Pluto
Mon Nov 13 03:37:01 CST 2006
Hi Richard,
Thank you very very much. This will help me big time to resolve the issue I
have.
Appreciated !
Pluto
"Richard Mueller" wrote:
> Pluto wrote:
>
> > I have joined a new company and my predecessor added Domain Users to the
> > local Administrators group (through the GPO) on every single desktop in
> > the domain.
> >
> > This has been discovered recently and I have to find a solution ASAP. I
> > was told that the reason this has been like that is that one of the
> > applications requires local admin privileges to run properly.
> >
> > I need to add an individual domain user to the local Administrators group
> > on each workstation, ideally during the logon process through netlogon. Is
> > this possible at all, to add a domain user into the local Administrators
> > group during the netlogon process? I can't have a group of users added to
> > the local Administrators group as they don't want to have somebody else
> > being local admin on their desktop.
> >
> > I am not sure how to script this and would really appreciate your help. If
> > I can do this with a script through netlogon, I will later on be removing
> > the Domain Users group from the local Administrators group on each desktop
> > again through the GPO by unchecking that feature.
>
> This can be done, but would seem to defeat the purpose. I just need to logon
> to your computer and I acquire Admin rights. I would of course fault the
> application that requires you to compromise security. It is recommended that
> even network admins not logon with admin rights under normal circumstances.
>
> I assume you have users assigned to computers. Anyone can logon to a
> computer, but only one user is really assigned to it and should be using it.
> You want only this one user to have Admin rights. It seems to me you have to
> do this remotely. This can be done if the group Domain Admins is a member of
> the local Administrators group on every computer (and you are a member of
> this group). I would prepare a spreadsheet with the NT Name of each user
> (the sAMAccountName, also called the pre-Windows 2000 logon name) and the
> NetBIOS name of the associated computer. A VBScript program can read the
> spreadsheet and add the user to the appropriate local Administrators group.
> Assuming that the user NT name is in the first column, and the NetBIOS name
> of "their" computer is in the second, and assuming the first row of the
> spreadsheet should be skipped (column headings), the script could be similar
> to:
> =============
> Option Explicit
>
> Dim strExcelPath, objExcel, objSheet, intRow
> Dim strComputer, strNTName, objAdmGroup, strDomain
> Dim objUser
>
> ' Specify the NetBIOS name of the domain.
> strDomain = "MyDomain"
>
> ' Specify Excel spreadsheet.
> strExcelPath = "c:\MyScripts\UserList.xls"
>
> ' Bind to Excel object.
> Set objExcel = CreateObject("Excel.Application")
>
> ' Open spreadsheet.
> objExcel.Workbooks.Open strExcelPath
>
> ' Bind to worksheet.
> Set objSheet = objExcel.ActiveWorkbook.Worksheets(1)
>
> ' Read rows of spreadsheet, except the first, until blank encountered.
> ' intRow is the row number of the spreadsheet.
> intRow = 2
> Do While objSheet.Cells(intRow, 1).Value <> ""
>     ' Retrieve NT name (pre-Windows 2000 logon name) of user.
>     strNTName = Trim(objSheet.Cells(intRow, 1).Value)
>     ' Bind to domain user object with the WinNT provider.
>     ' Trap error if object not found.
>     On Error Resume Next
>     Set objUser = GetObject("WinNT://" & strDomain _
>         & "/" & strNTName & ",user")
>     If (Err.Number <> 0) Then
>         On Error GoTo 0
>         Wscript.Echo "User " & strNTName & " not found."
>     Else
>         On Error GoTo 0
>         ' Retrieve NetBIOS name of computer for this user.
>         strComputer = Trim(objSheet.Cells(intRow, 2).Value)
>         ' Bind to local Administrators group on the computer.
>         ' Trap error if object not found.
>         On Error Resume Next
>         Set objAdmGroup = GetObject("WinNT://" & strComputer _
>             & "/Administrators,group")
>         If (Err.Number <> 0) Then
>             On Error GoTo 0
>             Wscript.Echo "Computer " & strComputer & " not found."
>         Else
>             On Error GoTo 0
>             ' Check if user already a member.
>             If Not objAdmGroup.IsMember(objUser.AdsPath) Then
>                 ' Add the user to the local Administrators group.
>                 objAdmGroup.Add(objUser.AdsPath)
>             End If
>         End If
>     End If
>     intRow = intRow + 1
> Loop
>
> ' Close the workbook.
> objExcel.ActiveWorkbook.Close
>
> ' Quit Excel.
> objExcel.Application.Quit
>
> ' Clean up.
> Set objUser = Nothing
> Set objAdmGroup = Nothing
> Set objExcel = Nothing
> Set objSheet = Nothing
>
> Wscript.Echo "Done"
> ========
> If a computer is not available (turned off, for example), an error will be
> raised when the script attempts to bind to it. The program outputs the
> computer name. You may need to repeat the script to get all computers. The
> program only adds the user to the group if they are not already a member.
> --
> Richard
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
>
>
>
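The same per-computer assignment Richard describes, as an added PowerShell example that is not code from the thread or from Richard's site. It drives the loop from a CSV instead of an Excel workbook, verifies both WinNT paths before touching anything, records unreachable computers for a rerun, supports the later removal Pluto mentions, and reports whether the GPO's blanket "Domain Users" membership is still present on each machine. The CSV path, the Retry.csv output, the "Domain Users" check and the function name Set-LocalAdminMembership are assumptions; the domain name "MyDomain" is the placeholder from the thread. As in the original script, the caller must be a local administrator on every target (for example a member of Domain Admins), since the WinNT binds run with the caller's credentials.

```powershell
#Requires -Version 3.0
<#
  Added example, not part of the original thread. Per-user local
  Administrators assignment from a CSV with header "User,Computer".
  Assumptions: the CSV and Retry.csv paths below, and that the caller is a
  local administrator on each target (e.g. a member of Domain Admins).
  Run from an elevated, domain-joined session.
#>
param(
    [string]$CsvPath   = 'C:\MyScripts\UserList.csv',  # assumed path
    [string]$Domain    = 'MyDomain',                    # NetBIOS domain name, as in the thread
    [switch]$Remove,                                    # undo the per-user grants later
    [switch]$ReportOnly                                 # show what would change, change nothing
)

# DirectoryEntry.Exists returns $false for "no such object" and throws for
# other bind failures (access denied, RPC unavailable); treat both as "no".
function Test-AdsiPath {
    param([string]$Path)
    try { [System.DirectoryServices.DirectoryEntry]::Exists($Path) } catch { $false }
}

function Set-LocalAdminMembership {
    param([string]$Computer, [string]$User, [string]$Domain, [switch]$Remove, [switch]$ReportOnly)

    $userPath  = "WinNT://$Domain/$User,user"
    $groupPath = "WinNT://$Computer/Administrators,group"
    $status    = [ordered]@{ Computer = $Computer; User = $User; DomainUsersStillAdmin = $null; Result = '' }

    # Validate the spreadsheet entry before binding to any computer.
    if (-not (Test-AdsiPath $userPath)) {
        $status.Result = 'user not found in domain'
        return [pscustomobject]$status
    }
    # A powered-off host is the common failure; record it for the next run.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        $status.Result = 'computer unreachable, retry later'
        return [pscustomobject]$status
    }
    if (-not (Test-AdsiPath $groupPath)) {
        $status.Result = 'cannot bind to local Administrators (not an admin on this host?)'
        return [pscustomobject]$status
    }

    $group    = [ADSI]$groupPath
    # IADsGroup methods (IsMember, Add, Remove) via DirectoryEntry.Invoke.
    $isMember = [bool]$group.Invoke('IsMember', $userPath)
    # Flag machines where the GPO still grants every domain user admin rights.
    $status.DomainUsersStillAdmin = [bool]$group.Invoke('IsMember', "WinNT://$Domain/Domain Users,group")

    if ($Remove) {
        if (-not $isMember)  { $status.Result = 'not a member, nothing to remove' }
        elseif ($ReportOnly) { $status.Result = 'would remove' }
        else { $group.Invoke('Remove', $userPath); $status.Result = 'removed' }
    } else {
        if ($isMember)       { $status.Result = 'already a member' }
        elseif ($ReportOnly) { $status.Result = 'would add' }
        else { $group.Invoke('Add', $userPath); $status.Result = 'added' }
    }
    return [pscustomobject]$status
}

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    Set-LocalAdminMembership -Computer $row.Computer.Trim() -User $row.User.Trim() `
        -Domain $Domain -Remove:$Remove -ReportOnly:$ReportOnly
}
$results | Format-Table -AutoSize

# Rows to feed into the next run, since offline machines must be repeated.
$results | Where-Object { $_.Result -like 'computer unreachable*' } |
    Select-Object User, Computer |
    Export-Csv -Path 'C:\MyScripts\Retry.csv' -NoTypeInformation   # assumed path
```

Run it once with -ReportOnly to check the spreadsheet against the domain before any group is modified, and pass Retry.csv as -CsvPath on later runs until no rows remain. The DomainUsersStillAdmin column is the check to watch after the GPO setting is removed: any machine still reporting True has not yet applied the new policy.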