Solved

Clean local admin group with multiple domains

Posted on 2008-06-23
Last Modified: 2012-05-05
Hello everyone. I received some help earlier with a script that cleans up the local administrator group. I am working on modifying it to do multiple domains rather than just one.

I added strDomain = "lab" to part of the If statement. I was thinking that I could use this method with all domains. However, the script hangs on the second domain. I am assuming that I cannot have multiple items with the same name.

Do I need to create different variables? Thank you for any assistance.
strDomain = "lab"
arrGroups = Array("domain admins", "SMS administrators")

Set WshShell = WScript.CreateObject("WScript.Shell")
' "USATL" is five characters, so compare five; Left(..., 4) could never equal it
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 5)

' LogItem is defined elsewhere in the full script (not shown here)
For Each strGroup In arrGroups
	If strPrefix <> "USATL" And strDomain = "lab" Then
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & strGroup
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Remove(objADGroup.ADsPath)
		LogItem strGroup & " was removed from the local Administrators group."
	End If
Next

strDomain = "lab2"
arrGroups = Array("domain admins", "SMS administrators")

Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 5)

For Each strGroup In arrGroups
	If strPrefix <> "USATL" And strDomain = "lab2" Then
		Set objLocalGroup = GetObject("WinNT://./Administrators")
		strADGroup = "WinNT://" & strDomain & "/" & strGroup
		Set objADGroup = GetObject(strADGroup)
		objLocalGroup.Remove(objADGroup.ADsPath)
		LogItem strGroup & " was removed from the local Administrators group."
	End If
Next

Question by: Lorrec
6 Comments
 
Accepted Solution
by: purplepomegranite (earned 500 total points)
ID: 21850943
I think first you need to explain your domain set-up. Are you trying to run this in a forest that comprises several domains? There is nothing particularly wrong with the script as far as variables go, though the attached does tidy it up a little.

If it is hanging on the second domain part, I would imagine it is hanging trying to query AD, which is why I am interested in the network set-up. Have you tried fully qualified domain names, e.g. lab.local, lab2.local?
arrGroups = Array("domain admins", "SMS administrators")

Set WshShell = WScript.CreateObject("WScript.Shell")
' "USATL" is five characters, so compare five; Left(..., 4) could never equal it
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 5)

' LogItem is defined elsewhere in the full script (not shown here)
strDomain = "lab"
For Each strGroup In arrGroups
        If strPrefix <> "USATL" Then
                Set objLocalGroup = GetObject("WinNT://./Administrators")
                Set objADGroup = GetObject("WinNT://" & strDomain & "/" & strGroup)
                objLocalGroup.Remove(objADGroup.ADsPath)
                LogItem strGroup & " was removed from the local Administrators group."
        End If
Next

strDomain = "lab2"
For Each strGroup In arrGroups
        If strPrefix <> "USATL" Then
                Set objLocalGroup = GetObject("WinNT://./Administrators")
                Set objADGroup = GetObject("WinNT://" & strDomain & "/" & strGroup)
                objLocalGroup.Remove(objADGroup.ADsPath)
                LogItem strGroup & " was removed from the local Administrators group."
        End If
Next


Author Comment
by: Lorrec
ID: 21856779
My plan was to deploy the script through SMS to each system for cleanup. I was originally going to make a separate package for each domain. However, I thought I could combine them into one.

My previous example was not very good. I will be removing different groups from each domain. Below is a better example.

Now, I get an error message: Microsoft VBScript compilation error: Invalid 'for' loop control variable. It is at For Each strGroup in arrGroups. I assume I am getting this because I am using arrGroups twice with different values.
arrGroups = Array("domain admins", "SMS administrators")

Set WshShell = WScript.CreateObject("WScript.Shell")
' "USATL" is five characters, so compare five; Left(..., 4) could never equal it
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 5)

strDomain = "lab1"
For Each strGroup In arrGroups
        If strPrefix <> "USATL" Then
                Set objLocalGroup = GetObject("WinNT://./Administrators")
                Set objADGroup = GetObject("WinNT://" & strDomain & "/" & strGroup)
                objLocalGroup.Remove(objADGroup.ADsPath)
' NB: the If and For Each above are never closed (no End If, no Next)
' before the second block starts

arrGroups = Array("USMEC_Domain Administrator", "PC_TECH_USMEC")

Set WshShell = WScript.CreateObject("WScript.Shell")
strPrefix = Left(WshShell.ExpandEnvironmentStrings("%computername%"), 5)

strDomain = "lab2"
For Each strGroup In arrGroups
        If strPrefix <> "USMEC" Then
                Set objLocalGroup = GetObject("WinNT://./Administrators")
                Set objADGroup = GetObject("WinNT://" & strDomain & "/" & strGroup)
                objLocalGroup.Remove(objADGroup.ADsPath)
        End If
Next


Expert Comment
by: purplepomegranite
ID: 21856875
I still don't understand your domain setup. Are these domains in separate forests, or domains within the same forest? If they are separate domains, they will require separate scripts. Ideally you'd probably want different scripts anyway, as a computer can only be a member of one domain; just deploy the relevant script in each domain.

Your For Each error is probably because you are missing a Next for the first loop.

Author Comment
by: Lorrec
ID: 21857021
Thank you for the response.

They are domains within the same forest. I was hoping that I could get the script to see that the system is in one of the domains and perform cleanup. It would ignore the other domains because they did not match the criteria. That was why I originally had If strPrefix <> "USATL" And strDomain = "lab" Then. I thought with this present it would be ignored if it did not match and proceed to the next cleanup.

Basically, a system would only need to do cleanup on one and ignore the rest. Is it not possible for it to ignore the other domains if they do not match? When I set up the script with strDomain = "lab", it would work on the match but hang on the others.

Expert Comment
by: purplepomegranite
ID: 21857393
I could probably modify the script to actually query the machine as to its domain, and then run whichever was the appropriate routine.  I'll have a look and post back a little later.
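The approach the expert describes here, as an added example that is not code from the thread or from the expert: one VBScript for every domain in the forest that asks the machine which domain it is joined to (the ADSystemInfo object's DomainShortName, which is the NetBIOS name the WinNT provider expects) and applies only that domain's group list, so the script never tries to resolve a group in a domain the computer is not a member of. The domain names LAB1 and LAB2, the group names and the USATL computer-name prefix are placeholders modelled on the thread's examples, not confirmed values, and LogItem is a stand-in for the logging routine the thread refers to but does not show.

```vbscript
Option Explicit
' Added example (not from the thread): one script for every domain in the
' forest. It asks the machine which domain it is joined to and removes only
' that domain's groups from the local Administrators group. The domain names,
' group names and the "USATL" exclusion prefix are illustrative assumptions.

Dim dictGroups
Set dictGroups = CreateObject("Scripting.Dictionary")
dictGroups.CompareMode = vbTextCompare   ' case-insensitive domain keys
' NetBIOS domain name -> groups to strip from local Administrators
dictGroups.Add "LAB1", Array("Domain Admins", "SMS Administrators")
dictGroups.Add "LAB2", Array("USMEC_Domain Administrator", "PC_TECH_USMEC")

' Stand-in for the thread's LogItem routine: timestamped line on stdout.
Sub LogItem(strMsg)
    WScript.Echo Now & "  " & strMsg
End Sub

' NetBIOS name of the domain this computer is joined to, or "" if it cannot
' be determined (workgroup machine, or no domain controller reachable).
' The WinNT provider wants the NetBIOS name in WinNT://<domain>/<group>,
' so DomainShortName is used rather than the DNS domain name.
Function GetMachineDomain()
    Dim objSysInfo
    GetMachineDomain = ""
    On Error Resume Next
    Set objSysInfo = CreateObject("ADSystemInfo")
    GetMachineDomain = UCase(objSysInfo.DomainShortName)
    If Err.Number <> 0 Then GetMachineDomain = ""
    On Error GoTo 0
End Function

' True if strADsPath is currently a direct member of the given local group.
' Checking membership first means Remove is only called for real members,
' and the script never has to GetObject a group in another domain, which
' is the step that hung in the original script.
Function IsGroupMember(objGroup, strADsPath)
    Dim objMember
    IsGroupMember = False
    For Each objMember In objGroup.Members
        If StrComp(objMember.ADsPath, strADsPath, vbTextCompare) = 0 Then
            IsGroupMember = True
            Exit Function
        End If
    Next
End Function

Sub Main()
    Dim objShell, strPrefix, strDomain, strGroup, strADsPath, objLocalGroup

    Set objShell = CreateObject("WScript.Shell")
    ' "USATL" is five characters, so compare five (Left(..., 4) never matches it)
    strPrefix = UCase(Left(objShell.ExpandEnvironmentStrings("%COMPUTERNAME%"), 5))
    If strPrefix = "USATL" Then
        LogItem "Computer name starts with USATL; excluded from cleanup."
        Exit Sub
    End If

    strDomain = GetMachineDomain()
    If strDomain = "" Then
        LogItem "Not domain-joined or domain unknown; nothing to do."
        Exit Sub
    End If
    If Not dictGroups.Exists(strDomain) Then
        LogItem "No cleanup list defined for domain " & strDomain & "; nothing to do."
        Exit Sub
    End If

    Set objLocalGroup = GetObject("WinNT://./Administrators,group")
    For Each strGroup In dictGroups(strDomain)
        strADsPath = "WinNT://" & strDomain & "/" & strGroup
        If IsGroupMember(objLocalGroup, strADsPath) Then
            On Error Resume Next
            objLocalGroup.Remove strADsPath
            If Err.Number <> 0 Then
                LogItem "Failed to remove " & strADsPath & ": " & Err.Description
                Err.Clear
            Else
                LogItem "Removed " & strADsPath & " from local Administrators."
            End If
            On Error GoTo 0
        Else
            LogItem strADsPath & " is not a member of local Administrators; skipped."
        End If
    Next
End Sub

Main
```

Run it with cscript.exe under an account that is a local administrator; LogItem writes to the console, which an SMS package can redirect to a file. Membership is checked by comparing the ADsPath of each current member before Remove is called, so a group that is not present is skipped rather than raising an error, and a machine whose own domain cannot be determined exits without touching the group. Two caveats a practitioner should expect: enumerating Members of the local Administrators group can itself be slow if it contains entries from a trusted domain that is currently unreachable, and the original scripts' Left(..., 4) could never equal the five-character "USATL", so their exclusion never applied; the example compares five characters, upper-cased.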
 

Author Closing Comment
by: Lorrec
ID: 31469955
Thank you for the assistance. I decided to go with one for each domain.