Solved

Login script adding domain users to built-in Administrators group on server

Posted on 2008-09-30
3
582 Views
Last Modified: 2013-12-05
I have inherited a login script that adds the domain users group to the local admins group on each desktop system. I understand the reasons for it as it is required by some of the legacy apps but when an administrator logs into one of the Domain Controllers the login script is run and then proceeds to add the domain users group to the local or built-in group administrators, basically making all domain users system administrators (not good).

Our primary domain controller is running Win2k Server and our backup domain controller is running Win2k3 Server.

I want to stop this script from running on the domain controllers (can this be done from group policy?) or have the script recognise when it is running on the domain controller and skip adding the domain users to the administrators group.

I have attached the snippet of code that is causing the problem...
strComputerName = WshNetwork.ComputerName
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0

Open in new window

0
Comment
Question by:excelsupport
  • 2
3 Comments
 
LVL 4

Accepted Solution

by:
whsum earned 500 total points
ID: 22603822
Just add;

strComputerName = WshNetwork.ComputerName
if  strComputerName = "<INSERT DC COMPUTERNAME>" then WScript.quit

This just stops the script from running if DC name matches
0
 

Author Comment

by:excelsupport
ID: 22603867
Thanks, that sounds good. A nice and simple solution.

I will try it and see how it works...
0
 

Author Comment

by:excelsupport
ID: 22603963
Thanks seems to be working.

Its pretty obvious now that I see the solution but sometimes you can't see the wood for the trees.

Anyway I have modified the script to skip the code section when it finds a DC name rather than quit altogether as some of the script still needs to be run to update some applications and drive mappings.

For anyone interested code snippet attached...
strComputerName = WshNetwork.ComputerName
Select Case UCase(strComputerName)
Case "DC01"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case "DC02"
On Error Resume Next
'Do not add Domain Users to local administrators account on this computer as that would make all users Administrators
Case Default
On Error Resume Next
strDomainGroup = "Domain Users"
strNetBIOSDomain = WshNetwork.UserDomain
strUserName = WshNetwork.UserName
strLocalGroup = "Administrators"
Set objLocalGroup = GetObject("WinNT://" & strComputerName & "/" & strLocalGroup & ",group")
Set objDomainGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strDomainGroup & ",group")
Set objUserGroup = GetObject("WinNT://" & strNetBIOSDomain & "/" & strUserName)
On Error Resume Next
wscript.sleep(1000)
objLocalGroup.Add(objDomainGroup.ADsPath)
On Error GoTo 0
End Select

Open in new window

0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

785 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question