Solved

Login script adding domain users to built-in Administrators group on server

Posted on 2008-09-30
3
583 Views
Last Modified: 2013-12-05
I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it as it is required by some of the legacy apps but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in group administrators, basically making all domain users system administrators (not good).

Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.

I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.

I have attached the snippet of code that is causing the problem...
strComputerName = WshNetwork.ComputerName
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0

Open in new window

0
Comment
Question by:excelsupport
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
whsum earned 500 total points
ID: 22603822
Just add;

strComputerName = WshNetwork.ComputerName
if  strComputerName = "<INSERT DC COMPUTERNAME>" then WScript.quit

This just stops the script from running if DC name matches
0
 

Author Comment

by:excelsupport
ID: 22603867
Thanks, that sounds good. A nice and simple solution.

I will try it and see how it works...
0
 

Author Comment

by:excelsupport
ID: 22603963
Thanks seems to be working.

Its pretty obvious now that I see the solution but sometimes you can't see the wood for the trees.

Anyway I have modified the script to skip the code section when it finds a DC name rather than quit altogether as some of the script still needs to be run to update some applications and drive mappings.

For anyone interested code snippet attached...
strComputerName = WshNetwork.ComputerName
Select Case UCase(strComputerName)
Case "DC01"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case "DC02"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case Default
On Error Resume Next
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0
End Select

Open in new window

0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question