. Also, you may be able to
run such a script yourself remotely, if you have permissions. By default,
the group "Domain Admins" is made a member of the local Administrators group
when the computer is joined to the domain. If you are a member of "Domain
Admins", you should be able to run the script remotely. You could even
design a script to loop through several (or all) computers to make sure the
domain group is a member of the local group. Finally, you can also use
Restricted Groups in Group Policy to enforce local group membership.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
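
The loop over several computers mentioned in the post above, as an added example that is not part of the original thread or Richard's own code. The computer names, `MyDomain/TestGroup` and the local group `Power Users` are placeholder assumptions; the script records each machine's existing membership before changing it so the result can be reviewed.

```vbscript
Option Explicit

' Assumed placeholders (not from the original post): computer names,
' domain group path and local group name. Run as a local administrator
' on every target computer.
Const LOCAL_GROUP = "Power Users"
Const DOMAIN_GROUP_PATH = "WinNT://MyDomain/TestGroup,group"

Dim arrComputers, strComputer, objDomainGrp
arrComputers = Array("PC001", "PC002", "PC003")   ' constructed sample names

' Fail fast if the domain group itself cannot be resolved.
Set objDomainGrp = GetObject(DOMAIN_GROUP_PATH)

For Each strComputer In arrComputers
    Wscript.Echo strComputer & ": " & EnsureMember(strComputer, objDomainGrp.AdsPath)
Next

' Returns a status string; an unreachable computer does not stop the loop.
Function EnsureMember(strHost, strMemberPath)
    Dim objLocalGrp, objMember, strBefore, blnMember

    On Error Resume Next
    Set objLocalGrp = GetObject("WinNT://" & strHost & "/" & LOCAL_GROUP & ",group")
    If Err.Number <> 0 Then
        EnsureMember = "bind failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    ' Record the current membership for later review.
    strBefore = ""
    For Each objMember In objLocalGrp.Members
        strBefore = strBefore & objMember.AdsPath & "; "
    Next

    ' Assign first: an error inside an If condition would fall into the Then branch.
    blnMember = objLocalGrp.IsMember(strMemberPath)
    If Err.Number = 0 And Not blnMember Then objLocalGrp.Add strMemberPath

    If Err.Number <> 0 Then
        EnsureMember = "failed (0x" & Hex(Err.Number) & ")"
    ElseIf blnMember Then
        EnsureMember = "already a member [" & strBefore & "]"
    Else
        EnsureMember = "added; members before: [" & strBefore & "]"
    End If
End Function
```

Run it with `cscript` so the per-computer status lines go to the console rather than to message boxes.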



Re: Add Domain Users group to local Power Users group by Richard

Richard
Mon Nov 13 10:47:34 CST 2006


"Richard Mueller" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message
news:eca8KK0BHHA.4948@TK2MSFTNGP02.phx.gbl...
> dennis wrote:
>
>> I've absolutely no idea about scripting and have been searching the net
>> for scripts that add domain users / groups to local groups but haven't
>> found anything that works yet.
>>
>> What I'm after is one that can dynamically assign the %computername%
>> variable inside the script so that the script works on all computers.
>>
>> Additionally most of the scripts I've found add a domain user rather
>> than a group.
>
> In VBScript you must use the WinNT provider to deal with local groups. You
> would bind to the local group object and invoke the Add method of the
> group object. You pass the AdsPath of the new member to the method. You
> can retrieve the NetBIOS name of the current computer from the wshNetwork
> object. For example, a VBScript program to be run on the computer could
> be:
> ===============
> Option Explicit
>
> Dim strComputer, objNetwork, objDomainGrp, objLocalGrp
>
> ' Retrieve NetBIOS name of computer.
> Set objNetwork = CreateObject("Wscript.Network")
> strComputer = objNetwork.ComputerName
>
> ' Bind to the domain group with the WinNT provider.
> Set objDomainGrp = GetObject("WinNT://MyDomain/TestGroup,group")
>
> ' Bind to the local group with the WinNT provider.
> Set objLocalGrp = GetObject("WinNT://" & strComputer & "/LocalGroup,group")
>
> ' Check if already a member.
> If Not objLocalGrp.IsMember(objDomainGrp.AdsPath) Then
>     ' Add the domain group to the local group.
>     objLocalGrp.Add(objDomainGrp.AdsPath)
> End If
> ==============
> A few notes. If this is run by a user during logon, they may not have
> sufficient permissions. However, it could be run as a Startup Script.
> Startup scripts run with System privileges on the local computer and the
> credentials of the computer account in the domain. Also, you may be able
> to run such a script yourself remotely, if you have permissions. By
> default, the group "Domain Admins" is made a member of the local
> Administrators group when the computer is joined to the domain. If you are
> a member of "Domain Admins", you should be able to run the script
> remotely. You could even design a script to loop through several (or all)
> computers to make sure the domain group is a member of the local group.
> Finally, you can also use Restricted Groups in Group Policy to enforce
> local group membership.
>
> --
> Richard
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
>

Also, for completeness, you can do this in a batch file that runs on the
computer. I believe the command would be:

net localgroup "LocalGroup" "MyDomain\TestGroup" /add

Again, most users would probably not have permissions to do this.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net