  • Status: Solved
  • Priority: Medium
  • Security: Public
Moving Domains

My company is in the testing phases of moving to a new 2003 AD domain, from an NT4 domain.  I need to move the user data from the old local profile to the new local profile.  I am planning on using MOVEUSER.EXE to handle this portion of it.  However, I am having trouble adding the correct domain user to the local group on each computer.

The question I have is.... Is there a script that would pull local group information from the local machine, and then add the appropriate new domain user to a certain local group on the local machine?  An example would be:  In the local admin group there is a domain user account called DOMABC\JohnS (DOMABC = old domain).  I need a script that will read this information and add the new domain account of NEWDOMABC\JohnS (NEWDOMABC = new domain) to the local admin group.  The only problem is I need the script to work on 1,000 machines, where the domain username will be different on each machine.
0
Asked by SCP028
1 Solution
 
jmacmickingCommented:
Do the user names themselves match up exactly?  In the instance you've provided the name in both cases is JohnS--can we assume this is always the case?
0
 
SCP028Author Commented:
Yes, the usernames will be the exact same from the old domain to the new one.
0
 
jdeclueCommented:
Try this in the login script, I am not sure if it can work without the right credentials, but it is worth a try.

Net localgroup administrators domainname\%username% /add

replace domainname with your domain.

If this works it will take the currently logged on user and add their domain account to the local administrators group.

J
0
 
SCP028Author Commented:
This will not work because of the lack of credentials.
0
 
jdeclueCommented:
It is supposed to work, because the login script does not run under their credentials. Did you try it?

J
0
 
jdeclueCommented:
Sorry, is this a login script that you are running from Active Directory, through a GPO. Or are you pointing the account to a mapped drive and running a batch file?

J
0
 
SCP028Author Commented:
I am going to have it run as a log in script through GPO.
0
 
jmacmickingCommented:
If jdeclue's method doesn't work you can try this instead.  It's a two part process--since the PC doesn't store the actual account name (just the SID) you'll need to get a list of the accounts before removing the PC from the domain.  Then, once the computer has been joined, run the second script to add the names back in.  You'll need to be logged in as an admin in both cases.  Note that these scripts could be modified to run remotely; the PC would need to be on and the account used would have to be an admin on the box (a member of Domain Admins for instance) but it's possible.  You could even set up the script to do multiple PCs, although I wouldn't really recommend it due to the difficulty in tracking machines that weren't successful (they weren't on, something timed out, they haven't been migrated yet, etc.).

First script; pulls the names of the accounts in the administrators group and lists them in a text file:
      Option Explicit
      ' Writes the members of the local Administrators group, one bare account
      ' name per line, to adminlist.txt in the current directory. Run it while
      ' the PC is still joined to the old domain, otherwise the old-domain
      ' entries no longer resolve to names (only their SIDs are stored locally).

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, OutputFile

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      Set OutputFile = FSO.CreateTextFile("adminlist.txt", True)   ' True = overwrite

      ' Bind to the local group through the WinNT provider
      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators,group")

      For Each UserAccount In AdminList.Members
            ' Name is the account name without the domain part; skip the built-in account
            If Not UserAccount.Name = "Administrator" Then OutputFile.WriteLine UserAccount.Name
      Next
      OutputFile.Close

Second script; pulls the names from the text file and adds them to the administrators group:
      Option Explicit
      ' Reads adminlist.txt (one bare account name per line) and adds each name
      ' to the local Administrators group, qualified with the domain of the
      ' currently logged-on user. Run it logged on with an admin account from
      ' the new domain so that domain is the one used.

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, InputFile

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      Set InputFile = FSO.OpenTextFile("adminlist.txt", 1)   ' 1 = ForReading

      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators,group")

      While Not InputFile.AtEndOfStream
            UserAccount = Trim(InputFile.ReadLine)
            If Len(UserAccount) > 0 Then
                  ' A bare name is ambiguous to the provider, so qualify it with the domain
                  AdminList.Add "WinNT://" & WshNetwork.UserDomain & "/" & UserAccount
            End If
      Wend

      InputFile.Close
0
 
jdeclueCommented:
Ok, back that up. I wasn't thinking. Startup/Shutdown (Computer Configuration) scripts runs as Administrator, Logon/Logoff runs as USER. So my idea probably will not work. ;)

J
0
 
jdeclueCommented:
These people are already logging in as local admin, but on the old domain, right? Is there a trust set up already to the new domain, with their other account there?
0
 
SCP028Author Commented:
Yes, there will be a trust setup with the old domain.  
0
 
SCP028Author Commented:
Jmacmicking,

Regarding the script you posted.  Thanks.  There are some problems though:
1.  The 1st script works great.  However, when you go to run it again, it bombs out if any one account already exists on the machine, i.e. Domain Admins.

2.  I need the second part of the script to put the new domain name in the first part of the username.  
0
 
jmacmickingCommented:
1.
If you have a list of accounts that you don't want to add back to the PC you can:
  Modify the first script to prevent it adding any accounts that would be undesirable (as I already did with the local Administrators account)
  Modify the second script so it doesn't add those accounts.

If you need help with either method just provide a list of the accounts you don't want to add and I'll add it to the script.  Or, I can use generic names to get you started and let you handle the rest.  

If you just want to avoid duplicates I can add in a section that searches the current list of accounts and skips any that already exist.  

Lemme know which works best for you.

2.
Can you give an example of the exact format you want the new name added in?  
The PC should automatically use the current login domain when you add the names back in so, usually, logging in with a domain account that has administrative rights is all that's necessary.  If you aren't using an account on the new domain it'll be a bit more of a bear--in fact, unless there's a trust set up, I can't think of any good way to do it.
0
 
SCP028Author Commented:
1.  Avoiding duplicates would be the way to go.  

2.  I would like the new name added as "newdomain\username".  With "newdomain" being the name of the new domain, and "username" being the username of whatever user was previously added to the local admin group.  I am going to test the script right now in our lab to see if it will append the username saved to adminlist.txt to include the new domain.
0
 
jmacmickingCommented:
"Quick and dirty" avoid duplicates; put this line right before the Add statement
  ON ERROR RESUME NEXT
After the Add statement put
  ON ERROR GOTO 0

This allows the occasional error when adding an account but still halts the script if other errors crop up.

A better method to avoid duplicates would be to use a dictionary object to track all existing accounts:
      Option Explicit
      ' Same as the second script, but first loads the current members into a
      ' Dictionary and skips any name that is already in the group.

      Dim AdminList, UserAccount
      Dim WshNetwork, FSO, InputFile, CurAdminsList, AdminAccount

      Set WshNetwork = WScript.CreateObject("WScript.Network")
      Set FSO = CreateObject("Scripting.FileSystemObject")
      Set CurAdminsList = CreateObject("Scripting.Dictionary")
      CurAdminsList.CompareMode = vbTextCompare   ' account names are not case sensitive
      Set InputFile = FSO.OpenTextFile("adminlist.txt", 1)   ' 1 = ForReading

      Set AdminList = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators,group")

      ' Name carries no domain, so OLDDOM\JohnS and NEWDOM\JohnS share one key;
      ' Dictionary.Add raises an error on a duplicate key, hence the Exists check
      For Each AdminAccount In AdminList.Members
            If Not CurAdminsList.Exists(AdminAccount.Name) Then
                  CurAdminsList.Add AdminAccount.Name, AdminAccount.Name
            End If
      Next

      While Not InputFile.AtEndOfStream
            UserAccount = Trim(InputFile.ReadLine)
            'msgbox WshNetwork.UserDomain & "\" & UserAccount
            If Len(UserAccount) > 0 And Not CurAdminsList.Exists(UserAccount) Then
                  ' Qualify with the logged-on user's domain (the new domain)
                  AdminList.Add "WinNT://" & WshNetwork.UserDomain & "/" & UserAccount
                  CurAdminsList.Add UserAccount, UserAccount
            End If
      Wend

      InputFile.Close
0
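An added example, not code from the thread or from either poster: the same snapshot-then-restore procedure from jmacmicking's two-script method, with the duplicate check from the Dictionary version and the "newdomain\username" mapping SCP028 asked for, written as one PowerShell script using the same WinNT ADSI provider. It is meant to run as a GPO startup (computer) script, since that runs as SYSTEM and can change the group, where a logon script runs as the user and cannot. The script name Move-LocalAdmins.ps1, the domain names DOMABC and NEWDOMABC (taken from the question), the snapshot file path and the exclusion list are assumptions to adjust.

```powershell
<#
  Added example, not from the original thread. Snapshot/restore of a local
  group's membership across an NT4 -> AD domain move, via the WinNT ADSI
  provider. Assumed placeholders: DOMABC / NEWDOMABC (from the question), the
  group name, the snapshot file path and the exclusion list.

  Usage:  .\Move-LocalAdmins.ps1 -Mode Snapshot   (while still joined to the old domain)
          .\Move-LocalAdmins.ps1 -Mode Restore    (after the machine has joined the new domain)
#>
param(
    [Parameter(Mandatory)][ValidateSet('Snapshot', 'Restore')][string] $Mode,
    [string]   $OldDomain = 'DOMABC',       # assumption: NetBIOS name of the old NT4 domain
    [string]   $NewDomain = 'NEWDOMABC',    # assumption: NetBIOS name of the new AD domain
    [string]   $Group     = 'Administrators',
    [string]   $File      = "$env:SystemRoot\Temp\adminlist-$env:COMPUTERNAME.txt",  # assumption
    [string[]] $Exclude   = @('Administrator', 'Domain Admins'),  # never re-add these by name
    [switch]   $RemoveOrphans   # also drop members that no longer resolve (bare SIDs)
)

# Changing a local group needs admin rights: SYSTEM via a GPO startup script
# qualifies, an ordinary user's logon script does not.
$principal = New-Object System.Security.Principal.WindowsPrincipal(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Must run with local administrator rights (e.g. as a GPO startup script)."
}

$grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"

# Enumerate the group. Each member's ADsPath is WinNT://<domain-or-computer>/<name>;
# a member whose account can no longer be resolved shows up as a bare SID (S-1-5-...).
function Get-Members {
    foreach ($m in $grp.psbase.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Domain   = $parts[0]
            Name     = $parts[-1]
            Path     = $path
            Orphaned = ($parts[-1] -match '^S-1-\d+(-\d+)+$')
        }
    }
}

switch ($Mode) {
    'Snapshot' {
        # Record only the old-domain members to carry over; local accounts,
        # well-known principals and the exclusion list stay out of the file.
        $keep = @(Get-Members | Where-Object {
            -not $_.Orphaned -and $_.Domain -eq $OldDomain -and $Exclude -notcontains $_.Name
        })
        $lines = @($keep | ForEach-Object { "$($_.Domain)\$($_.Name)" })
        Set-Content -Path $File -Value $lines
        Write-Host "Wrote $($keep.Count) $OldDomain members of $Group to $File"
    }
    'Restore' {
        if (-not (Test-Path $File)) { throw "No snapshot at $File; run -Mode Snapshot first." }
        $current = @(Get-Members)
        # Case-insensitive set of DOMAIN\Name already in the group, used to skip duplicates
        $have = New-Object 'System.Collections.Generic.HashSet[string]' `
            -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
        foreach ($c in $current) { [void]$have.Add("$($c.Domain)\$($c.Name)") }

        foreach ($line in Get-Content $File | Where-Object { $_.Trim() }) {
            $dom, $name = $line.Trim() -split '\\', 2
            if (-not $name) { $name = $dom; $dom = $NewDomain }   # bare name: assume new domain
            if ($dom -eq $OldDomain) { $dom = $NewDomain }        # the mapping the question asks for
            if ($Exclude -contains $name) { continue }
            if ($have.Contains("$dom\$name")) { Write-Host "skip  $dom\$name (already a member)"; continue }
            try {
                $grp.psbase.Invoke('Add', "WinNT://$dom/$name")   # must resolve in the new domain
                [void]$have.Add("$dom\$name")
                Write-Host "added $dom\$name"
            } catch {
                Write-Warning "could not add $dom\$name : $($_.Exception.Message)"
            }
        }
        if ($RemoveOrphans) {
            # Old-domain entries turn into unresolvable SIDs once that domain is gone;
            # leaving them in Administrators is a clean-up item, so remove them on request.
            foreach ($o in $current | Where-Object { $_.Orphaned }) {
                $grp.psbase.Invoke('Remove', $o.Path)
                Write-Host "removed orphaned SID $($o.Name)"
            }
        }
    }
}
```

The snapshot has to be taken while the machine is still joined to the old domain, because the group only stores SIDs and the old names stop resolving once the trust or the old domain is gone. The file is written per computer so that 1,000 machines each restore their own list. The Restore mode also accepts the bare names produced by the VBScript above and prefixes them with the new domain. The orphan clean-up is opt-in because it deletes entries; run once without -RemoveOrphans and check the "added" and "skip" lines before enabling it.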
 
jdeclueCommented:
If there will be a trust set up, then the login script will work just fine: the local user is a local administrator and they can add accounts from the new domain to the local administrators group. ;) Since %username% does not include the domain, by setting the new domain name in the command, it will work just fine.

J
 
0
 
SCP028Author Commented:
I am in the process of testing both of these suggestions in the lab.  Unfortunately some of my lab equipment was pulled yesterday and put into production (hardware failures...).
0
