bsharath

Script to add the currently logged in user as administrator

Hi,

Is there a way that I can run the script and have the logged-in user added automatically to the Local Administrator group?

regards
Sharath
jimstar

A 'normal' user cannot make themselves an administrator by running a script. This is for obvious reasons. Any script that adds a user to the administrator's group would need to be executed under the permissions of an administrator of that machine.
Well, you could use the 'runas' command to execute the script as an administrator account.
The downside with runas is that you cannot specify the password on the command line. Thus, if you're stuck typing in the administrator password each time, you may as well just give the user the admin password to begin with.
Hi Sharath,

A complication is that the Startup script does not know who the user will
be. The Startup script should add a domain group to the local Administrators
group, and then all the desired users can be made members of this domain
group. You can use the group "Domain Users" if you want everyone included.
Note that a normal user cannot add themselves to any group, so a logon
script would never work. A Startup script for computers runs with System privileges so it
can add users to local groups. A sample VBScript Startup script follows,
where I add the domain group "MyGroup" to the local Administrators group:

====================
Option Explicit

Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup

' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/MyGroup,group")

' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGroup.Add(objDomainGroup.AdsPath)
End If

' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing
====================
bsharath

ASKER

Is there a way that I can have a script in \\machinename\foldername?
I can use the admin credentials to log in there, as I have many more scripts I need to execute from the UNC path, so it would be easy for me to add.

As you say, Chandru, a logon script would be dangerous: any user can log in to any machine and get full access. So is there a way that I go to a UNC path and run the script? I don't mind having the username and password in the script; later I could encrypt the VBS file,
so that no one can see the credentials.
Sharath,

You need to apply this script using a computer startup script with a group created in your domain. So if you add a user, he will be administrator of all the machines. Is that what you want?
Say I have just got a new machine formatted and ready to be allotted to a new joiner. Is there a way that, when the user logs in and runs the script, only then the logged-in user is added to the Administrator group?
RobSampson
Sharath, would you be happy to run this from your machine, with admin credentials, against the remote machine?  If so, try this code:

'===================
Set wshNetwork = WScript.CreateObject( "WScript.Network" )
strUserDomain = wshNetwork.UserDomain

strUserComputer = InputBox("Please enter an IP Address or computer name:", _
    "Add logged on user to local Administrators group","172.16.2.64")

If IsEmpty(strUserComputer) = True Then Wscript.Quit

Set objWMIService = GetObject("winmgmts:" _
      & "{impersonationLevel=impersonate}!\\" & strUserComputer & "\root\cimv2")
Set colComputer = objWMIService.ExecQuery _
      ("Select * from Win32_ComputerSystem")
      
For Each objComputer in colComputer
      strUserName = objComputer.UserName
Next

If InStr(strUserName, "\") > 0 Then strUserName = Mid(strUserName, InStrRev(strUserName, "\") + 1)

Set objAdmins = GetObject("WinNT://" & strUserComputer & "/Administrators")
Set objWinntUser = GetObject("WinNT://" & strUserDomain & "/" & strUserName)

strGroupToCheck = "Administrators"

If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
      objAdmins.Add(objWinntUser.ADsPath)
      MsgBox strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
Else
      MsgBox strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
End If


Function IsMemberOfGroup(strUserDomain, objUser, strGroup) 'the user is a member of a specified group
      IsMemberOfGroup = False
      Dim objGroup
      On Error Resume Next
      Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
      If Err.Number Then
            IsMemberOfGroup = "Error"
      Else
            IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
            'MsgBox objUser.ADsPath
      End If
End Function
'===================

Regards,

Rob.
Rob, is there any other option that I can run from the machine I am logged in to, which does not have admin access?
If required, we can have the credentials in the script or use runas to execute the script.
ASKER CERTIFIED SOLUTION
RobSampson
Rob GM....

Should I save this file on the remote machine and run it?
I tried saving the file on the remote machine and changing the psexec.exe path,
and entered the admin user name and password.
When I run from a machine that does not have access, I just get a box and it does not add...
Yes, this script must be run directly from the remote machine, from the user account that is required to be added to the group.

>> When I run from a machine that does not have access, I just get a box and it does not add...

By this I take it you mean they don't have access to PSExec? Is that right?

Regards,

Rob.
Rob...
When I log in to a fresh, newly installed machine with the new joiner's credentials,
when I access the UNC path I need to enter a username and password.
After that, when I double-click on the script, I just get a box but it does not add the user to the group...
So the computer isn't joined to the domain yet?  Then are they logging in with a local user account, or a domain user account?
The computers are joined to the Domain and I use the new user's credentials to log in to the machine. As he is not the Administrator of the machine we need to use the admin credentials to access the share where the script is resided.
Can you give read only access to that share for everyone and try Rob's script?
Chandru...
Everyone has full access to the folder...
Sharath..

"As he is not the Administrator of the machine we need to use the admin credentials to access the share where the script is resided."

Can you explain the above?
Chandru, I have this script on a server, and when I give the machine name, it works great: it adds the logged-in user as administrator. But what I wanted is that, from the client machine, when I access the script which is on the remote machine, I need to be able to give permissions to the logged-in machine...
As the client machine does not have admin permissions, when I access the shared folder on the remote machine where the VBS file is, I need to use admin credentials to access it...
Can you please explain a bit more as i am confused?
Sharath,
Just a quick question. Do you have a script to display the user AD attribute and Exchange attribute?
>>Do you have a script to display the user AD attribute and Exchange attribute?
Sorry, I did not get you; can you explain...
About my requirement...
I have logged in to a newly formatted machine. I have logged in with the newly created username, so I will not have any permission on the machine or the network.
So the script is in this path: "\\machinename\sharename\filename.vbs"
So when I go to Run and put in the path, it asks me for the username and password. I give the Domain\administrator credentials to access the share.
Now when I double-click the VBS file, nothing happens. What I want is for it to add the logged-in user to the Administrator group.
Hope this is clear...
I was sending that message to some one else. Sorry..........?
ok no problem...
Can you keep the same script in the netlogon share and try running the script as all users will have (even the new users) read access?

I tried this and it works
Shall try... And help on the Excel user creation....
I haven't tried that.... I know you are very much in need. I will work on installing exchange server in a test lab and test it tomorrow and post the code
Rob GM...

Any help...
Sharath, as Chandru has suggested, on a non-domain machine, can you access a DC's NetLogon share, or is that denied as well?  If it is, then we can combine a previous script of mine that adds credentials for a resource, before accessing the file....

Regards,

Rob.
Rob ...Non Domain?
I want to give permissions to only computers who are in the Domain with the logged in user.

I am able to access the share with the credentials it asks before letting me to the share.
Later no error message...
The other script that you gave me to remotely add a logged in user as administrator works fine...
Oh, OK.  So you are able to get access to the share where the script is.  Is PSExec in the same folder, and have you updated the PSExecPath in the script to point to that?

So when you click it it does nothing?  Try putting a MsgBox at the bottom and see if that pops up.

Regards,

Rob.
Sorry to get back with an issue with this script.

Yes, all the files are in 1 folder. I am able to access the folder from the remote machine and even changed the PsExec path and even put in the username and password... But it does not add the logged-in user as Administrator.

I get this box..

---------------------------

---------------------------
cmd /c \\indiasophos\ps\psexec.exe -accepteula -e -i -u development\admini -p password \\DEV-CHEN-PC1730 wscript \\indiasophos\ps\ADDTOA~1.VBS AsAdmin DEVELOPMENT\LETest
---------------------------
OK  
---------------------------

Then Get a OK button
But does not add
The same script works fine on my machine, the only difference is that I haven't tried it from a computer not on the domain.  This is what I get:

---------------------------

---------------------------
cmd /c \\server\share\psexec.exe -accepteula -e -i -u domain\admin -p password \\MYLOCALPC wscript \\server\share\ADDTOA~1.VBS AsAdmin MYDOMAIN\RSampson
---------------------------
OK  
---------------------------

Then I get this:
---------------------------

---------------------------
WinNT://MYDOMAIN/RSampson
---------------------------
OK  
---------------------------


Then this:
---------------------------

---------------------------
MYDOMAIN/RSampson is already a member of the Administrator's group
---------------------------
OK  
---------------------------


Having said that though, I just realised that for this to work, the same username and password that you specify in the script MUST have admin rights over the target PC.......

Regards,

Rob.
Yes Rob, the credentials that I mention have rights everywhere, as they are the Domain administrator credentials.

When I try to run the script on a machine that already has permissions, I get all the popups as you mentioned.
To confirm again, I am running the scripts on a machine that has already been added to the Domain.
The machine is in the Domain.
When I access the shared folder where these files are, it opens and just pops up the 2 boxes that I mentioned above; the second one is "Done".

That's really, really strange.  The script does not offer any MsgBox that says "Done" anywhere in it.  The only thing that I can think of is that it is not re-calling the correct script.

Can you try:
1) If you rename the VBS file to only eight character, eg: Add2Admn.vbs, and then run, does it work?
2) If you connect to that share, then copy the script, and PSExec locally, and change the PSExec path within script to
strPSExecPath = Replace(WScript.ScriptFullPath, WScript.ScriptPath, "") & "PSExec.exe"

and see if works locally....

Regards,

Rob.
I get the Done box as you told me to add the Msgbox to the end...

I copied the script and psexec file to another machine and changed the line as suggested.

I get this.
---------------------------
Windows Script Host
---------------------------
Script:      C:\Add.vbs
Line:      6
Char:      1
Error:      Object doesn't support this property or method: 'WScript.ScriptFullPath'
Code:      800A01B6
Source:       Microsoft VBScript runtime error

---------------------------
OK  
---------------------------
Oh yeah, sorry about that, yes I did ask you to put that at the end.....

Sorry, should be:
strPSExecPath = Replace(WScript.ScriptFullName, WScript.ScriptName, "") & "PSExec.exe"

Is there an On Error Resume Next in the script?  If so, please remove it.  If not, then maybe it's not running the PSExec properly, so change
strCommand = "cmd /c " ......
so the "c" becomes a "k"
strCommand = "cmd /k " .......

and change
objShell.Run strCommand, 0, False
to
objShell.Run strCommand, 1, False

and see what the box says....

Regards,

Rob.
Rob, I made all the changes, and when I run it I get this error.

'\\indiasophos\Ps'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

PsExec v1.85 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


PsExec could not start wscript on DEV-CHEN-MRD100:
Logon failure: the user has not been granted the requested logon type at this computer.

I am using the Domain credentials only...
Here is the full code....

'===================
Set wshNetwork = WScript.CreateObject( "WScript.Network" )
strUserName = wshNetwork.UserName
strUserDomain = wshNetwork.UserDomain

strPSExecPath = "\\indiasophos\ps\psexec.exe"
strAdminUser = "development\administrator"
strAdminPass = "password"

'strUserComputer = InputBox("Please enter an IP Address or computer name:", _
'    "Add logged on user to local Administrators group","172.16.2.64")

'If IsEmpty(strUserComputer) = True Then Wscript.Quit

strUserComputer = "."

If WScript.Arguments.Count = 0 Then
      Normal_User strUserDomain & "\" & strUserName, strPSExecPath, strAdminUser, strAdminPass
ElseIf WScript.Arguments.Item(0) = "AsAdmin" Then
      Admin_User strUserComputer, WScript.Arguments.Item(1)
Else
      WScript.Echo "Unknown arguments recieved."
End If

Sub Normal_User(strUser, strPSExec, strAdmin, strPass)

      Set objFSO = CreateObject("Scripting.FileSystemObject")
      strPSExec = objFSO.GetFile(strPSExec).ShortPath
      strCommand = "cmd /k " & strPSExec & " -accepteula -e -i -u " & strAdmin & " -p " & strPass & " \\" & wshNetwork.ComputerName & " wscript " & objFSO.GetFile(WScript.ScriptFullName).ShortPath & " AsAdmin " & strUser
      MsgBox strCommand
      Set objShell = CreateObject("WScript.Shell")
      objShell.Run strCommand, 1, False
     
End Sub

Sub Admin_User(strComputer, strUser)
      strUserName = Mid(strUser, InStrRev(strUser, "\") + 1)
      strDomain = Left(strUser, InStr(strUser, "\") - 1)
     
      Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
      MsgBox "WinNT://" & strDomain & "/" & strUserName
      Set objWinntUser = GetObject("WinNT://" & strDomain & "/" & strUserName)
     
      strGroupToCheck = "Administrators"
     
      If IsMemberOfGroup(strComputer, objWinntUser, strGroupToCheck) = False Then
            objAdmins.Add(objWinntUser.ADsPath)
            MsgBox strDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
      Else
            MsgBox strDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
      End If
End Sub

Function IsMemberOfGroup(strUserDomain, objUser, strGroup) 'the user is a member of a specified group
      IsMemberOfGroup = False
      Dim objGroup
      'On Error Resume Next
      Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
      If Err.Number Then
            IsMemberOfGroup = "Error"
      Else
            IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
            'MsgBox objUser.ADsPath
      End If
End Function
MsgBox "Done"
'===================
OK, this is your problem....
>> Logon failure: the user has not been granted the requested logon type at this computer.

So I take it DEV-CHEN-MRD100 is the local machine you are running the script from....

Did you try copying it locally?  It doesn't seem like it did, since it has
>> UNC paths are not supported

See if this helps:
https://www.experts-exchange.com/questions/21072962/Logon-Failure-The-user-has-not-been-granted-the-requested-logon-type-at-this-computer.html

Regards,

Rob.
Rob, I copied the script to the local machine and changed this path:

strPSExecPath = "c:\psexec.exe"
And when I run it I also get the same message...
Are you sure it is joined to the domain, and that Domain Admins are in your local Administrators group?

As a long shot, go into Windows Explorer, click Tools --> Folder Options --> View Tab --> scroll to the bottom, and untick Use Simple File Sharing

Regards,

Rob.
Or try removing the -i switch from the PSExec command....
I am running this on Windows 2003. I can't see file print and sharing in there.
I have tried removing the -i but still get the same error.
When I run it on the machine where the script is, I used to get "the administrator is already a member", but now it's just reading.....
OK, go back to the script you accepted as an answer, but change
strCommand = "cmd /c " ......
so the "c" becomes a "k"
strCommand = "cmd /k " .......

and change
objShell.Run strCommand, 0, False
to
objShell.Run strCommand, 1, False

Then, on the local machine, click Start --> Run --> GPEdit.msc and click OK.

Check that the policy
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Access this computer from the network
has the correct Administrators group (that includes the credentials you're using)

Also check that the policy
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Log on Locally
has the correct Administrators group (that includes the credentials you're using)

And possibly even
Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Log on as a Service

as well.

Regards,

Rob.
Rob, I did all as you said... There was the Administrators group in there; I have also added Domain\administrator to it.

I get this...

'\\indiasophos\Ps'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

PsExec v1.85 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

PsExec could not start wscript on DEV-CHEN-MRD100:
Logon failure: the user has not been granted the requested logon type at this computer.
Rob, I tested on some of the other machines...
It says access denied in the cmd prompt.
On the PSexec line, please try adding the
-s
switch before the
-e
switch, so it reads
strCommand = "cmd /c " & strPSExec & " -accepteula -s -e -i -u " & strAdmin & " -p " & strPass & " \\" & wshNetwork.ComputerName & " wscript " & objFSO.GetFile(WScript.ScriptFullName).ShortPath & " AsAdmin " & strUser

Regards,

Rob.
Thanks a lot Rob...Now it works ...You are a Genius.....

I think the "-s" was the problem...What do you think....
Rob, I tested on many more machines and I get this...
'\\dev-chen-mrd100\Ps'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

PsExec v1.85 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

Could not start PsExec service on DEV-CHEN-PC930:
Access is denied.

Hmmm, the -s runs under the System account.....I'm not sure....there seems to be conflicting security issues on your PCs when they are joined to the domain, maybe?

On one of these computers that still has a problem, if you use the first script I gave you that you run from *your* PC against the remote one.....does it work, or still have an error?

Regards,

Rob.
Yes, that script works great... I have already started to use it and I have added 45 users to the administrator group remotely...
OK then, that gives us the ability to go to a client machine, browse to the UNC path, then run this script, which will execute the script again *from* the server with admin credentials, effectively copying what you do from your machine.....

'===================
Set wshNetwork = WScript.CreateObject( "WScript.Network" )
strComputerName = wshNetwork.ComputerName
strUserName = wshNetwork.UserName
strUserDomain = wshNetwork.UserDomain

strPSExecPath = "\\indiasophos\ps\psexec.exe"
strAdminUser = "development\administrator"
strAdminPass = "password"

strServer = Mid(Right(strPSExecPath, Len(strPSExecPath) - 2), 1, InStr(Right(strPSExecPath, Len(strPSExecPath) - 2), "\") - 1)

'strUserComputer = InputBox("Please enter an IP Address or computer name:", _
'    "Add logged on user to local Administrators group","172.16.2.64")

'If IsEmpty(strUserComputer) = True Then Wscript.Quit

strUserComputer = "."

If WScript.Arguments.Count = 0 Then
      Normal_User strUserDomain & "\" & strUserName, strPSExecPath, strAdminUser, strAdminPass
ElseIf WScript.Arguments.Item(0) = "AsAdmin" Then
      Admin_User WScript.Arguments.Item(2), WScript.Arguments.Item(1)
Else
      WScript.Echo "Unknown arguments recieved."
End If

Sub Normal_User(strUser, strPSExec, strAdmin, strPass)

      Set objFSO = CreateObject("Scripting.FileSystemObject")
      strPSExec = objFSO.GetFile(strPSExec).ShortPath
      strCommand = "cmd /k " & strPSExec & " -accepteula -e -u " & strAdmin & " -p " & strPass & " \\" & strServer & " wscript " & objFSO.GetFile(WScript.ScriptFullName).ShortPath & " AsAdmin " & strUser & " " & strComputerName
      InputBox "Prompt", "Title", strCommand
      Set objShell = CreateObject("WScript.Shell")
      objShell.Run strCommand, 1, False
     
End Sub

Sub Admin_User(strComputer, strUser)
      strUserName = Mid(strUser, InStrRev(strUser, "\") + 1)
      strDomain = Left(strUser, InStr(strUser, "\") - 1)
     
      Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
      'MsgBox "WinNT://" & strDomain & "/" & strUserName
      Set objWinntUser = GetObject("WinNT://" & strDomain & "/" & strUserName)
     
      strGroupToCheck = "Administrators"
     
      If IsMemberOfGroup(strComputer, objWinntUser, strGroupToCheck) = False Then
            objAdmins.Add(objWinntUser.ADsPath)
            'MsgBox strDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
      Else
            'MsgBox strDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
      End If
End Sub

Function IsMemberOfGroup(strUserDomain, objUser, strGroup) 'the user is a member of a specified group
      IsMemberOfGroup = False
      Dim objGroup
      'On Error Resume Next
      Set objGroup = GetObject("WinNT://" & strUserDomain & "/" & strGroup & ",group")
      If Err.Number Then
            IsMemberOfGroup = "Error"
      Else
            IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
            'MsgBox objUser.ADsPath
      End If
End Function
'===================

Regards,

Rob.
Rob, I get this....

cmd /k \\indiasophos\ps\psexec.exe -accepteula -e -u development\administrator -p password \\indiasophos wscript \\indiasophos\ps\Add.vbs AsAdmin DEVELOPMENT\fsuser DEV-CHEN-PC1100

Get this error on cmd prompt....

'\\indiasophos\Ps'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

PsExec v1.85 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com

Couldn't access indiasophos:
Access is denied.
Hmmm, odd.....Couldn't access indiasophos

OK, from that same machine that you ran this last command, can you browse to
\\indiasophos\ps

Regards,

Rob.
Yes...
Really?  Can you try
cmd /k \\indiasophos\ps\psexec.exe -accepteula -e -u development\administrator -p password \\indiasophos wscript \\indiasophos\ps\Add.vbs AsAdmin DEVELOPMENT\fsuser DEV-CHEN-PC1100

again, from DEV-CHEN-PC1100

If that doesn't work, can you try running the following from INDIASOPHOS *while* logged in as the administrator?
cmd /k wscript \\indiasophos\ps\Add.vbs AsAdmin DEVELOPMENT\fsuser DEV-CHEN-PC1100


Regards,

Rob.
I get this...

C:\Documents and Settings\Administrator.DEVELOPMENT>cmd /k \\indiasophos\ps\psex
ec.exe -accepteula -e -u development\administrator -p password \\indiasophos wsc
ript \\indiasophos\ps\Add.vbs AsAdmin DEVELOPMENT\fsuser DEV-CHEN-PC1100

PsExec v1.85 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


wscript exited on indiasophos with error code 0.


For the second one I get no results or errors...
Right, if that exited with error code 0, that means there was no error.....did the script work then?

Is that user now an Admin of that machine?

Rob.
Yes Rob, I just checked on Dev-chen-pc1100: Fsuser has become an administrator of that machine.
Right, so now the script is working.....I wonder what changed......
Can I have the whole script, Rob, with all those changes...
I don't know which code you are running.....the last full lot of code I gave you is at comment with ID 20091290.  As far as I know, we haven't changed the functionality of the script.....

And by the way, I really have a feeling there were security issues here....maybe something hadn't replicated for a day or two....

Regards,

Rob.
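
The PsExec command lines in this thread carry the domain administrator password after `-p`, so it is visible in the process list and in any command-line auditing, and they run a script from a share that the thread says everyone has full access to. As an added example (not part of the thread and not any participant's code), this Python check parses such command lines and reports those conditions with the password redacted; `analyze`, `SAMPLES` and the third and fourth sample lines are assumptions made for illustration, and only the PsExec switches that appear on this page are modelled.

```python
import re
import shlex

# Matches the PsExec binary whether given bare or with a local/UNC path.
PSEXEC = re.compile(r"(^|\\)psexec(64)?(\.exe)?$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}

# Constructed sample command lines; the first two are adapted from the thread.
SAMPLES = [
    r"cmd /k \\indiasophos\ps\psexec.exe -accepteula -e -u development\administrator"
    r" -p password \\indiasophos wscript \\indiasophos\ps\Add.vbs AsAdmin"
    r" DEVELOPMENT\fsuser DEV-CHEN-PC1100",
    r"cmd /c \\server\share\psexec.exe -accepteula -s -e -i -u domain\admin"
    r" -p password \\MYLOCALPC wscript \\server\share\ADDTOA~1.VBS AsAdmin"
    r" MYDOMAIN\RSampson",
    r"psexec.exe -u domain\admin \\MYLOCALPC wscript C:\Add.vbs",  # no -p: PsExec prompts
    r"wscript \\server\share\Add.vbs",                             # no PsExec at all
]


def analyze(cmdline):
    """Return findings for one process command line, or None if it is not PsExec."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keep Windows backslashes
    except ValueError:                               # unbalanced quote in the log
        tokens = cmdline.split()
    start = next((i for i, t in enumerate(tokens)
                  if PSEXEC.search(t.strip('"'))), None)
    if start is None:
        return None

    user = target = pw_index = None
    as_system = False
    remote = []
    i = start + 1
    while i < len(tokens):
        tok, low = tokens[i], tokens[i].lower()
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        # A following token counts as a value unless it is a switch or a \\host.
        has_value = nxt is not None and not nxt.startswith(("-", "\\\\"))
        if low in ("-u", "-p") and has_value:
            if low == "-u":
                user = nxt
            else:
                pw_index = i + 1
            i += 2
        elif tok.startswith("-"):
            as_system = as_system or low == "-s"
            # "-i" may be followed by a numeric session id.
            i += 2 if (low == "-i" and nxt and nxt.isdigit()) else 1
        elif tok.startswith("\\\\") and target is None:
            target = tok
            i += 1
        else:
            remote = tokens[i:]          # the program PsExec is asked to start
            break

    redacted = list(tokens)
    if pw_index is not None:
        redacted[pw_index] = "<redacted>"
    unc_script = (bool(remote)
                  and remote[0].strip('"').lower() in SCRIPT_HOSTS
                  and any(a.strip('"').startswith("\\\\") for a in remote[1:]))
    return {
        "user": user,
        "target": target,
        "password_on_cmdline": pw_index is not None,
        "as_system": as_system,
        "unc_script": unc_script,        # script host fed a file from a share
        "redacted": " ".join(redacted),  # safe to write to a ticket or log
    }


if __name__ == "__main__":
    for line in SAMPLES:
        print(analyze(line))
```
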