Solved

Use a vb script to add/remove groups from local administrator

Posted on 2008-06-19
Last Modified: 2012-05-05
Hello everyone. I would like to use a vbscript to clean up the groups that are local administrators on workstations.

My plan is to look at the first four in the computer name and add the correct groups using that. For example, computers beginning with USAT would have the USAT_PC_TECH group added and all others removed.

Is this possible? I looked at doing a change in the registry but had no luck so far. Any advice would be greatly appreciated.
Question by:Lorrec

Expert Comment

by:ms-pro
ID: 21823687
Try this.
Removes other from the local Administrators group on a computer named MyComputer.

strComputer = "MyComputer"
' Bind to the local Administrators group and to the group being removed
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objMember = GetObject("WinNT://" & strComputer & "/other,group")
objGroup.Remove(objMember.ADsPath)

----------------------------------------------------------------------

Adds a group (everyone) to the local Administrators group on a computer named MyComputer.

strComputer = "MyComputer"
' Bind to the local Administrators group and to the group being added
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objMember = GetObject("WinNT://" & strComputer & "/everyone,group")
objGroup.Add(objMember.ADsPath)
 
LVL 38

Expert Comment

by:Shift-3
ID: 21823716
It might be easier to do this using the Restricted Groups setting in Group Policy.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

If you do decide to go the script route then the below should work.  Customize the value of the strDomain variable with the NETBIOS name of your domain.  Customize entries in the objGroups dictionary with the 4-character prefix and the corresponding group to add.


strDomain = "YOURDOMAIN"

' Map each 4-character computer-name prefix to the domain group to add
Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.Add "USAT", "USAT_PC_TECH"
objGroups.Add "USXX", "USXX_PC_TECH"
objGroups.Add "USYY", "USYY_PC_TECH"

arrGroups = objGroups.Keys

' First four characters of this computer's name
Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 4)

For Each strGroup in arrGroups
	If strGroup = strPrefix Then
		' Add the matching domain group to the local Administrators group
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & objGroups.Item(strGroup)
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Add(objADGroup.ADsPath)
	End If
Next
 

Author Comment

by:Lorrec
ID: 21824775
Thank you for the responses.

I have changed my approach and now am only going to remove two groups. I have worked on a modification based on the two scripts but I am having a few issues.

Any suggestions?

strDomain = "FDS"

Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.Remove "USAT", "USAT_PC_TECH"
objGroups.Remove "USAT", "USAT_Packaging"

arrGroups = objGroups.Keys

Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WSHShell.ExpandEnvironmentStrings("%computername%"), 4)

For Each strGroup in arrGroups
	If strGroup = strPrefix Then
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & objGroups.Item(strGroup)
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Remove(objADGroup.ADsPath)
	End If
Next
 
LVL 38

Accepted Solution

by:
Shift-3 earned 500 total points
ID: 21825154
Try this.


' Continue past errors, e.g. when a group is not a member on this computer
On Error Resume Next

strDomain = "FDS"

' Domain groups to remove from the local Administrators group
arrGroups = Array("USAT_PC_TECH","USAT_Packaging")

' First four characters of this computer's name
Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 4)

For Each strGroup in arrGroups
	If strPrefix = "USAT" Then
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & strGroup
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Remove(objADGroup.ADsPath)
	End If
Next
 

Author Comment

by:Lorrec
ID: 21825946
Thanks again for the posts. I have a lot of locations that need the groups removed and only one that does not. Could I do  <> "USAR"  (location not changing) rather than create 300 with different strPrefix?
 

Author Comment

by:Lorrec
ID: 21835048
I have the script working in my test lab. I have one more question. As you can tell, I am new to scripting and do not know the answer to this. Will the script try to do every PC across the domain at once or only the local PC that I run it on?

For example, I am at my production workstation. If I run the script here, will it only remove the groups from my system or try to do it to all of them across the entire domain?

Thank you for the help. It is very much appreciated.

'On Error Resume Next

strDomain = "natest"

' Domain groups to remove from the local Administrators group
arrGroups = Array("TLNA-Helpdesk","Domain Admins")

' First four characters of this computer's name
Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 4)

For Each strGroup in arrGroups
	' Every computer except those whose name starts with TLNA
	If strPrefix <> "TLNA" Then
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & strGroup
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Remove(objADGroup.ADsPath)
	End If
Next
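
An audit-friendly variant of the removal script above, added here as an example and not part of the original thread: it lists current membership, skips groups that are not members, supports a dry run, and reports each failure instead of suppressing it. The domain, group names and exempt prefix are the lab values from the post; `blnDryRun` and `RemoveIfMember` are hypothetical names, and the `WinNT://.` binding means only the computer the script runs on is touched.

```vbscript
' Added example (not from the thread). Domain, groups and exempt prefix are the
' thread's lab values; blnDryRun and RemoveIfMember are hypothetical names.
Option Explicit

Const blnDryRun = True              ' True = report only, change nothing
Const strDomain = "natest"
Const strExemptPrefix = "TLNA"      ' computers with this prefix are left alone

Dim arrGroups, objNet, strComputer, objLocalGroup, objMember, strGroup
arrGroups = Array("TLNA-Helpdesk", "Domain Admins")

Set objNet = CreateObject("WScript.Network")
strComputer = objNet.ComputerName

If UCase(Left(strComputer, 4)) = strExemptPrefix Then
    WScript.Echo strComputer & ": exempt prefix, nothing to do"
    WScript.Quit 0
End If

' "WinNT://." binds to the computer the script runs on, nothing else.
Set objLocalGroup = GetObject("WinNT://./Administrators,group")

' Record membership before any change so the run can be audited afterwards.
For Each objMember In objLocalGroup.Members
    WScript.Echo strComputer & ": current member " & objMember.ADsPath
Next

For Each strGroup In arrGroups
    RemoveIfMember objLocalGroup, "WinNT://" & strDomain & "/" & strGroup
Next

Sub RemoveIfMember(objGroup, strPath)
    If Not objGroup.IsMember(strPath) Then
        WScript.Echo strComputer & ": not a member, skipped " & strPath
        Exit Sub
    End If
    If blnDryRun Then
        WScript.Echo strComputer & ": would remove " & strPath
        Exit Sub
    End If
    On Error Resume Next            ' error trapping scoped to this one call
    objGroup.Remove strPath
    If Err.Number <> 0 Then
        WScript.Echo strComputer & ": FAILED " & strPath & " (0x" & Hex(Err.Number) & ") " & Err.Description
    Else
        WScript.Echo strComputer & ": removed " & strPath
    End If
    On Error GoTo 0
End Sub
```

Run it with `cscript //nologo` so the output can be redirected to a log, and set `blnDryRun` to `False` only after reviewing the dry-run output.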

 

Author Closing Comment

by:Lorrec
ID: 31468813
Thank you for the response.