Solved

Login script adding domain users to built-in Administrators group on server

Posted on 2008-09-30
3
580 Views
Last Modified: 2013-12-05
I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it as it is required by some of the legacy apps but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in group administrators, basically making all domain users system administrators (not good).

Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.

I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.

I have attached the snippet of code that is causing the problem...
strComputerName = WshNetwork.ComputerName

strDomainGroup = "Domain Users"

strNetBIOSDomain = WshNetwork.UserDomain

strUserName = WshNetwork.UserName

strLocalGroup = "Administrators"

Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")

Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")

Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)

On Error Resume Next

wscript.sleep(1000)

objLocalGroup.Add(objDomainGroup.ADsPath)

On Error GoTo 0

Open in new window

0
Comment
Question by:excelsupport
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
whsum earned 500 total points
ID: 22603822
Just add;

strComputerName = WshNetwork.ComputerName
if  strComputerName = "<INSERT DC COMPUTERNAME>" then WScript.quit

This just stops the script from running if DC name matches
0
 

Author Comment

by:excelsupport
ID: 22603867
Thanks, that sounds good. A nice and simple solution.

I will try it and see how it works...
0
 

Author Comment

by:excelsupport
ID: 22603963
Thanks seems to be working.

Its pretty obvious now that I see the solution but sometimes you can't see the wood for the trees.

Anyway I have modified the script to skip the code section when it finds a DC name rather than quit altogether as some of the script still needs to be run to update some applications and drive mappings.

For anyone interested code snippet attached...
strComputerName = WshNetwork.ComputerName

Select Case UCase(strComputerName)

Case "DC01"

On Error Resume Next

'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators

Case "DC02"

On Error Resume Next

'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators

Case Default

On Error Resume Next

strDomainGroup = "Domain Users"

strNetBIOSDomain = WshNetwork.UserDomain

strUserName = WshNetwork.UserName

strLocalGroup = "Administrators"

Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")

Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")

Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)

On Error Resume Next

wscript.sleep(1000)

objLocalGroup.Add(objDomainGroup.ADsPath)

On Error GoTo 0

End Select

Open in new window

0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Remote Apps is a feature in server 2008 which allows users to run applications off Remote Desktop Servers without having to log into them to run the applications.  The user can either have a desktop shortcut installed or go through the web portal to…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now