Solved

Login script adding domain users to built-in Administrators group on server

Posted on 2008-09-30
3
585 Views
Last Modified: 2013-12-05
I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it as it is required by some of the legacy apps but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in group administrators, basically making all domain users system administrators (not good).

Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.

I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.

I have attached the snippet of code that is causing the problem...
strComputerName = WshNetwork.ComputerName
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0

Open in new window

0
Comment
Question by:excelsupport
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
whsum earned 500 total points
ID: 22603822
Just add;

strComputerName = WshNetwork.ComputerName
if  strComputerName = "<INSERT DC COMPUTERNAME>" then WScript.quit

This just stops the script from running if DC name matches
0
 

Author Comment

by:excelsupport
ID: 22603867
Thanks, that sounds good. A nice and simple solution.

I will try it and see how it works...
0
 

Author Comment

by:excelsupport
ID: 22603963
Thanks seems to be working.

Its pretty obvious now that I see the solution but sometimes you can't see the wood for the trees.

Anyway I have modified the script to skip the code section when it finds a DC name rather than quit altogether as some of the script still needs to be run to update some applications and drive mappings.

For anyone interested code snippet attached...
strComputerName = WshNetwork.ComputerName
Select Case UCase(strComputerName)
Case "DC01"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case "DC02"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case Default
On Error Resume Next
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0
End Select

Open in new window

0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question