Solved

Script to add local group

Posted on 2008-10-14
Last Modified: 2010-04-21
I need to add a domain group to the local administrators group of all computers in the domain.  I figured I could use the following command:

net localgroup "Administrators" "domain\groupname" /add

But, for some reason I cannot get this to apply to the computers in the domain.  Does anyone know a vbs or bat script that will allow me to apply this to all computers in the domain?
Question by:frevere
LVL 7

Expert Comment

by:Hubasan
ID: 22713004
In order for me to help you do this right, as I already have a VBScript written for this, I need you to tell me a couple of things so that we do this the safe way.

1) Are you going to add this domain group to local admin group of ALL domain computers, including the servers? Or are you going to add this Domain Group to local administrators group of Workstations ONLY?
2) If question number 1 is workstations only, then what OS are those workstations running and what service pack?


0
 
LVL 2

Author Comment

by:frevere
ID: 22713186
Thanks Hubasan.  To answer your questions:  1) I will be adding this domain group to ALL computers in the domain.  At this point a check of the OS is really not needed but we are running Server 2003 SP2 and all workstations are XP SP2.
0
 
LVL 2

Author Comment

by:frevere
ID: 22713267
What is odd and maybe you can help is that I researched this issue and have been trying to use WMI to make the changes but I get a ReturnValue=9, and I do not know what object is invalid.
0
 
LVL 7

Accepted Solution

by:
Hubasan earned 500 total points
ID: 22713549
Ok, here is the script, but please read this through to the end so that you know how to apply it successfully.

Here is how this script works:
1) Script will use ROOTDSE to get your domain name and connect to its Directory
2) Will scan every single computer in your domain, ping it for availability and, if available, add the domain group of your choosing to the Local Admin group of that PC.
3) It will create 3 different log files in the same folder you execute the script from, with the following names
a) Results.log
b) PCsNotOnline.log
c) PCsDontExist.log

The first log file will contain computer names of the PCs where the domain group was added to the local admin group.
The second will give you computer names of PCs that were not ONLINE at the time the script ran.
The third will give you computer names that your DOMAIN still has but are not IN DNS anymore (Very common occurrence in large corporations like my own.) This simply means those computers don't exist on your domain anymore.
4) Since you are running this script for the first time in your Domain, I have placed a safety mechanism that will prompt you "Do you want to continue?" after EACH computer that was processed.
You can remove this safety by deleting the following lines:

==============================================================================
  sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
  If sRes = vbno Then
        oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
        WScript.Quit
  End If
===============================================================================

I would URGE you to leave it in place, and process one computer at a time for now just to see how it works, and then connect to that PC and make sure that the Domain Group was added to the Local Admin group as was intended. Then, when you see that a couple of them work fine, you can remove the safety and just run the script without it.

In the script code you HAVE TO change a variable called sDomainGroup  to reflect your domain group that you wish to add to Local Admin group of your PC's.

That's about it.

If you have any questions please feel free to ask.

On Error Resume Next
 
Const ADS_SCOPE_SUBTREE = 2
 
Const cTitle = "Add Domain group to Local group of All AD Computers"
 
Set oNet = CreateObject("wscript.network")
Set oWS = CreateObject("wscript.shell")
Set oFS = Createobject("Scripting.FileSystemobject")
 
sScriptName = WScript.ScriptName
sScriptPath = WScript.ScriptFullName
sLog = Replace(sScriptName, ".vbs", ".log")
sLogFile = Replace(sScriptPath, sScriptName, "Results.log")
sPCsNotOnline = Replace(sScriptPath, sScriptName, "PCsNotOnline.log")
sPCsDontExist = Replace(sScriptPath, sScriptName, "PCsDontExist.log")
 
Set oLogFile = oFS.CreateTextFile(sLogFile, True)
Set oPCsNotOnline = oFS.CreateTextFile(sPCsNotOnline, True)
Set oPCsDontExist = oFS.CreateTextFile(sPCsDontExist, True)
 
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators" ' I presume you want to use Local Admin group, if not change this as well.
 
Set oRootDSE = GetObject("LDAP://rootDSE")
sADsPath = "LDAP://" & oRootDSE.Get("defaultNamingContext")
Set oDomain = GetObject(sADsPath)
 
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Open "Provider=ADsDSOObject;"
 
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.CommandText = _
    "Select Name, Location, operatingSystemVersion from " & _
        "'" & sADsPath & "' where objectClass='computer'"
oCommand.Properties("Page Size") = 5000
oCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
Set oRecordSet = oCommand.Execute
 
 
oRecordSet.MoveFirst
 
Do Until oRecordSet.EOF
	sComputer = oRecordSet.Fields("Name").Value
	sComputer = UCase(sComputer)
	sIsOnline = Ping(sComputer)
 
	If IsNull(sIsOnline) Then
		oPCsDontExist.WriteLine sComputer
	ElseIf sIsOnline = 11010 Then
		oPCsNotOnline.WriteLine sComputer
	ElseIf sIsOnline = 0 Then
	
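		' On Error Resume Next is in effect, so a failed bind or a failed Add
		' would otherwise go unnoticed. Clear Err first and write the computer
		' to Results.log only when every step below succeeded.
		Err.Clear
		Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
		Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		
		oLocalGroup.Add(oDomainGroup.AdsPath)
		If Err.Number = 0 Then oLogFile.WriteLine sComputer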
  End If
  
  sRes = oWS.Popup("Computer: " & sComputer & " was processed last, do you want to continue?", , cTitle, vbYesNo+vbInformation)
  If sRes = vbno Then
  	oWS.Popup "User canceled script, Exiting!", , cTitle, vbInformation
  	WScript.Quit
  End If
  
  oRecordSet.MoveNext
Loop
 
 
 
 
Function Ping(sComputer)
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colPings = objWMIService.ExecQuery _
    ("Select * From Win32_PingStatus where Address = '" & sComputer & "'")
 
For Each objStatus in colPings
	Ping = objStatus.StatusCode
Next
 
'StatusCode
'    Data type: uint32
'    Access type: Read-only
 
'    Ping command status codes.
'    Value 	Meaning
 
'    0    Success
'    Null			Could not find host
'    11001    Buffer Too Small
'    11002    Destination Net Unreachable
'    11003    Destination Host Unreachable
'    11004    Destination Protocol Unreachable
'    11005    Destination Port Unreachable
'    11006    No Resources
'    11007    Bad Option
'    11008    Hardware Error
'    11009    Packet Too Big
'    11010    Request Timed Out
'    11011    Bad Request
'    11012    Bad Route
'    11013    TimeToLive Expired Transit
'    11014    TimeToLive Expired Reassembly
'    11015    Parameter Problem
'    11016    Source Quench
'    11017    Option Too Big
'    11018    Bad Destination
'    11032    Negotiating IPSEC
'    11050    General Failure
End Function


0
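
The check recommended in the answer above (connect to a processed PC and confirm the domain group is in the local admin group) can itself be scripted. This is an added example, not part of the original answer: it reads the computer names from Results.log and, through the same WinNT provider, reports whether the domain group is present along with every current member of the local group. The output file name Verify.log, the function name CheckComputer and running from the folder that holds Results.log are assumptions.

```vbscript
' Added example, not part of the original answer.
Option Explicit
Const ForReading = 1

Dim oFS, oNet, oList, oReport, sDomain, sDomainGroup, sLocalGroup, sLine

Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("WScript.Network")

sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"   ' same value as in the script above
sLocalGroup = "Administrators"

' Assumption: run from the folder that holds Results.log; Verify.log is a made-up name.
Set oList = oFS.OpenTextFile("Results.log", ForReading)
Set oReport = oFS.CreateTextFile("Verify.log", True)

Do Until oList.AtEndOfStream
    sLine = Trim(oList.ReadLine)
    If sLine <> "" Then oReport.WriteLine CheckComputer(sLine)
Loop
oList.Close
oReport.Close

' Returns one tab-separated report line: computer, status, current members.
Function CheckComputer(sComputer)
    Dim oLocalGroup, oMember, sExpected, sStatus, sMembers
    sExpected = "WinNT://" & sDomain & "/" & sDomainGroup
    sStatus = "MISSING"

    On Error Resume Next   ' scoped to this function; any failure is reported below
    Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
    If Err.Number = 0 Then
        ' Enumerate every member so unexpected local administrators show up too.
        For Each oMember In oLocalGroup.Members
            If StrComp(oMember.AdsPath, sExpected, vbTextCompare) = 0 Then sStatus = "PRESENT"
            sMembers = sMembers & " " & oMember.AdsPath
        Next
    End If
    If Err.Number <> 0 Then sStatus = "CHECK FAILED 0x" & Hex(Err.Number)
    On Error GoTo 0

    CheckComputer = sComputer & vbTab & sStatus & vbTab & "members:" & sMembers
End Function
```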
 
LVL 7

Expert Comment

by:Hubasan
ID: 22713702
Hi frevere,

This script that I wrote for you is not using WMI since I also had some issues with it. Here I'm simply using ROOTDSE for domain, ADODB for connection, and WinNT provider instead of WMI to add Domain Group to Local computer's group.
Adding of the actual Domain Group to Local Group is basically three lines, but there is a lot of support code to facilitate processing ALL DOMAIN computers, pinging them, proper information flow and logging.
It's really not that complicated at all once you know exactly what you want. So if you want to change anything and are not sure how, don't hesitate to ask. That's why we are here. :-)
0
 
LVL 2

Author Comment

by:frevere
ID: 22713803
Before running this against all computers in the domain, I would like to run this script against a couple of test servers and workstations.  How do I specify a specific machinename or OU?
0
 
LVL 2

Author Comment

by:frevere
ID: 22713879
In fact, I should ask is there a way for your script to read a txt file with the test computers listed and then run the process against only those computers?
0
 
LVL 7

Expert Comment

by:Hubasan
ID: 22713956
You can specify a computer name in the following line:

sComputer = oRecordSet.Fields("Name").Value

Instead of oRecordSet.Fields("Name").Value, just put under double quotes the computer you want to connect to, like this:

sComputer = "MyServer01"

The script doesn't require you to specify the OU since it connects to the ROOT of your domain, which means that it will find all computer objects that are within 2 sub levels of the root.
0
 
LVL 2

Author Closing Comment

by:frevere
ID: 31505879
Great script.....thanks.   Added the group with no problems.
0
 
LVL 7

Expert Comment

by:Hubasan
ID: 22714856
No problem, glad to help.

If you still want to read computer names from the Text file and then work on only those computers, you can use the following code:

This would be just a basic script to add the Domain Group to the Local group on each of the computers that are in the text file, instead of probing your Domain for computer names.

Just again change sDomainGroup and the path to your txt file that contains Computer Names

Const ForReading = 1
 
Set oFS = CreateObject("Scripting.FileSystemObject")
Set oNet = CreateObject("wscript.network")
 
sDomain = oNet.UserDomain
sDomainGroup = "Put your Domain Group here"
sLocalGroup = "Administrators"
 
Set oTextFile = oFS.OpenTextFile("C:\PathToYourTextFileWithComputerNames.txt", ForReading)
 
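Do While oTextFile.AtEndOfStream <> True
	' Trim whitespace and skip blank lines so an empty line in the file
	' does not produce an invalid WinNT:// path and stop the script.
	sComputer = Trim(oTextFile.ReadLine)
	
	If sComputer <> "" Then
		Set oDomainGroup = GetObject("WinNT://" & sDomain & "/" & sDomainGroup & ",group")
		Set oLocalGroup = GetObject("WinNT://" & sComputer & "/" & sLocalGroup & ",group")
		
		oLocalGroup.Add(oDomainGroup.AdsPath)
	End If
 
Loop

oTextFile.Close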
