
Remove local administrators group members and assign them as power users

Posted on 2007-07-22
Last Modified: 2008-03-17
Hi Experts;

I would like your help writing a script that does the following:

1- Keeps the following groups or users in the local Administrators group:
        Domain\Domain Admins
        Domain\Support
        Computername\manager - local user account

2- Disables the local Administrator account if it exists. Our domain policy is to rename the Administrator account to (manager), but during some Windows installations some of the technical support team wrongly add a local account named (manager) in addition to Administrator, so the policy cannot be applied because of the name conflict.

3- Removes any other member from the local Administrators group and assigns them to the Power Users group.

4- (optional) Resets the password for the manager account, for example to the password (abcd1234).

Note that I will deploy this script using Altiris Deployment Server as a job; also note that our environment has Windows XP and Windows 2000.
Question by:abd_1980us

4 Comments
 
Expert Comment

by:RobSampson
ID: 19545458
Hi abd_1980us,

Try running this script on a client computer, as a member of the Domain Admins group:
'=========================
' Run this as a member of Domain Admins. Because it is meant for an unattended
' Altiris job, messages go to WScript.Echo (run it with cscript.exe) instead of
' MsgBox, which would block the job waiting for a click nobody can give.
Set wshNetwork = WScript.CreateObject("WScript.Network")
strUserDomain = wshNetwork.UserDomain
strUserComputer = wshNetwork.ComputerName
strUserName = wshNetwork.UserName

' Get the groups that we are controlling
strGroupToCheck = "Administrators"
strGroupToAddTo = "Power Users"
Set objAdmins = GetObject("WinNT://" & strUserComputer & "/" & strGroupToCheck)
Set objPowerUsers = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo)

' Define the user groups or accounts that are required to be in the group
arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserDomain & "/Support", strUserComputer & "/Manager")

' Make sure the DefaultUsers exist in the group
For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
      On Error Resume Next
      Set objWinntUser = GetObject("WinNT://" & arrDefaultUsers(intCount))
      If Err.Number = 0 Then
            On Error GoTo 0
            If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
                  objAdmins.Add(objWinntUser.ADsPath)
                  WScript.Echo arrDefaultUsers(intCount) & " was added to the " & strGroupToCheck & " group."
            End If
      Else
            WScript.Echo arrDefaultUsers(intCount) & " could not be found."
            Err.Clear
            On Error GoTo 0
      End If
Next

' Take a snapshot of the current members before changing anything: removing
' members while enumerating objAdmins.Members can skip entries.
Set dictMembers = CreateObject("Scripting.Dictionary")
For Each objMember In objAdmins.Members
      dictMembers.Add objMember.ADsPath, objMember
Next

' Now check remaining users in the Administrators group
For Each strPath In dictMembers.Keys
      Set objMember = dictMembers(strPath)
      ' Get the proper account name. Local accounts enumerate as
      ' WinNT://DOMAIN/COMPUTER/name and domain accounts as WinNT://DOMAIN/name.
      If InStr(1, strPath, strUserComputer, vbTextCompare) > 0 Then
            strAccountName = Replace(strPath, "WinNT://" & strUserDomain & "/", "", 1, -1, vbTextCompare)
      Else
            strAccountName = Replace(strPath, "WinNT://", "", 1, -1, vbTextCompare)
      End If

      ' Check if they "should" be there or not
      boolValidMember = False
      For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
            If LCase(strAccountName) = LCase(arrDefaultUsers(intCount)) Then boolValidMember = True
      Next

      ' Disable the Administrator account, or move anyone else to the Power Users group
      If boolValidMember = False Then
            If LCase(strAccountName) = LCase(strUserComputer & "/Administrator") Then
                  If objMember.AccountDisabled = False Then
                        objMember.AccountDisabled = True
                        objMember.SetInfo
                        WScript.Echo strAccountName & " was disabled."
                  End If
            Else
                  objAdmins.Remove(strPath)
                  objPowerUsers.Add(strPath)
                  WScript.Echo strAccountName & " was moved to " & strGroupToAddTo & "."
            End If
      End If
Next

' Now reset the manager password.
' The password sits in clear text in this script, so anyone who can read the
' Altiris job can read it, and it is identical on every machine the job touches.
Set objUser = GetObject("WinNT://" & strUserComputer & "/Manager")
objUser.SetPassword("password")

WScript.Echo "Done"

Function IsMemberOfGroup(strComputer, objUser, strGroup) 'the user is a member of a specified group
      Dim objGroup
      IsMemberOfGroup = False
      On Error Resume Next
      Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
      If Err.Number <> 0 Then
            WScript.Echo "Group " & strGroup & " could not be opened: " & Err.Description
            Err.Clear
      Else
            IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
      End If
      On Error GoTo 0
End Function
'======================

Regards,

Rob.

Author Comment

by:abd_1980us
ID: 19546926
Hi RobSampson,
I want to thank you for helping me; also I want to inform you of two things:
1- First, I ran the script on a PC that has a special case: the account (manager) does not exist, only the (administrator) account is available. In this case I suggest creating a new account (manager) and disabling the (administrator) account.
error:
Script: ...
line: 64
char 1
error: the group could not be found code 800708AC
source: (null)
2- For some groups of computers I need the user to be in the Power Users group + Network Configuration Operators group; how can I modify the script in this case?

Accepted Solution

by:RobSampson (earned 2000 total points)
ID: 19552538
Hi, try this version (untested).
I have added a couple of functions: one checks for the existence of a user, the other adds a user account, with the password set to never expire.
Also, to add the users to another group, I added three lines, but not together. They were:
strGroupToAddTo2 = "Network Configuration Operators"
Set objNetConfOps = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo2)
objNetConfOps.Add(objMember.ADsPath)

'======================
'Change_Local_Admin_Members_To_Power_Users.vbs
' Run as a member of Domain Admins. Because this is meant for an unattended
' Altiris job, messages go to WScript.Echo (run it with cscript.exe) instead of
' MsgBox, which would block the job waiting for a click.
Set wshNetwork = WScript.CreateObject("WScript.Network")
strUserDomain = wshNetwork.UserDomain
strUserComputer = wshNetwork.ComputerName
strUserName = wshNetwork.UserName
strLogData = ""

' Get the groups that we are controlling
strGroupToCheck = "Administrators"
strGroupToAddTo = "Power Users"
strGroupToAddTo2 = "Network Configuration Operators"
Set objAdmins = GetObject("WinNT://" & strUserComputer & "/" & strGroupToCheck)
Set objPowerUsers = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo)

' Network Configuration Operators exists on Windows XP but not on Windows 2000,
' so a missing group must not abort the whole run.
Set objNetConfOps = Nothing
On Error Resume Next
Set objNetConfOps = GetObject("WinNT://" & strUserComputer & "/" & strGroupToAddTo2)
If Err.Number <> 0 Then
      WScript.Echo strGroupToAddTo2 & " group was not found on " & strUserComputer & "; it will be skipped."
      Err.Clear
      Set objNetConfOps = Nothing
End If
On Error GoTo 0

' Define the user groups or accounts that are required to be in the group
arrDefaultUsers = Array(strUserDomain & "/Domain Admins", strUserDomain & "/Support", strUserComputer & "/Manager")

' Make sure the DefaultUsers exist in the group
For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
      boolAccountExists = DoesUserExist(arrDefaultUsers(intCount))
      ' If the account from the array actually exists, then check its membership in strGroupToCheck
      If boolAccountExists = True Then
            Set objWinntUser = GetObject("WinNT://" & arrDefaultUsers(intCount))
            If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
                  objAdmins.Add(objWinntUser.ADsPath)
                  WScript.Echo arrDefaultUsers(intCount) & " was added to the " & strGroupToCheck & " group."
            End If
      Else
            ' If it is the manager account that does not exist, create it
            If LCase(Mid(arrDefaultUsers(intCount), InStr(arrDefaultUsers(intCount), "/") + 1)) = "manager" Then
                  ' Params are: loginname, domain (computer), full name, password, description, group_to_add_user_to
                  AddUser "manager", strUserComputer, "Manager Account", "password", "This is a new Admin account", strGroupToCheck
            Else
                  WScript.Echo arrDefaultUsers(intCount) & " could not be found."
            End If
      End If
Next

' Take a snapshot of the current members before changing anything: removing
' members while enumerating objAdmins.Members can skip entries.
Set dictMembers = CreateObject("Scripting.Dictionary")
For Each objMember In objAdmins.Members
      dictMembers.Add objMember.ADsPath, objMember
Next

' Now check remaining users in the Administrators group
For Each strPath In dictMembers.Keys
      Set objMember = dictMembers(strPath)
      ' Get the proper account name. Local accounts enumerate as
      ' WinNT://DOMAIN/COMPUTER/name and domain accounts as WinNT://DOMAIN/name.
      If InStr(1, strPath, strUserComputer, vbTextCompare) > 0 Then
            strAccountName = Replace(strPath, "WinNT://" & strUserDomain & "/", "", 1, -1, vbTextCompare)
      Else
            strAccountName = Replace(strPath, "WinNT://", "", 1, -1, vbTextCompare)
      End If

      ' Check if they "should" be there or not
      boolValidMember = False
      For intCount = LBound(arrDefaultUsers) To UBound(arrDefaultUsers)
            If LCase(strAccountName) = LCase(arrDefaultUsers(intCount)) Then boolValidMember = True
      Next

      ' Disable the Administrator account, or if the account is not Administrator move them to the other groups
      If boolValidMember = False Then
            If LCase(strAccountName) = LCase(strUserComputer & "/Administrator") Then
                  If objMember.AccountDisabled = False Then
                        objMember.AccountDisabled = True
                        objMember.SetInfo
                        WScript.Echo strAccountName & " was disabled."
                  End If
            Else
                  objAdmins.Remove(strPath)
                  objPowerUsers.Add(strPath)
                  If Not objNetConfOps Is Nothing Then objNetConfOps.Add(strPath)
                  WScript.Echo strAccountName & " was moved out of " & strGroupToCheck & "."
            End If
      End If
Next

' Now reset the manager password.
' The password sits in clear text in this script, so anyone who can read the
' Altiris job can read it, and it is identical on every machine the job touches.
Set objUser = GetObject("WinNT://" & strUserComputer & "/Manager")
objUser.SetPassword("password")

If strLogData <> "" Then WScript.Echo strLogData
WScript.Echo "Done"

Function DoesUserExist(strUser)
      Dim objUser
      DoesUserExist = False
      On Error Resume Next
      Set objUser = GetObject("WinNT://" & strUser)
      If Err.Number = 0 Then DoesUserExist = True
      Err.Clear
      On Error GoTo 0
End Function

Function IsMemberOfGroup(strComputer, objUser, strGroup) 'the user is a member of a specified group
      Dim objGroup
      IsMemberOfGroup = False
      On Error Resume Next
      Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
      If Err.Number <> 0 Then
            WScript.Echo "Group " & strGroup & " could not be opened: " & Err.Description
            Err.Clear
      Else
            IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
      End If
      On Error GoTo 0
End Function

Sub AddUser(strUser, strDomain, strFullname, strPassword, strDesc, strGroupToAddTo)
      Dim Computer, User, objGroup, objUser, arrInvalidChars, boolValid, intCount
      Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

      ' Characters Windows does not allow in an account name, plus the 20-character limit
      arrInvalidChars = Array("""", "/", "\", "[", "]", ":", ";", "|", "=", ",", "+", "*", "?", "<", ">")
      boolValid = True
      If Len(strUser) > 20 Then
            boolValid = False
      End If
      For intCount = LBound(arrInvalidChars) To UBound(arrInvalidChars)
            If InStr(strUser, arrInvalidChars(intCount)) > 0 Then
                  boolValid = False
            End If
      Next
      If boolValid = True Then
            Set Computer = GetObject("WinNT://" & strDomain)
            Set User = Computer.Create("User", strUser)
            User.FullName = strFullname
            User.Description = strDesc
            Call User.SetPassword(strPassword)
            User.SetInfo

            Set objGroup = GetObject("WinNT://" & strDomain & "/" & strGroupToAddTo)
            Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser)
            objGroup.Add(objUser.ADsPath)

            ' Set "password never expires" (this exempts the account from the domain
            ' maximum-password-age policy). Or sets the bit; Xor would toggle it and
            ' clear the flag if it was already set.
            objUser.Put "UserFlags", objUser.Get("UserFlags") Or ADS_UF_DONT_EXPIRE_PASSWD
            objUser.SetInfo

            Set User = Nothing
            Set Computer = Nothing
            strLogData = strLogData & vbCrLf & strUser & " has been created and added to the " & strGroupToAddTo & " group on " & strDomain & "."
      Else
            strLogData = strLogData & vbCrLf & "FAILED CREATING USER: " & strUser & " - it contains invalid characters or is more than 20 characters long."
      End If
End Sub
'==================

Regards,

Rob.
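The same enforcement on a current Windows build, as an added example that is not part of the original question or of RobSampson's script. It uses the LocalAccounts cmdlets (Windows 10 / Server 2016 and later, Windows PowerShell 5.1), which did not exist on the XP and 2000 hosts in the thread. The domain name CONTOSO and the default allow-list are assumptions; everything else is built in. The security-relevant difference from the VBScript is that the built-in Administrator is recognised by its RID-500 SID rather than by its name, so neither the rename-to-manager policy nor a stray second "manager" account can confuse it, and all membership comparisons are by SID rather than by name string.

```powershell
<#
  Added example (not from the original post or RobSampson's script): the thread's
  policy written for the LocalAccounts module on Windows 10 / Server 2016+ with
  Windows PowerShell 5.1. Assumed, not from the page: domain CONTOSO and the default
  allow-list. Run elevated; use -WhatIf to audit before enforcing.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Principals that must stay in Administrators, as DOMAIN\name or COMPUTER\name.
    [string[]]$Keep = @('CONTOSO\Domain Admins', 'CONTOSO\Support', "$env:COMPUTERNAME\manager"),
    # Group that demoted members are moved to; BUILTIN\Power Users is S-1-5-32-547.
    [string]$DemoteToSid = 'S-1-5-32-547'
)

# BUILTIN\Administrators by well-known SID, so the script does not depend on the display language.
$AdministratorsSid = 'S-1-5-32-544'

function Resolve-AccountSid {
    # Resolve DOMAIN\name once; every later comparison is by SID, not by a name string
    # whose case, domain prefix or format may differ between the allow-list and enumeration.
    param([string]$Account)
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        Write-Warning "$Account does not resolve; it will not be added or protected"
        $null
    }
}

function Get-BuiltinAdministratorSid {
    # The built-in Administrator is RID 500 under the machine's own domain SID, whatever
    # it is currently called. The machine SID is taken from any local account.
    $machineSid = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid
    $adminType  = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
    ([System.Security.Principal.SecurityIdentifier]::new($adminType, $machineSid)).Value
}

$keepSids     = @($Keep | ForEach-Object { Resolve-AccountSid $_ } | Where-Object { $_ })
$builtinAdmin = Get-BuiltinAdministratorSid
$members      = @(Get-LocalGroupMember -SID $AdministratorsSid)
$memberSids   = @($members | ForEach-Object { $_.SID.Value })

# 1. Everything on the allow-list must be present.
foreach ($sid in $keepSids) {
    if ($memberSids -notcontains $sid -and $PSCmdlet.ShouldProcess($sid, 'Add to Administrators')) {
        Add-LocalGroupMember -SID $AdministratorsSid -Member $sid
    }
}

# 2. Everyone else is either the built-in Administrator (disable it) or gets demoted.
foreach ($m in $members) {
    $sid = $m.SID.Value
    if ($keepSids -contains $sid) { continue }

    if ($sid -eq $builtinAdmin) {
        # Matched by RID 500: a renamed Administrator is still caught, and a separately
        # created user that merely happens to be called "Administrator" is not.
        if ($PSCmdlet.ShouldProcess($m.Name, 'Disable built-in Administrator (RID 500)')) {
            Disable-LocalUser -SID $sid
        }
        continue
    }

    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from Administrators, add to $DemoteToSid")) {
        Remove-LocalGroupMember -SID $AdministratorsSid -Member $m
        try {
            Add-LocalGroupMember -SID $DemoteToSid -Member $m
        } catch {
            # An orphaned SID of a deleted account cannot be added anywhere; removing it was enough.
            Write-Warning "Could not add $($m.Name) to $DemoteToSid`: $($_.Exception.Message)"
        }
    }
}
```

Run it once with -WhatIf to see what it would change. If the rename policy has already been applied, the RID-500 account is both "manager" and the built-in Administrator and the allow-list keeps it; if a separately created "manager" user sits beside an account still named Administrator, the latter is disabled by SID regardless of its name. Note that from Windows Vista onwards "Power Users" is a legacy group with no more rights than Users, so the demotion step is mostly cosmetic; the removal from Administrators is the control that matters.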

Author Comment

by:abd_1980us
ID: 19582896
Thank you RobSampson, you are great.