Solved

VB Script to add computer account to local group

Posted on 2008-11-03
Last Modified: 2012-06-27
I am trying to add a domain computer account to the local administrators group.  When I run this script I get the error "A member could not be added to or removed from the local group because the member does not exist"  

I know I am getting the computer object because if I do a msgbox objcomputer.adsPath I get a result.  Can anyone help me out?

set wshnetwork = CreateObject("Wscript.Network")
 
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators" 
 
Set objGroup = GetObject("WinNT://" & Computer & "/Administrators,group") 
Set objComputer = GetObject("WinNT://" & strDomain & "/" & "mlsintallcmcs" & ",computer") 
objGroup.Add(objComputer.ADsPath)

0
Question by:ndavisAA
 
LVL 67

Expert Comment

by:sirbounty
ID: 22870761
Is mlsintallcmcs a domain account?

Try this version:
set wshnetwork = CreateObject("Wscript.Network")
 
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators" 
 
Set objGroup = GetObject("WinNT://" & Computer & "/" & strGroup) 
Set objComputer = GetObject("WinNT://" & strDomain & "/" & "mlsintallcmcs") 
objGroup.Add(objComputer.ADsPath)

0
 

Author Comment

by:ndavisAA
ID: 22871403
sirbounty,  Well it's cleaner, but I still get the same error 'A member could not...'.

mlsintallcmcs is the "domain computer account" that I need to add to the local admin group of every computer.  I can't say I really like much about that, but it's what the guy at Microsoft said to do... Whatever...
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22871827
What do you mean by domain 'computer' account?
The computer's Admin account?
0

 

Author Comment

by:ndavisAA
ID: 22873371
No, that would make sense.

I was on the phone with the guy from Microsoft today and he confirmed that we were not adding the service account.  We are adding the computer account ("mlsintallcmcs") to the local admin of every computer on the domain.  That makes absolutely no sense to me, but if that's what they are saying... I will add the computer account until we see if it works or not.  And yes making the computer a domain admin would work too, but they advised against that.  *shrug*
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22873470
I've been doing this for many years - Microsoft MVP for the past 2...unless I'm not putting 2 and 2 together for some strange reason, it makes no sense to me either.  You see - there are domain user accounts, and other domain objects - even computer objects - in Active Directory, but I've not heard of adding a computer object (technically not an account) to any kind of group (OU maybe...)...

What about trying it manually as a test - either we'll both learn something, or we'll find the MS tech has too many open cases and maybe needs a bit more sleep at night. :^)
0
 

Author Comment

by:ndavisAA
ID: 22876613
I have only been in the IT world for 6 years and have never had to add a computer to the local admins.  It just doesn't make any sense. It is for configuration manager.  I am guessing that maybe it runs as the 'local system' account and giving that computer admin rights on other machines will allow configuration manager to do what it needs to do...  *shrug*

But anyway, any luck on the code?  
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22876836
I can't devise any code for something that won't work...have you tried adding the computer account manually?  If that can be accomplished, then it's  probably scriptable, but no sense in trying to devise a script for something that can't be done...
0
 

Author Comment

by:ndavisAA
ID: 22877171
Yeah, I can add the computer account to the local admins manually.  So now we just need to figure out how to script it.  Also they tried to push the conf manager client to my machine, and that worked.  So maybe this will work.

(Note: there was some editing to below but only to hide the other accounts that are local admins.)
H:\>net localgroup  administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/dom

Members
-------------------------------------------------------------------------------
CORPORATE\Domain Admins
CORPORATE\MLSINTALLCMCS$
The command completed successfully.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22879580
In that case, I believe you'll have to use the LDAP provider, not WinNT...
Something like the following - although not entirely correct - you'll need to confirm the object reference to that object:
set wshnetwork = CreateObject("Wscript.Network")
 
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators" 
strPCAcct = "LDAP://CN=mlsinstallcmcs,dc=corporate,dc=com" 
Set objGroup = GetObject("WinNT://" & Computer & "/" & strGroup) 
Set objComputer = GetObject(strPCAcct) 
objGroup.Add(objComputer.ADsPath)

0
 

Author Comment

by:ndavisAA
ID: 22879913
Well I got a new error.

Now I am getting 'An Invalid Directory pathname was passed.'

I dumped a quick msgbox objComputer.ADsPath  into the code to check to make sure I got the computer object, and I did.  
set wshnetwork = CreateObject("Wscript.Network")
 
computer = wshnetwork.Computername
strDomain = wshnetwork.UserDomain
strGroup = "Administrators" 
strPCAcct = "LDAP://CN=MLSINTALLCMCS,CN=Computers,DC=CORPORATE,DC=GHRSYS,DC=AD" 
Set objGroup = GetObject("WinNT://" & Computer & "/" & strGroup) 
Set objComputer = GetObject(strPCAcct) 
msgbox objComputer.ADsPath 'Returns the LDAP Path, so it worked
objGroup.Add(objComputer.ADsPath)

0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22879957
Finally got to a point to test this and I can't even do it manually... : \
I did notice one showing above has a $ on the end, the other does not - could that be a problem?

Otherwise, what if you try it from the commandline:

net localgroup administrators /add MLSInstallCMCs.Corporate.ghrsys.ad

any luck there?
0
 

Author Comment

by:ndavisAA
ID: 22880004
The $ is part of the SAMID of the computer object.  I am not exactly sure if that is a problem or not...  

Yes, I can do a net local..... that does work.  But I don't know how to write a batch file and have it run on every computer.  The login script will... at best, kinda work. Any thoughts?
0
 
LVL 67

Accepted Solution

by:
sirbounty earned 1000 total points
ID: 22880048
Hmmm - maybe something like this (with psexec - from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx)


for /f %%a in (c:\computers.txt) do (
  psexec \\%%a net localgroup administrators /add MLSInstallCMCs.Corporate.ghrsys.ad
)


Run that from a command station with an Admin account - populate computers.txt with the PCs to change...
0
 

Author Comment

by:ndavisAA
ID: 22880148
Is that something experts-exchange is doing... I don't recognize the %% command.  What does it do?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22880192
%%a (percent-percent 'a') is the placeholder variable for each loop pass (equivalent to each computer name...)
0
 

Author Closing Comment

by:ndavisAA
ID: 31512847
Well it wasn't exactly what I was looking for, but the bat file still worked.  Thanks for the help.  BTW it looks like adding the computer account is working, Who knew...
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 22890786
What was the original problem?  Just curious...never heard of that - nor of it being a resolution for anything, obviously...
0
 

Author Comment

by:ndavisAA
ID: 22897345
We are installing configuration manager.  We needed some help getting configuration manager installed/operational so we called Microsoft.  That is what we were told to do.
0
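
An added example, not code posted by anyone in this thread: a VBScript that adds the computer account through the WinNT provider by its SAM account name, including the trailing "$" shown in the net localgroup output above, and skips the add if the account is already a member. The domain CORPORATE and the account MLSINTALLCMCS$ are taken from that output and are assumptions for any other environment.

```vbscript
Option Explicit

' Assumed values, copied from the net localgroup output in the thread:
' CORPORATE is the NetBIOS domain name, MLSINTALLCMCS$ the computer's SAM account name.
Const TARGET_DOMAIN = "CORPORATE"
Const TARGET_ACCOUNT = "MLSINTALLCMCS$"
Const LOCAL_GROUP = "Administrators"

Dim objNetwork, objGroup, objMember, strMemberPath

Set objNetwork = CreateObject("WScript.Network")

' Bind to the local group; the ",group" class hint avoids ambiguity with a same-named user.
Set objGroup = GetObject("WinNT://" & objNetwork.ComputerName & "/" & LOCAL_GROUP & ",group")

' The WinNT provider addresses a computer account by its SAM name, trailing "$" included.
' An LDAP:// path cannot be passed to a WinNT group's Add method.
strMemberPath = "WinNT://" & TARGET_DOMAIN & "/" & TARGET_ACCOUNT

If objGroup.IsMember(strMemberPath) Then
    WScript.Echo TARGET_ACCOUNT & " is already a member of " & LOCAL_GROUP
Else
    On Error Resume Next
    objGroup.Add strMemberPath
    If Err.Number <> 0 Then
        WScript.Echo "Add failed: 0x" & Hex(Err.Number) & " " & Err.Description
        WScript.Quit 1
    End If
    On Error GoTo 0
    WScript.Echo "Added " & strMemberPath & " to " & LOCAL_GROUP
End If

' List the resulting membership so the change can be reviewed and logged.
For Each objMember In objGroup.Members
    WScript.Echo "  " & objMember.ADsPath
Next
```

Run it with cscript from an elevated prompt; the membership listing at the end gives a record of every principal holding local administrator rights on that machine.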
