Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Login script adding domain users to built-in Administrators group on server

Posted on 2008-09-30
3
Medium Priority
?
588 Views
Last Modified: 2013-12-05
I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it as it is required by some of the legacy apps but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in group administrators, basically making all domain users system administrators (not good).

Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.

I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.

I have attached the snippet of code that is causing the problem...
strComputerName = WshNetwork.ComputerName
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0

Open in new window

0
Comment
Question by:excelsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
whsum earned 1500 total points
ID: 22603822
Just add;

strComputerName = WshNetwork.ComputerName
if  strComputerName = "<INSERT DC COMPUTERNAME>" then WScript.quit

This just stops the script from running if DC name matches
0
 

Author Comment

by:excelsupport
ID: 22603867
Thanks, that sounds good. A nice and simple solution.

I will try it and see how it works...
0
 

Author Comment

by:excelsupport
ID: 22603963
Thanks seems to be working.

Its pretty obvious now that I see the solution but sometimes you can't see the wood for the trees.

Anyway I have modified the script to skip the code section when it finds a DC name rather than quit altogether as some of the script still needs to be run to update some applications and drive mappings.

For anyone interested code snippet attached...
strComputerName = WshNetwork.ComputerName
Select Case UCase(strComputerName)
Case "DC01"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case "DC02"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case Default
On Error Resume Next
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0
End Select

Open in new window

0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question