Command line utility to remotely grant local admin to specific domain users

We have around 200 PCs. Almost all running W2K. Some still NT 4.0 SP6.
For a reason which is too long to explain here, we need on each of these PCs to add a specific user, say U1, from a specific trusted domain, say D1 (this is not the PC's domain), to the local Administrators group of the PC.
"Manually" it is not very difficult to do, running a tool like usrmgr.exe, selecting the PC etc. etc. ... and doing that remotely of course.
But can you imagine? 200 PCs to do!
I was thinking of doing it, still remotely, but with a command line utility where I could specify the machine name etc.
I know some tools that work, but NOT remotely, only locally. Placing this in the login script was a first idea, but only a few people are themselves local admins, so the tool will not work...
Any idea?
LeTay asked:
oBdA commented:
Well, cusrmgr.exe is a W2k tool that works as well in NT4, so it shouldn't have a problem with a W2k domain.
Anyway, you can give addusers.exe, from the Resource Kit as well, a try. This is the same script as above, slightly changed to use addusers.
It creates a temporary file consisting of two lines (as with cusrmgr.exe, U1 can be a global group as well):

[local]
Administrators,,D1\U1

If you want to try it manually, create a text file like the one above, and feed it to addusers:
addusers.exe \\Machine /c "Y:\our\FileName.txt"

addusers doesn't set an errorlevel, so the output is parsed instead.
The logfile format is changed a bit as well, it now adds the fail reason ("ping" or "addusers"), separated by a ",", after the machine name. Accordingly, the input list can now contain ","-separated entries after the machine name as well ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
:: *** Account (user or global group) from the trusted domain, and the local group to add it to
set AddDomain=D1
set AddUser=U1
set AddGroup=Administrators
:: *** Logfile for failed machines (same name as this batch file, extension .log)
set FailList=%~dpn0.log
set ListFile=
:: *** Temporary input file for addusers.exe
set TempFile=%~dpn0.tmp

if %1.==. goto leave

:: *** Create a temporary file for addusers.exe
>"%TempFile%"  echo [Local]
>>"%TempFile%" echo %AddGroup%,,%AddDomain%\%AddUser%

:: *** Single machine name as argument: process it with "call" so that the
:: *** temporary file is still cleaned up in :leave afterwards
if /i %1.==/L. goto list
call :process %1
goto leave

:: *** /L ListFile: one machine name per line (anything after a "," is ignored)
:list
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
for /f "tokens=1 delims=, " %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
:: *** Only a reply containing a TTL counts as a response
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
:: *** Test mode: remove the "ECHO" in front of the next line to "arm" the script
:: *** (while the ECHO is there, the echoed command goes to "find", so nothing is printed)
ECHO addusers \\%Machine% /c "%TempFile%" | find "Error adding user" >NUL
:: *** addusers sets no errorlevel; "find" returns errorlevel 0 if the error text was printed
if not errorlevel 1 goto :NoAdd
echo ... done.
goto :eof

:NoResponse
echo ... not responding!
if not "%ListFile%"=="" (echo %Machine%,ping)>>"%FailList%"
goto :eof

:NoAdd
echo ... couldn't add %AddDomain%\%AddUser% to %Machine%\%AddGroup%
if not "%ListFile%"=="" (echo %Machine%,addusers)>>"%FailList%"
goto :eof

:leave
if exist "%TempFile%" del "%TempFile%"
====8<----[NewAdmin.cmd]----
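A follow-up check the thread does not include (added example, not oBdA's script): after the roll-out, dump each machine's users and groups with addusers /d and confirm that the trusted-domain account actually ended up in the local Administrators group, writing one line per machine to a report. It assumes the dump is plain text in the same GroupName,Comment,Member,... layout as the /c input file, and reuses the constructed names D1, U1 and the one-machine-per-line list file from the thread.

```batch
@echo off
setlocal
:: VerifyAdmin.cmd (added example, not from the thread): dump each machine's
:: users and groups with "addusers /d" and check that the trusted-domain account
:: is listed as a member of the local Administrators group.
:: Usage: VerifyAdmin.cmd MachineList.txt   (one machine name per line)
set AddDomain=D1
set AddMember=U1
set AddGroup=Administrators
set ListFile=%~1
:: Report lines: Machine,ok | Machine,missing | Machine,nodump
set Report=%~dpn0.log
set DumpFile=%~dpn0.dump

if "%ListFile%"=="" goto leave
if not exist "%ListFile%" goto leave
if exist "%Report%" del "%Report%"

for /f "tokens=1 delims=, " %%a in ('type "%ListFile%"') do call :check %%a
goto leave

:check
set Machine=%1
if exist "%DumpFile%" del "%DumpFile%"
:: Dump users, global and local groups of the remote machine to a text file.
addusers \\%Machine% /d "%DumpFile%" >NUL
if not exist "%DumpFile%" (
    echo %Machine%,nodump>>"%Report%"
    goto :eof
)
:: Assumed dump layout (same as the /c input): under [Local] each line reads
:: GroupName,Comment,Member1,Member2,... so a matching line must contain both
:: the group name followed by a comma and the DOMAIN\account that was added.
find /i "%AddDomain%\%AddMember%" "%DumpFile%" | find /i "%AddGroup%," >NUL
if errorlevel 1 (
    echo %Machine%,missing>>"%Report%"
) else (
    echo %Machine%,ok>>"%Report%"
)
goto :eof

:leave
if exist "%DumpFile%" del "%DumpFile%"
if exist "%Report%" echo Report written to "%Report%"
```

Machines reported as "missing" or "nodump" are the ones to feed back into NewAdmin.cmd /L for another pass.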
oBdA commented:
You'll need cusrmgr.exe from the W2k Resource Kit (you have the Resource Kit, don't you ;).
Then test this script; it accepts either a machine name to process as single argument, or /L as the first argument and a file name with a list of machines (one machine per line) to process. If run with a list, it will create a logfile (same name as batch file, with the extension ".log") with machine names that weren't running.
As usual: No warranties included, test it before you apply it in earnest, use it at your own risk ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
:: *** Account (user or global group) from the trusted domain, and the local group to add it to
set AddDomain=D1
set AddAdmin=U1
set AddGroup=Administrators
:: *** Logfile for machines that didn't respond (same name as this batch file, extension .log)
set FailList=%~dpn0.log
set ListFile=

if %1.==. goto leave

:: *** Either a single machine name as argument, or /L ListFile (one machine name per line)
if /i not %1.==/L. goto process
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
for /f %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
:: *** Only a reply containing a TTL counts as a response
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
:: *** Test mode: remove the "ECHO" in front of the next line to "arm" the script:
ECHO cusrmgr -u %AddDomain%\%AddAdmin% -m \\%Machine% -alg "%AddGroup%"
echo ... done.
goto :eof

:NoResponse
echo ... not responding
if not "%ListFile%"=="" (echo %Machine%)>>"%FailList%"
goto :eof

:leave
====8<----[NewAdmin.cmd]----
Justin C (AWS Solutions Architect) commented:
This isn't exactly an answer, but I'd suggest adding a domain group to the local admin group of all your systems instead of a specific user account. This way, when you want to remove this user or the next time you want to add a user to the local admin group of your systems, you simply modify the membership of the domain group.
LeTay (Author) commented:
BloodRed,
There is 'fortunately' already a global domain group as a member of the local admin group on all these machines.
But the problem here is that the specific user that should be a member of this global group is from another trusted domain and so can't be added to the global group of the other domain.
Now, as you suggest, we should add a global domain group of that OTHER domain to local admin of all PCs.
But adding that group or a specific user is just my question: how to automate that remotely?
I will have a look at the tool suggested by oBdA...

LeTay (Author) commented:
oBdA,
I tried cusrmgr and it works fine but I still have a technical issue.
Remember, the PCs' domain I was speaking about is not the same as that of the specific user I need to add to local admins (say the user to add is U from the other domain D).
So, I issued:
cusrmgr -u D\U -m \\MachineName -alg Administrators
I got the error message: Adding D\U to administrators can't find PDC of D
Now I am not sure: does this mean that I really can't see a PDC for that domain D, or that there is a trust missing between the domains???

oBdA commented:
Well, you said that the trust is setup; it works obviously, or you wouldn't be able to add the user using the GUI either.
There are several possibilities to try:
Are those domains W2k or NT4? If the former, you can try to specify the user in the "user@the.other.domain" format (provided you have DNS lookup for the other domain).
And/or you can try to enter the PDC and domain name of the other domain in the lmhosts file:
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/?kbid=180094
If this fails, we can give usrtogrp.exe (from the Resource Kit as well) a try, provided the account name from the other domain doesn't exist in your "regular" domain.
If this fails, too, there's always the "last resort" "remote execution" with at.exe or psexec, but let's try cusrmgr first.

LeTay (Author) commented:
oBdA,
I think "we" are close to the solution (and the 500 points for you!)
When trying cusrmgr on the server from where it will finally run, the message was the same. However, on that same server (NT 4), running the GUI for user management, I tried to add to a local group -> locate the domain in question -> got the list of users and groups -> so okay with the GUI.
I will test your second idea (LMHOSTS) as soon as I get the other PDC information.
PS: by the way, it is not a user to be added, but a global group from the other domain. But this does not change anything with the problem...

LeTay (Author) commented:
oBdA,
Unfortunately, the setup in the lmhosts does not fix the problem.
cusrmgr still returns ...can't find PDC for D (D is the trusted domain).
I did follow Microsoft KB article 180094 to setup the lmhosts correctly.
What looks extremely curious to me is that on the same machine (in this case an NT 4 server) when I run the GUI usrmgr.exe, I can do exactly the same action (add a group G from the trusted domain D to another up and running PC) in the same context (logged in as domain admin) without any problem.
So the cusrmgr behavior is somehow different. Does it use another API, or ???

LeTay (Author) commented:
oBdA,
Last minute information!
The 'other' domain, D in my example, is on W2K.
So there is no PDC or BDC, it is DC only, and my test with lmhosts including the real PDC is now obsolete.
I think that there is a kind of incompatibility in cusrmgr.exe in this W2K environment...
I most probably need to find another tool than cusrmgr.exe.
Your opinion?

LeTay (Author) commented:
oBdA,
Thanks for the addusers.exe
It works fine!
You get the points.
PS: this means that cusrmgr.exe is somewhere buggy...