Solved

Command line utility to remotely grant local admin to specific domain users

Posted on 2003-11-14
Last Modified: 2012-08-13
We have around 200 PCs. Almost all running W2K. Some still NT 4.0 SP6.
For a reason which is too long to explain here, we need on each of these PCs to add a specific user, say U1, from a specific trusted domain, say D1 (this is not the PC's own domain), to the local Administrators group of the PC.
"Manually" it is not very difficult to do, running a tool like usrmgr.exe, selecting the PC etc. etc. ... and doing that remotely of course.
But can you imagine? 200 PCs to do!
I was thinking of doing it still remotely but with a command line utility where I could specify the machine name etc. ...
I know some tools that work, but NOT remotely, only locally. Placing this in the login script was a first idea, but only a few people are themselves local admin, so the tool will not work...
Any idea?
Question by LeTay

Expert Comment by oBdA
You'll need cusrmgr.exe from the W2k Resource Kit (you have the Resource Kit, don't you ;).
Then test this script; it accepts either a machine name to process as a single argument, or /L as the first argument and a file name with a list of machines (one machine per line) to process. If run with a list, it will create a logfile (same name as the batch file, with the extension ".log") with the machine names that weren't running.
As usual: No warranties included, test it before you apply it in earnest, use it at your own risk ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
set AddDomain=D1
set AddAdmin=U1
set AddGroup=Administrators
set FailList=%~dpn0.log
set ListFile=

if %1.==. goto leave

:: *** Single machine: NewAdmin.cmd MachineName; list: NewAdmin.cmd /L ListFile.txt
if /i %1.==/L. goto list
call :process %~1
goto leave

:list
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
for /f %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
:: *** A reply line contains "TTL"; "Request timed out" or "Unknown host" does not
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
:: *** Test mode: remove the "ECHO" in front of the next line to "arm" the script:
ECHO cusrmgr -u %AddDomain%\%AddAdmin% -m \\%Machine% -alg "%AddGroup%"
echo ... done.
goto :eof

:NoResponse
echo ... not responding
if not "%ListFile%"=="" (echo %Machine%)>>"%FailList%"
goto :eof

:leave
====8<----[NewAdmin.cmd]----
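The same rollout in PowerShell, as an added example that is not part of the original thread (oBdA's script is a batch wrapper around cusrmgr.exe). It binds to the remote machine's Administrators group through the ADSI WinNT provider, which uses the same SAM RPC channel the NT-era GUI and resource kit tools use, so nothing has to be installed on the target; it grants a trusted-domain global group rather than a single user, which is the least-privilege shape the thread settles on, and it changes nothing unless -Arm is given. The domain D1, group G1, machine list and log path are assumptions. The account running it must already be a local admin on every target (for instance a member of the domain group already nested in Administrators).

```powershell
# Added example (not from the original thread): add a trusted-domain group to the
# local Administrators group on a list of machines, dry-run by default, with a
# failure log, via the ADSI WinNT provider (works over RPC/SMB like cusrmgr/addusers).
# Assumed values: domain D1, group G1, machine list path and log path.
param(
    [string]$ListFile   = '.\machines.txt',      # one machine per line (assumed path)
    [string]$AddDomain  = 'D1',                  # trusted domain (assumed)
    [string]$AddMember  = 'G1',                  # global group in D1 to grant (assumed)
    [string]$LocalGroup = 'Administrators',
    [string]$FailList   = '.\NewAdmin.log',      # "machine,reason" per failed host
    [switch]$Arm                                 # without -Arm nothing is changed
)

# First token of each line is the machine name; a ","-separated remainder is ignored
$machines = Get-Content $ListFile | ForEach-Object { ($_ -split '[, ]')[0] } | Where-Object { $_ }
Remove-Item $FailList -ErrorAction SilentlyContinue

$memberPath = "WinNT://$AddDomain/$AddMember,group"

foreach ($machine in $machines) {
    Write-Host "Processing $machine ..."
    if (-not (Test-Connection -ComputerName $machine -Count 1 -Quiet)) {
        Write-Host '... not responding!'
        "$machine,ping" | Add-Content $FailList
        continue
    }
    if (-not $Arm) {
        Write-Host "[TEST] would add $memberPath to \\$machine\$LocalGroup"
        continue
    }
    try {
        $group = [ADSI]"WinNT://$machine/$LocalGroup,group"
        # Make the run idempotent: Add() throws if the member is already present
        $existing = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
        })
        if ($existing -contains "WinNT://$AddDomain/$AddMember") {
            Write-Host '... already a member.'
            continue
        }
        $group.Add($memberPath)
        Write-Host '... done.'
    }
    catch {
        # Typical causes: trusted-domain lookup failed (the thread's "can't find PDC"),
        # access denied on the target, or a mistyped domain/group name
        $reason = $_.Exception.Message -replace ',', ';'
        Write-Host "... couldn't add ${AddDomain}\${AddMember}: $reason"
        "$machine,adsi,$reason" | Add-Content $FailList
    }
}
```

Run it once without -Arm to see exactly which machines answer and what would be changed, then with -Arm; the log keeps the failure reason so the "not responding" hosts can be re-run from the list without touching the ones that succeeded.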
Expert Comment by BloodRed
This isn't exactly an answer, but I'd suggest adding a domain group to the local admin group of all your systems instead of a specific user account. This way, when you want to remove this user, or the next time you want to add a user to the local admin group of your systems, you simply modify the membership of the domain group.
Author Comment by LeTay
BloodRed,
There is 'fortunately' already a global domain group as a member of the local admin group on all these machines.
But the problem here is that the specific user that should be a member of this global group is from another trusted domain and so can't be added to the global group of the other domain.
Now, as you suggest, we should add a global domain group of that OTHER domain to the local admins of all PCs.
But adding that group or a specific user is just my question: how to automate that remotely?
I will have a look at the tool suggested by oBdA...
Author Comment by LeTay
oBdA,
I tried cusrmgr and it works fine, but I still have a technical issue.
Remember, the PCs' domain I was speaking about is not the same as that of the specific user I need to add to local admins (say the user to add is U from the other domain D).
So I issued:
cusrmgr -u D\U -m \\MachineName -alg Administrators
I got the error message: Adding D\U to administrators can't find PDC of D
Now I am not sure: does this mean that I really can't see a PDC for that domain D, or that there is a trust missing between the domains?
Expert Comment by oBdA
Well, you said that the trust is set up; it obviously works, or you wouldn't be able to add the user using the GUI either.
There are several possibilities to try:
Are those domains W2k or NT4? If the former, you can try to specify the user in the "user@the.other.domain" format (provided you have DNS lookup for the other domain).
And/or you can try to enter the PDC and domain name of the other domain in the lmhosts file:
How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues
http://support.microsoft.com/?kbid=180094
If this fails, we can give usrtogrp.exe (from the Resource Kit as well) a try, provided the account name from the other domain doesn't exist in your "regular" domain.
If this fails, too, there's always the "last resort" of "remote execution" with at.exe or psexec, but let's try cusrmgr first.
Author Comment by LeTay
oBdA,
I think "we" are close to the solution (and the 500 points for you!)
When trying cusrmgr on the server from where it will finally run, the message was the same. However, on that same server (NT 4), running the GUI for user management, I tried to add to a local group -> locate the domain in question -> got the list of users and groups -> so OK with the GUI.
I will test your second idea (LMHOSTS) as soon as I get the other PDC's information.
PS: by the way, it is not a user to be added, but a global group from the other domain. But this does not change anything about the problem...
Author Comment by LeTay
oBdA,
Unfortunately, the setup in the lmhosts does not fix the problem.
cusrmgr still returns ... can't find PDC for D (D is the trusted domain).
I did follow Microsoft KB article 180094 to set up the lmhosts correctly.
What looks extremely curious to me is that on the same machine (in this case an NT 4 server), when I run the GUI usrmgr.exe, I can do exactly the same action (add a group G from the trusted domain D to another up-and-running PC) in the same context (logged in as domain admin) without any problem.
So the cusrmgr behaviour is somehow different. Does it use another API, or ...?
Author Comment by LeTay
oBdA,
Last minute information!
The 'other' domain, D in my example, is on W2K.
So PDC or BDC is DC only, and my test with lmhosts including the real PDC is now obsolete.
I think that there is a kind of incompatibility in cusrmgr.exe in this W2K environment...
I most probably need to find another tool than cusrmgr.exe.
Your opinion?
Accepted Solution by oBdA (earned 500 total points)
Well, cusrmgr.exe is a W2k tool that works in NT4 as well, so it shouldn't have a problem with a W2k domain.
Anyway, you can give addusers.exe, from the Resource Kit as well, a try. This is the same script as above, slightly changed to use addusers.
It creates a temporary file consisting of two lines (as with cusrmgr.exe, U1 can be a global group as well):

[local]
Administrators,,D1\U1

If you want to try it manually, create a text file like the one above, and feed it to addusers:
addusers.exe \\Machine /c "Y:\our\FileName.txt"

addusers doesn't set an errorlevel, so its output is parsed instead.
The logfile format is changed a bit as well: it now adds the failure reason ("ping" or "addusers"), separated by a ",", after the machine name. Accordingly, the input list can now contain ","-separated entries after the machine name as well ...

====8<----[NewAdmin.cmd]----
@echo off
setlocal
set AddDomain=D1
set AddUser=U1
set AddGroup=Administrators
set FailList=%~dpn0.log
set ListFile=
set TempFile=%~dpn0.tmp
:: *** Test mode: set Arm to 1 to "arm" the script; anything else only echoes the command
set Arm=0

if %1.==. goto leave

:: *** Create the control file for addusers.exe (format: GroupName,Comment,Member)
>"%TempFile%"  echo [Local]
>>"%TempFile%" echo %AddGroup%,,%AddDomain%\%AddUser%

:: *** Single machine: NewAdmin.cmd MachineName; list: NewAdmin.cmd /L ListFile.txt
:: *** (single mode goes through :leave as well, so the temp file is always removed)
if /i %1.==/L. goto list
call :process %~1
goto leave

:list
if %2.==. goto leave
set ListFile=%~2
if not exist "%ListFile%" goto leave
if exist "%FailList%" del "%FailList%"
:: *** Only the first token of each line is the machine name; a ","-separated remainder is ignored
for /f "tokens=1 delims=, " %%a in ('type "%ListFile%"') do call :process %%a
goto leave

:process
set Machine=%1
echo Processing %Machine% ...
ping -n 1 %Machine% | find "TTL" >NUL
if errorlevel 1 goto :NoResponse
if not "%Arm%"=="1" (
  echo [TEST] addusers \\%Machine% /c "%TempFile%"
  goto :eof
)
:: *** addusers doesn't set an errorlevel, so its output is parsed for the failure text instead
addusers \\%Machine% /c "%TempFile%" | find "Error adding user" >NUL
if not errorlevel 1 goto :NoAdd
echo ... done.
goto :eof

:NoResponse
echo ... not responding!
if not "%ListFile%"=="" (echo %Machine%,ping)>>"%FailList%"
goto :eof

:NoAdd
echo ... couldn't add %AddDomain%\%AddUser% to %Machine%\%AddGroup%
if not "%ListFile%"=="" (echo %Machine%,addusers)>>"%FailList%"
goto :eof

:leave
if exist "%TempFile%" del "%TempFile%"
====8<----[NewAdmin.cmd]----
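Once a group from another domain has been pushed into Administrators on 200 machines, the thing a practitioner wants next is a way to confirm the rollout landed everywhere and to catch members that should not be there (stale accounts, users who added themselves while they had rights). The following audit is an added example, not part of the original thread or of the resource kit tools it uses; it enumerates the remote Administrators group through the ADSI WinNT provider and flags anything outside an expected list. The machine list path, the expected member paths (D1\G1 plus two groups of the PCs' own domain, here assumed to be D0) and the report path are assumptions; the report also shows the actual AdsPath format the provider returns, so the expected list can be adjusted to it.

```powershell
# Added example (not from the original thread): audit the local Administrators group
# on each machine and report members that are not on the expected list.
# Assumed values: machine list path, expected member paths, report path.
param(
    [string]$ListFile = '.\machines.txt',                                # assumed path
    [string[]]$Expected = @('WinNT://D1/G1',                             # the group rolled out above (assumed)
                            'WinNT://D0/Domain Admins',                  # PCs' own domain, assumed name D0
                            'WinNT://D0/WorkstationAdmins'),             # the group already nested (assumed)
    [string]$Report = '.\LocalAdmins.csv'
)

$machines = Get-Content $ListFile | ForEach-Object { ($_ -split '[, ]')[0] } | Where-Object { $_ }

$rows = foreach ($machine in $machines) {
    if (-not (Test-Connection -ComputerName $machine -Count 1 -Quiet)) {
        [pscustomobject]@{ Machine = $machine; Member = ''; Class = ''; Status = 'no response' }
        continue
    }
    try {
        $group = [ADSI]"WinNT://$machine/Administrators,group"
        foreach ($m in $group.psbase.Invoke('Members')) {
            $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
            $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
            # Local accounts typically come back as WinNT://<domain>/<machine>/<name>
            # or WinNT://<machine>/<name>; the built-in Administrator is expected either way
            $isLocal = (($path -split '/')[-2] -ieq $machine)
            $status  = if ($isLocal -or ($Expected -contains $path)) { 'expected' } else { 'UNEXPECTED' }
            [pscustomobject]@{ Machine = $machine; Member = $path; Class = $class; Status = $status }
        }
    }
    catch {
        [pscustomobject]@{ Machine = $machine; Member = ''; Class = ''; Status = "error: $($_.Exception.Message)" }
    }
}

$rows | Export-Csv -NoTypeInformation -Path $Report
# Summary on screen: unexpected admins and unreachable/erroring hosts
$rows | Where-Object { $_.Status -ne 'expected' } | Format-Table -AutoSize
```

Machines that answered but show no 'WinNT://D1/G1' row are the ones where the rollout has to be repeated; rows marked UNEXPECTED are the local admin sprawl this kind of mass grant tends to leave behind and are worth removing with the same ADSI object's Remove() method once they have been confirmed.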
Author Comment by LeTay
oBdA,
Thanks for addusers.exe.
It works fine!
You get the points.
PS: this means that cusrmgr.exe is somehow buggy...