Solved

Need a script to add users to Domain Administrators

Posted on 2009-05-19
Last Modified: 2012-05-07
I am very new to VBS and find myself fumbling around trying to add users to the Domain Administrators group via a login script. I need to run a reg file and register a .dll and on our network this requires administrator privileges. I have searched here and a few other places and found good information, but it's not been specific enough for my limited knowledge.
So any help would be appreciated.
We run a Windows 2008 domain, users are on Windows XP Pro.
Question by:error131
LVL 3

Expert Comment

by:Cameron_S
ID: 24426994
What are the criteria? Do you want to type in a name? All users that have the specified login script are admins? All accounts within a specific OU? It probably would not be a good idea to make everyone a DA in a production network, but if it is a small private network that seems logical.

Generally you want to save login scripts for repeatable things - mapping network drives, reporting system information, etc etc. Not so much for setting permissions, which are hopefully a one-time shot.

0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24427158
What does the REG file do?  Does this need to be entered into the current user registry profile?

You could create a scheduled task that runs when the user logs on and have it run as the admin account, have it run a BAT file (or VBS), call it somefile.bat with:

REG IMPORT "somefile.reg"
REGSVR32 "somefile.dll"

And you could create the task remotely using SCHTASKS, like:

SCHTASKS /Create /F /S <computername> /U Administrator /P password /RU Administrator /RP password /SC ONLOGON /TN test /TR c:\somefile.bat

(Run "SCHTASKS /Create /?" to see what all this means)

Might need to do some experimenting but it should get the job done.  I don't know if it will add the REG file to the current user registry though.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24427645
Hmmm, perhaps a better option than elevating every user's privileges would be to run a StartUp script to import a registry file and register a DLL.

StartUp scripts run under the local computer SYSTEM account, where Logon scripts run under the security context of the user logging in, and so are usually limited.

StartUp scripts are, however, limited in their network access, in that they can only access files in the NetLogon share of your domain controllers.  But this is usually not a problem, as long as you place your required files somewhere in that folder.

So, if you assign, say, the following script as a StartUp script, it should run the registry import, and register the DLL.  This will only work though, if the registry keys you're changing are HKEY_LOCAL_MACHINE keys.  If they are HKEY_CURRENT_USER keys, then those will not import to the target user.....so hopefully you're using HKEY_LOCAL_MACHINE keys....

Regards,

Rob.
Set objShell = CreateObject("WScript.Shell")
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
' Set your registry file location here
strRegFile = strLogonServer & "\NetLogon\RegistryKeys.reg"
' Build the command that will be used to import the registry file
strCommand = "regedit /s """ & strRegFile & """"
' Run the command
objShell.Run strCommand, 0, True
' Set your dll path here
strDLLFile = "C:\Program Files\MyProgram\MyDLL.dll"
' Build the command that will be used to register the DLL file
strCommand = "regsvr32 /s """ & strDLLFile & """"
' Run the command
objShell.Run strCommand, 0, True


0
 

Author Comment

by:error131
ID: 24431700
The registry change is editing the HKCU. So I guess I am out of luck there. The reason for trying to do this via a login/startup script is because we have over 300 machines to be updated and I didn't really want to go to every machine to do it. After the update I want to change the security back. I can do this manually of course but if I can find a way to do it programmatically it would help me greatly as this is just one of the many changes that are going to be happening over the next few months.
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24431946
You could create a start-up script that adds the Domain Users group to the local Administrators group of each PC.  This would only allow all users full access to their own and each other's PCs but not servers and such.  Once the changes have been made you could create another script that removes it.  Much safer than adding to Domain Admins but still vulnerable.

0
 

Author Comment

by:error131
ID: 24432065
I've seen a few scripts that say something about adding to a local admin group, do you have any recommendations on how to go about that?
0
 
LVL 3

Accepted Solution

by:
Popeyediceclay earned 250 total points
ID: 24432097
This looks like it could work:
'VBScript to Add an Active Directory Global Group to a Local Group on a Computer
'
'Example: Add an Active Directory General Desktop Administrator Group to the Local
'         Administrator Group. This can be used to provide Local Administrator rights
'         to AD Users.
'
'MyDomain is in the form e.g. Menkaura.com
'GlobalGroup is in the form e.g. Local Desktop Administrator User Rights
'
'Provided by http://www.Menkaura.com/Forum/index.php
'Visit us to see what else we have on offer.
 
 
Option Explicit
On Error Resume Next
 
'Define Variables
Dim Mydomain
Dim GlobalGroup
Dim oDomainGroup
Dim oLocalAdmGroup
Dim oNet
Dim sComputer
 
Set oNet = WScript.CreateObject("WScript.Network")
sComputer = oNet.ComputerName
 
 
MyDomain = "Place Your Domain Name Here"
GlobalGroup = "Local Desktop Administrator User Rights"
 
Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
 
oLocalAdmGroup.Add(oDomainGroup.AdsPath)
 
 
'Release object references
'(MyDomain, GlobalGroup and sComputer hold strings, so they are not Set to Nothing)
Set oDomainGroup = Nothing
Set oLocalAdmGroup = Nothing
Set oNet = Nothing


0
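
The cleanup step this thread mentions (removing the group again once the update has been rolled out), as an added example that is not part of any poster's answer. It assumes the same placeholder group name as the script above and is meant to run as a StartUp script; it removes the group from the local Administrators group, then writes the remaining members to the Application event log so leftover admin rights can be audited.

```vbscript
' Added example, not from the thread. Run as a StartUp script (SYSTEM context).
Option Explicit

' Assumption: same placeholder group name as used in the add script above
Const GLOBAL_GROUP = "Local Desktop Administrator User Rights"
Const EVENT_SUCCESS = 0
Const EVENT_WARNING = 2

Dim oNet, oShell, oLocalAdmGroup, oMember
Dim sComputer, sTargetPath, sReport

Set oNet = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")
sComputer = oNet.ComputerName
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

' Find the entry first; do not modify the group while enumerating it
sTargetPath = ""
For Each oMember In oLocalAdmGroup.Members
    If LCase(oMember.Class) = "group" And LCase(oMember.Name) = LCase(GLOBAL_GROUP) Then
        sTargetPath = oMember.ADsPath
    End If
Next

' Remove the group if it is present; a missing entry is not an error
If sTargetPath <> "" Then
    On Error Resume Next
    oLocalAdmGroup.Remove sTargetPath
    If Err.Number <> 0 Then
        oShell.LogEvent EVENT_WARNING, "Could not remove " & sTargetPath & _
            " from local Administrators on " & sComputer & ": 0x" & Hex(Err.Number)
        WScript.Quit 1
    End If
    On Error GoTo 0
End If

' Record what is left so unexpected members show up in the event log
sReport = ""
For Each oMember In oLocalAdmGroup.Members
    sReport = sReport & vbCrLf & "  " & oMember.ADsPath
Next
oShell.LogEvent EVENT_SUCCESS, "Local Administrators on " & sComputer & _
    " after cleanup:" & sReport
```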
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24432127
And the Scripting Guy always has some good methods:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
0
 

Author Comment

by:error131
ID: 24432258
I'll try it and get back to you. ASAP.
0
 
LVL 65

Assisted Solution

by:RobSampson
RobSampson earned 250 total points
ID: 24437493
You would expect though, that if your keys are HKCU, then they have permissions to edit those keys, but may still not be able to run Regedit (to import registry keys).  I have found on some of my locked down machines that even though you cannot Regedit, you *can* use the RegWrite method of the WScript.Shell object:

Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite "HKCU\Software\Acme", "MyValue", "REG_SZ"

Reference:
http://msdn.microsoft.com/en-us/library/yfdfhz1b.aspx

So, what I'm thinking is that you can use a StartUp to register the DLL, that should work fine, but then also use a Login script, utilising the RegWrite method to create your values.

Regards,

Rob.
0
 

Author Closing Comment

by:error131
ID: 31583261
Both "RobSampson" and "Popeyediceclay"'s answers worked for me; ultimately I added the .dll via a startup script and then added the HKCU changes via a login script, but the script to add a group to the local administrators group worked as well.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24446626
Great. Glad we could help.  Thanks for the grade.

Regards,

Rob.
0
