Solved

Command line utility to remotely grant local admin to specific domain users

Posted on 2003-11-14
3,998 Views
Last Modified: 2012-08-13
We have around 200 PCs. Almost all running W2K. Some still NT 4.0 SP6.
For a reason which is too long to explain here, we need on each of these PCs to add a specific user, say U1, from a specific trusted domain, say D1 (this is not the PC's domain), to the local Administrators group of the PC.
"Manually" it is not very difficult to do, running a tool like usrmgr.exe, selecting the PC, etc. etc. ... and doing that remotely, of course.
But can you imagine? 200 PCs to do!
I was thinking of doing it, still remotely, but with a command line utility where I could specify the machine name, etc. ...
I know some tools that work, but NOT remotely, only locally. Placing this in the login script was a first idea, but only a few people are themselves local admins, so the tool will not work...
Any idea?
Question by: LeTay

10 Comments
Expert Comment by oBdA (ID: 9750160)
You'll need cusrmgr.exe from the W2k Resource Kit (you have the Resource Kit, don't you ;).
Then test this script; it accepts either a machine name to process as single argument, or /L as the first argument and a file name with a list of machines (one machine per line) to process. If run with a list, it will create a logfile (same name as batch file, with the extension ".log") with machine names that weren't running.
As usual: No warranties included, test it before you apply it in earnest, use it at your own risk ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
set AddDomain=D1
set AddAdmin=U1
set AddGroup=Administrators
set FailList=%~dpn0.log
set ListFile=

if %1.==. goto leave

if /i %1.==/L. goto list
:: *** Single machine: the name is the only argument; go through :process with
:: *** "call" so the script always ends at :leave.
call :process %1
goto leave

:list
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
for /f %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
:: *** Only machines that answer a ping are processed; the rest go to the logfile.
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
:: *** Test mode: remove the "ECHO" in front of the next line to "arm" the script:
ECHO cusrmgr -u %AddDomain%\%AddAdmin% -m \\%Machine% -alg "%AddGroup%"
echo ... done.
goto :eof

:NoResponse
echo ... not responding
if not "%ListFile%"=="" (echo %Machine%)>>"%FailList%"
goto :eof

:leave
====8<----[NewAdmin.cmd]----
Expert Comment by Justin C (ID: 9750172)
This isn't exactly an answer, but I'd suggest adding a domain group to the local admin group of all your systems instead of a specific user account.  This way, when you want to remove this user or the next time you want to add a user to the local admin group of your systems, you simply modify the membership of the domain group.  
Author Comment by LeTay (ID: 9762372)
BloodRed,
There is 'fortunately' already a global domain group as a member of the local admin group on all these machines.
But the problem here is that the specific user that should be a member of this global group is from another trusted domain and so can't be added to the global group of the other domain.
Now, as you suggest, we should add a global domain group of that OTHER domain to the local admins of all PCs.
But adding that group or a specific user is just my question: how to automate that remotely?
I will have a look at the tool suggested by oBdA...
Author Comment by LeTay (ID: 9763068)
oBdA,
I tried cusrmgr and it works fine, but I still have a technical issue.
Remember, the PCs' domain I was speaking about is not the same as the domain of the specific user I need to add to local admins (say the user to add is U from the other domain D).
So, I issued:
cusrmgr -u D\U -m \\MachineName -alg Administrators
I got the error message: Adding D\U to administrators can't find PDC of D
Now I am not sure: does this mean that I really can't see a PDC for that domain D, or that there is a trust missing between the domains???
Expert Comment by oBdA (ID: 9763436)
Well, you said that the trust is set up; it works obviously, or you wouldn't be able to add the user using the GUI either.
There are several possibilities to try:
Are those domains W2k or NT4? If the former, you can try to specify the user in the "user@the.other.domain" format (provided you have DNS lookup for the other domain).
And/or you can try to enter the PDC and domain name of the other domain in the lmhosts file:
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/?kbid=180094
If this fails, we can give usrtogrp.exe (from the Resource Kit as well) a try, provided the account name from the other domain doesn't exist in your "regular" domain.
If this fails, too, there's always the "last resort" of "remote execution" with at.exe or psexec, but let's try cusrmgr first.
Author Comment by LeTay (ID: 9764615)
oBdA,
I think "we" are close to the solution (and the 500 points for you!)
When trying cusrmgr on the server from where it will finally run, the message was the same. However, on that same server (NT 4), running the GUI for user management, I tried to add to a local group -> locate the domain in question -> got the list of users and groups -> so okay with the GUI.
I will test your second idea (LMHOSTS) as soon as I get the other PDC information.
PS: by the way, it is not a user to be added, but a global group from the other domain. But this does not change anything with the problem...
Author Comment by LeTay (ID: 9770384)
oBdA,
Unfortunately, the setup in the lmhosts does not fix the problem.
cusrmgr still returns ...can't find PDC for D (D is the trusted domain).
I did follow Microsoft KB article 180094 to set up the lmhosts correctly.
What looks extremely curious to me is that on the same machine (in this case an NT 4 server), when I run the GUI usrmgr.exe, I can do exactly the same action (add a group G from the trusted domain D to another up-and-running PC) in the same context (logged in as domain admin) without any problem.
So the cusrmgr behavior is somehow different. Uses another API or ???
Author Comment by LeTay (ID: 9770561)
oBdA,
Last-minute information!
The 'other' domain, D in my example, is on W2K.
So PDC or PDC is DC only, and my test with lmhosts including the real PDC is now obsolete.
I think that there is a kind of incompatibility in cusrmgr.exe in this W2K environment...
I most probably need to find another tool than cusrmgr.exe.
Your opinion?
Accepted Solution by oBdA (earned 2000 total points, ID: 9772739)
Well, cusrmgr.exe is a W2k tool that works in NT4 as well, so it shouldn't have a problem with a W2k domain.
Anyway, you can give addusers.exe, from the Resource Kit as well, a try. This is the same script as above, slightly changed to use addusers.
It creates a temporary file consisting of two lines (as with cusrmgr.exe, U1 can be a global group as well):

[local]
Administrators,,D1\U1

If you want to try it manually, create a text file like the one above, and feed it to addusers:
addusers.exe \\Machine /c "Y:\our\FileName.txt"

addusers doesn't set an errorlevel, so the output is parsed instead.
The logfile format is changed a bit as well, it now adds the fail reason ("ping" or "addusers"), separated by a ",", after the machine name. Accordingly, the input list can now contain ","-separated entries after the machine name as well ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
set AddDomain=D1
set AddUser=U1
set AddGroup=Administrators
set FailList=%~dpn0.log
set ListFile=
set TempFile=%~dpn0.tmp
:: *** Test mode: the script only displays the addusers command it would run.
:: *** Clear the variable ("set TestMode=") to "arm" the script.
set TestMode=1

if %1.==. goto leave

:: *** Create a temporary file for addusers.exe
>"%TempFile%"  echo [Local]
>>"%TempFile%" echo %AddGroup%,,%AddDomain%\%AddUser%

if /i %1.==/L. goto list
:: *** Single machine: go through :process with "call" so :leave still
:: *** runs and the temporary file is deleted.
call :process %1
goto leave

:list
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
:: *** Only the text before the first "," counts as the machine name.
for /f "tokens=1 delims=, " %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
if defined TestMode (
  echo ... test mode, would run: addusers \\%Machine% /c "%TempFile%"
  goto :eof
)
:: *** addusers doesn't set an errorlevel, so its output is searched instead.
addusers \\%Machine% /c "%TempFile%" | find "Error adding user" >NUL
if not errorlevel 1 goto :NoAdd
echo ... done.
goto :eof

:NoResponse
echo ... not responding!
if not "%ListFile%"=="" (echo %Machine%,ping)>>"%FailList%"
goto :eof

:NoAdd
echo ... couldn't add %AddDomain%\%AddUser% to %Machine%\%AddGroup%
if not "%ListFile%"=="" (echo %Machine%,addusers)>>"%FailList%"
goto :eof

:leave
if exist "%TempFile%" del "%TempFile%"
====8<----[NewAdmin.cmd]----
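The same procedure as the two NewAdmin.cmd scripts in this thread (the cusrmgr version and the addusers version above), written in PowerShell as an added example; it is not oBdA's script and not a Resource Kit tool, and nobody in the thread ran it. It talks to each PC through the ADSI WinNT provider instead of a command line tool, takes the same one-machine-per-line list with optional ","-separated extra text, keeps the same "machine,reason" failure log, skips machines that already have the member (so it is safe to re-run), and uses -WhatIf as the equivalent of the "ECHO" arming line. D1, U1, the list file name and the log name are the thread's placeholders and this example's assumptions; it also assumes the account running it is a local administrator on every target and can reach them over SMB/RPC (TCP 445/135) through the trust.

```powershell
<#
  NewAdmin.ps1 -- added example, not the thread's own script.
  Adds $AddDomain\$AddMember (a user or a global group from a trusted domain)
  to the local $AddGroup on every machine listed in $ListFile via the ADSI
  WinNT provider, logging "machine,reason" for every failure.
  Dry run:   .\NewAdmin.ps1 -ListFile .\pcs.txt -WhatIf
  Arm it:    .\NewAdmin.ps1 -ListFile .\pcs.txt
  Audit:     .\NewAdmin.ps1 -ListFile .\pcs.txt -Audit
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$ListFile,   # one machine per line; text after "," is ignored
    [string]$AddDomain = 'D1',                         # trusted domain holding the principal (assumed name)
    [string]$AddMember = 'U1',                         # user OR global group in that domain (assumed name)
    [string]$AddGroup  = 'Administrators',
    [string]$FailList  = '.\NewAdmin.log',             # same "machine,reason" layout as NewAdmin.cmd's log
    [switch]$Audit                                     # only list current members, change nothing
)

# ADsPath of the principal to add; the WinNT provider resolves it through the trust.
$memberPath = "WinNT://$AddDomain/$AddMember"
Remove-Item -Path $FailList -ErrorAction SilentlyContinue

function Write-Fail([string]$Machine, [string]$Reason) {
    Add-Content -Path $FailList -Value "$Machine,$Reason"
}

# Same reachability gate as the batch file's "ping -n 1 | find TTL".
function Test-Reachable([string]$Machine) {
    Test-Connection -ComputerName $Machine -Count 1 -Quiet -ErrorAction SilentlyContinue
}

# Enumerate the local group (IADsGroup::Members) and return each member's ADsPath,
# e.g. WinNT://D1/U1 for a domain principal or WinNT://PC01/Administrator for a local one.
# A member whose SID the target can no longer resolve shows up as a raw S-1-5-... path.
function Get-GroupMemberPaths([System.DirectoryServices.DirectoryEntry]$Group) {
    @($Group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$machines = Get-Content -Path $ListFile |
    ForEach-Object { ($_ -split ',')[0].Trim() } |
    Where-Object { $_ -ne '' }

foreach ($machine in $machines) {
    Write-Host "Processing $machine ..."
    if (-not (Test-Reachable $machine)) {
        Write-Host '... not responding!'
        Write-Fail $machine 'ping'
        continue
    }
    try {
        $group   = [ADSI]"WinNT://$machine/$AddGroup,group"
        $members = Get-GroupMemberPaths $group   # forces the bind; throws if the box refuses us
        if ($Audit) {
            $members | ForEach-Object { Write-Host "    $_" }
            continue
        }
        # String comparison is case-insensitive in PowerShell, so D1/u1 and D1/U1 match.
        if ($members -contains $memberPath) {
            Write-Host '... already a member, nothing to do.'
            continue
        }
        # ShouldProcess honours -WhatIf/-Confirm: this is the "ECHO" arming line of the batch file.
        if ($PSCmdlet.ShouldProcess("\\$machine\$AddGroup", "Add $AddDomain\$AddMember")) {
            $group.psbase.Invoke('Add', $memberPath)   # IADsGroup::Add
            Write-Host '... done.'
        }
    }
    catch {
        # Typical reasons: access denied, RPC server unavailable, or the target cannot
        # resolve the principal through the trust. The message is kept for the operator.
        Write-Host "... couldn't add $AddDomain\$AddMember to $machine\$AddGroup : $($_.Exception.Message)"
        Write-Fail $machine 'adsi'
    }
}
```

Run it with -WhatIf first and read the list of targets it would touch, then arm it; a final pass with -Audit is the check worth doing afterwards, because it shows not only that every reachable PC now has the member but also anything else that has accumulated in the local Administrators group. As Justin C suggests above, pointing $AddMember at a global group of the trusted domain rather than at a user means later membership changes happen once, in that domain, instead of on 200 PCs. The account running the script authenticates to each target with a network logon only, so its credentials are not cached on the PCs the way an interactive logon would leave them.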
Author Comment by LeTay (ID: 9777576)
oBdA,
Thanks for the addusers.exe.
It works fine!
You get the points.
PS: this means that cusrmgr.exe is somewhere buggy...