I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it, as it is required by some of the legacy apps, but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in Administrators group, basically making all domain users system administrators (not good).
Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.
I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.
I have attached the snippet of code that is causing the problem...
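' Network object that supplies the computer, domain and user names
Set WshNetwork = CreateObject("WScript.Network")
strComputerName = WshNetwork.ComputerName
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
' Bind to the local Administrators group, the domain group and the current user
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
' Errors are ignored from here until On Error GoTo 0
On Error Resume Next
On Error GoTo 0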
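
One way to make the script skip domain controllers, as an added example that is not part of the original post: it reads `DomainRole` from the WMI class `Win32_ComputerSystem` (4 = backup DC, 5 = primary DC) and only touches the local group on other machines. The function name `IsDomainController` and the constant name are hypothetical, and the `Add` call is assumed to be what the inherited script does at that point.

```vbscript
Option Explicit

' Win32_ComputerSystem.DomainRole: 0/1 = workstation, 2/3 = server,
' 4 = backup domain controller, 5 = primary domain controller
Const ROLE_BACKUP_DC = 4

' Hypothetical helper: True when this machine is a domain controller.
' Fails closed: if the role cannot be read, the machine is treated as a DC
' so the Administrators group is never modified by mistake.
Function IsDomainController()
    Dim objWMI, colSystems, objSystem
    IsDomainController = True
    On Error Resume Next
    Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
    If Err.Number = 0 Then
        Set colSystems = objWMI.ExecQuery("SELECT DomainRole FROM Win32_ComputerSystem")
        If Err.Number = 0 Then
            For Each objSystem In colSystems
                If Not IsNull(objSystem.DomainRole) Then
                    IsDomainController = (objSystem.DomainRole >= ROLE_BACKUP_DC)
                End If
            Next
        End If
    End If
    On Error GoTo 0
End Function

Dim WshNetwork, objLocalGroup, objDomainGroup
Set WshNetwork = CreateObject("WScript.Network")

If IsDomainController() Then
    ' On a DC "Administrators" is the domain's built-in group: leave it alone
Else
    Set objLocalGroup = GetObject("WinNT://" & WshNetwork.ComputerName & "/Administrators,group")
    Set objDomainGroup = GetObject("WinNT://" & WshNetwork.UserDomain & "/Domain Users,group")
    ' Assumed step: add the domain group only when it is not already a member
    On Error Resume Next
    If Not objLocalGroup.IsMember(objDomainGroup.ADsPath) Then
        objLocalGroup.Add objDomainGroup.ADsPath
    End If
    On Error GoTo 0
End If
```

This guard only prevents future additions; if Domain Users has already been added to Administrators on the domain controllers, that membership has to be removed separately.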