Jeffrey Renfroe
Use a vb script to add/remove groups from local administrator
Hello everyone. I would like to use a vbscript to clean up the groups that are local administrators on workstations.
My plan is to look at the first four in the computer name and add the correct groups using that. For example, computers beginning with USAT would have the USAT_PC_TECH group added and all others removed.
Is this possible? I looked at doing a change in the registry but had no luck so far. Any advice would be greatly appreciated.
It might be easier to do this using the Restricted Groups setting in Group Policy.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
If you do decide to go the script route then the below should work. Customize the value of the strDomain variable with the NETBIOS name of your domain. Customize entries in the objGroups dictionary with the 4-character prefix and the corresponding group to add.
strDomain = "YOURDOMAIN"
' Map each 4-character computer name prefix to the domain group to add
Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.Add "USAT", "USAT_PC_TECH"
objGroups.Add "USXX", "USXX_PC_TECH"
objGroups.Add "USYY", "USYY_PC_TECH"
arrGroups = objGroups.Keys
Set WshShell = WScript.CreateObject("WScript.Shell")
' First four characters of this computer's name
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 4)
For Each strGroup in arrGroups
    If strGroup = strPrefix Then
        ' "." binds to the Administrators group on the local computer
        Set objLocalGroup = GetObject("WinNT://./Administrators")
        strADGroup = "WinNT://" & strDomain & "/" & objGroups.Item(strGroup)
        Set objADGroup = GetObject(strADGroup)
        objLocalGroup.Add(objADGroup.ADsPath)
    End If
Next
ASKER
Thank you for the responses.
I have changed my approach and now am only going to remove two groups. I have worked on a modification based on the two scripts but I am having a few issues.
Any suggestions?
strDomain = "FDS"
Set objGroups = CreateObject("Scripting.Dictionary")
objGroups.Remove "USAT", "USAT_PC_TECH"
objGroups.Remove "USAT", "USAT_Packaging"
arrGroups = objGroups.Keys
Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WSHShell.ExpandEnvironmentStrings("%computername%"), 4)
For Each strGroup in arrGroups
    If strGroup = strPrefix Then
        Set objLocalGroup = GetObject("WinNT://./Administrators")
        strADGroup = "WinNT://" & strDomain & "/" & objGroups.Item(strGroup)
        Set objADGroup = GetObject(strADGroup)
        objLocalGroup.Remove(objADGroup.ADsPath)
    End If
Next
ASKER
Thanks again for the posts. I have a lot of locations that need the groups removed and only one that does not. Could I do <> "USAR" (location not changing) rather than create 300 with different strPrefix?
ASKER
I have the script working in my test lab. I have one more question. As you can tell, I am new to scripting and do not know the answer to this. Will the script try to do every PC across the domain at once or only the local PC that I run it on?
For example, I am at my production workstation. If I run the script here, will it only remove the groups from my system or try to do it to all of them across the entire domain?
Thank you for the help. It is very much appreciated.
'On Error Resume Next
strDomain = "natest"
' Domain groups to remove from the local Administrators group
arrGroups = Array("TLNA-Helpdesk","Domain Admins")
Set WshShell = WScript.CreateObject("WScript.Shell")
' First four characters of this computer's name
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 4)
For Each strGroup in arrGroups
    ' Computers whose name starts with TLNA are left unchanged
    If strPrefix <> "TLNA" Then
        ' "." binds to the Administrators group on the local computer only
        Set objLocalGroup = GetObject("WinNT://./Administrators")
        strADGroup = "WinNT://" & strDomain & "/" & strGroup
        Set objADGroup = GetObject(strADGroup)
        objLocalGroup.Remove(objADGroup.ADsPath)
    End If
Next
ASKER
Thank you for the response.
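Added example, not part of the original thread: a variant of the removal script above that lists the current members of the local Administrators group, skips computers with an exempt name prefix, and checks membership before calling Remove, with a report-only switch for a first pass. The domain name, the exempt prefix, the group names (taken from the posts above) and the blnDryRun switch are assumptions to adjust.

```vbscript
' Added example (not from the thread). strDomain, strExemptPrefix, arrRemove
' and blnDryRun are placeholder values to customise.
Option Explicit

Dim strDomain, strExemptPrefix, blnDryRun, arrRemove
Dim objNet, strComputer, objLocalGroup, objMember, strGroup, strPath

strDomain = "YOURDOMAIN"          ' NetBIOS domain name (placeholder)
strExemptPrefix = "USAR"          ' computers with this prefix are left alone
blnDryRun = True                  ' True = report only, change nothing
arrRemove = Array("USAT_PC_TECH", "USAT_Packaging")

Set objNet = CreateObject("WScript.Network")
strComputer = objNet.ComputerName

' Bind to the Administrators group of this computer only
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Record the starting membership so the change can be reviewed afterwards
WScript.Echo "Members of local Administrators on " & strComputer & ":"
For Each objMember In objLocalGroup.Members
    WScript.Echo "  " & objMember.ADsPath
Next

If UCase(Left(strComputer, 4)) = UCase(strExemptPrefix) Then
    WScript.Echo "Exempt prefix, nothing to do."
    WScript.Quit 0
End If

For Each strGroup In arrRemove
    strPath = "WinNT://" & strDomain & "/" & strGroup
    ' Only call Remove for a group that is currently a member
    If objLocalGroup.IsMember(strPath) Then
        If blnDryRun Then
            WScript.Echo "Would remove " & strPath
        Else
            objLocalGroup.Remove strPath
            WScript.Echo "Removed " & strPath
        End If
    Else
        WScript.Echo "Not a member, skipped: " & strPath
    End If
Next
```

Run it with cscript.exe from an elevated prompt so the output goes to the console; set blnDryRun to False once the report matches what is expected.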