ndavisAA
asked on
VB Script to add computer account to local group
I am trying to add a domain computer account to the local administrators group. When I run this script I get the error "A member could not be added to or removed from the local group because the member does not exist"
I know I am getting the computer object because If i do a msgbox objcomputer.adsPath I get a result. Can anyone help me out.
I know I am getting the computer object because If i do a msgbox objcomputer.adsPath I get a result. Can anyone help me out.
set wshnetwork = CreateObject("Wscript.Network")
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators"
Set objGroup = GetObject("WinNT://" & Computer & "/Administrators,group")
Set objComputer = GetObject("WinNT://" & strDomain & "/" & "mlsintallcmcs" & ",computer")
objGroup.Add(objComputer.ADsPath)
ASKER
sirbounty, Well its cleaner, but I still get the same error 'A member could not...".
mlsintallcmcs is the "domain computer account" that I need to add to the local admin group of every computer. I can't say I really like much about that, but its what the guy at microsoft said to do... Whatever...
mlsintallcmcs is the "domain computer account" that I need to add to the local admin group of every computer. I can't say I really like much about that, but its what the guy at microsoft said to do... Whatever...
What do you mean by domain 'computer' account?
The computer's Admin account?
The computer's Admin account?
ASKER
No, that would make sence.
I was on the phone with the guy from microsoft today and he confirmed that we were not adding the service account. We are adding the computer account ("mlsintallcmcs") to the local admin of every computer on the domain. That make absolutely no sense to me, but if thats what they are saying... I will add the computer account until we see if it works or not. And yes making the computer a domain admin would work too, but they advised against that. *shrug*
I was on the phone with the guy from microsoft today and he confirmed that we were not adding the service account. We are adding the computer account ("mlsintallcmcs") to the local admin of every computer on the domain. That make absolutely no sense to me, but if thats what they are saying... I will add the computer account until we see if it works or not. And yes making the computer a domain admin would work too, but they advised against that. *shrug*
I've been doing this for many years - Microsoft MVP for the past 2...unless I'm not putting 2 and 2 together for some strange reason, it makes no sense to me either. You see - there are domain user accounts, and other domain objects - even computer objects - in Active Directory, but I've not heard of adding a computer object (technically not an account) to any kind of group (OU maybe...)...
What about trying it manually as a test - either we'll both learn something, or we'll find the MS tech has too many open cases and maybe needs a bit more sleep at night. :^)
What about trying it manually as a test - either we'll both learn something, or we'll find the MS tech has too many open cases and maybe needs a bit more sleep at night. :^)
ASKER
I have only been in the IT world for 6 years and have never had to add a computer to the local admins. It just doesn't make any sense. It is for configuration manager. I am guessing that maybe it runs as the 'local system' account and giving that computer admin rights on other machines will allow configuration manager to do what it needs to do... *shrug*
But anyway, any luck on the code?
But anyway, any luck on the code?
I can't devise any code for something that won't work...have you tried adding the computer account manually? If that can be accomplished, then it's probably scriptable, but no sense in trying to devise a script for something that can't be done...
ASKER
Yeah, i can add the computer account to the local admins manually. So now we just need to figure out how to script it. Also they tried to push the conf manager client to my machine, and that worked. So maybe this will work.
(Note: there was some editing to below but only to hide the other accounts that are local admins.)
H:\>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/dom
Members
--------------------------
CORPORATE\Domain Admins
CORPORATE\MLSINTALLCMCS$
The command completed successfully.
(Note: there was some editing to below but only to hide the other accounts that are local admins.)
H:\>net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/dom
Members
--------------------------
CORPORATE\Domain Admins
CORPORATE\MLSINTALLCMCS$
The command completed successfully.
In that case, I believe you'll have to use the LDAP provider, not WinNT...
Something like the following - although not entirely correct - you'll need to confirm the object reference to that object:
Something like the following - although not entirely correct - you'll need to confirm the object reference to that object:
set wshnetwork = CreateObject("Wscript.Network")
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators"
strPCAcct = "LDAP://CN=mlsinstallcmcs,dc=corporate,dc=com"
Set objGroup = GetObject("WinNT://" & Computer & "/" & strGroup)
Set objComputer = GetObject(strPCAcct)
objGroup.Add(objComputer.ADsPath)
ASKER
Well I got a new error.
Now I am getting 'An Invalid Directory pathname was passed.'
I dumped a quick msgbox objComputer.ADsPath into the code to check to make sure I got the computer object, and I did.
Now I am getting 'An Invalid Directory pathname was passed.'
I dumped a quick msgbox objComputer.ADsPath into the code to check to make sure I got the computer object, and I did.
set wshnetwork = CreateObject("Wscript.Network")
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators"
strPCAcct = "LDAP://CN=MLSINTALLCMCS,CN=Computers,DC=CORPORATE,DC=GHRSYS,DC=AD"
Set objGroup = GetObject("WinNT://" & Computer & "/" & strGroup)
Set objComputer = GetObject(strPCAcct)
msgbox objComputer.ADsPath 'Returns the LDAP Path, so it worked
objGroup.Add(objComputer.ADsPath)
Finally got to a point to test this and I can't even do it manually... : \
I did notice one showing above has a $ on the end, the other does not - could that be a problem?
Otherwise, what if you try it from the commandline:
net localgroup administrators /add MLSInstallCMCs.Corporate.g
any luck there?
I did notice one showing above has a $ on the end, the other does not - could that be a problem?
Otherwise, what if you try it from the commandline:
net localgroup administrators /add MLSInstallCMCs.Corporate.g
any luck there?
ASKER
The $ is part of the SAMID of the computer object. I am not exactly sure if that is a problem or not...
Yes i can do a net local..... that does work. But i don't know how to write a batch file and have it run on every computer. The login script will... at best, kinda work. Any thoughts?
Yes i can do a net local..... that does work. But i don't know how to write a batch file and have it run on every computer. The login script will... at best, kinda work. Any thoughts?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
is that something expers-exchange is doing... I don't recognize the %% command. What does it do?
%%a (percent-percent 'a') is the placeholder variable for each loop pass (equivalent to each computer name...)
ASKER
Well it wasn't exactly what I was looking for, but the bat file still worked. Thanks for the help. BTW it looks like adding the computer account is working, Who knew...
What was the original problem? Just curious...never heard of that - nor of it being a resolution for anything, obviously...
ASKER
We are installing configuration manager. We needed some help getting configuration manager installed/operational so we callled microsoft. That is what we were told to do.
Try this version:
Open in new window