Solved

Need a script to add users to Domain Administrators

Posted on 2009-05-19
772 Views
Last Modified: 2012-05-07
I am very new to VBS and find myself fumbling around trying to add users to the Domain Administrators group via a login script. I need to run a reg file and register a .dll and on our network this requires administrator privileges. I have searched here and a few other places and found good information, but it's not been specific enough for my limited knowledge.
So any help would be appreciated.
We run a Windows 2008 domain, users are on Windows XP Pro.
Question by:error131
12 Comments
 
LVL 3

Expert Comment

by:Cameron_S
What is the criteria? Do you want to type in a name? All users that have the specified login script are admins? All accounts within a specific OU? It probably would not be a good idea to make everyone a DA in a production network, but if it is a small private network that seems logical.

Generally you want to save login scripts for repeatable things - mapping network drives, reporting system information, etc etc. Not so much for setting permissions, which are hopefully a one-time shot.

 
LVL 3

Expert Comment

by:Popeyediceclay
What does the REG file do?  Does this need to be entered into the current user registry profile?

You could create a scheduled task that runs when the user logs on and have it run as the admin account, have it run a BAT file (or VBS), call it somefile.bat with:

REG /IMPORT "somefile.reg"
REGSVR32 "somefile.dll"

And you could create the task remotely using SCHTASKS, like:

SCHTASKS /Create /F /S <computername> /U Administrator /P password /RU Administrator /RP password /SC ONLOGON /TN test /TR c:\somefile.bat

(Run "SCHTASKS /CREATE ?" to see what all this means)

Might need to do some experimenting but it should get the job done.  I don't know if it will add the REG file to the current user registry though.
 
LVL 65

Expert Comment

by:RobSampson
Hmmm, perhaps a better option than elevating every user's privileges would be to run a StartUp script to import a registry file and register a DLL.

StartUp scripts run under the local computer SYSTEM account, where Logon scripts run under the security context of the user logging in, and so are usually limited.

StartUp scripts are, however, limited in their network access, in that they can only access files in the NetLogon share of your domain controllers.  But this is usually not a problem, as long as you place your required files somewhere in that folder.

So, if you assign, say, the following script as a StartUp script, it should run the registry import and register the DLL.  This will only work, though, if the registry keys you're changing are HKEY_LOCAL_MACHINE keys.  If they are HKEY_CURRENT_USER keys, then those will not import to the target user... so hopefully you're using HKEY_LOCAL_MACHINE keys.

Regards,

Rob.
Set objShell = CreateObject("WScript.Shell")

strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")

' Set your registry file location here
strRegFile = strLogonServer & "\NetLogon\RegistryKeys.reg"

' Build the command that will be used to import the registry file
strCommand = "regedit /s """ & strRegFile & """"

' Run the command
objShell.Run strCommand, 0, True

' Set your dll path here
strDLLFile = "C:\Program Files\MyProgram\MyDLL.dll"

' Build the command that will be used to register the DLL file
strCommand = "regsvr32 /s """ & strDLLFile & """"

' Run the command
objShell.Run strCommand, 0, True

 

Author Comment

by:error131
The registry change is editing the HKCU. So I guess I am out of luck there. The reason for trying to do this via a login/startup script is because we have over 300 machines to be updated and I didn't really want to go to every machine to do it. After the update I want to change the security back. I can do this manually of course, but if I can find a way to do it programmatically it would help me greatly, as this is just one of the many changes that are going to be happening over the next few months.
 
LVL 3

Expert Comment

by:Popeyediceclay
You could create a start-up script that adds the Domain Users group to the local Administrators group of each PC.  This would only allow all users full access to their own and each others PC but not servers and such.  Once the changes have been made you could create another script that removes it.  Much safer than adding to Domain Admins but still vulnerable.

 

Author Comment

by:error131
I've seen a few scripts that say something about adding to a local admin group. Do you have any recommendations on how to go about that?
 
LVL 3

Accepted Solution

by:Popeyediceclay (earned 250 total points)
This looks like it could work:
'VBScript to Add an Active Directory Global Group to a Local Group on a Computer
'
'Example: Add an Active Directory General Desktop Administrator Group to the Local
'         Administrator Group. This can be used to provide Local Administrator rights
'         to AD Users.
'
'MyDomain is in the form e.g Menkaura.com
'  (note: the WinNT provider used below expects the NetBIOS domain name, e.g. MENKAURA)
'Global Group is in form e.g Local Desktop Administrator User Rights
'
'Provided by http://www.Menkaura.com/Forum/index.php
'Visit us to see what else we have on offer.

Option Explicit
On Error Resume Next

'Define Variables
Dim MyDomain
Dim GlobalGroup
Dim oDomainGroup
Dim oLocalAdmGroup
Dim oNet
Dim sComputer

Set oNet = WScript.CreateObject("WScript.Network")
sComputer = oNet.ComputerName

MyDomain = "Place Your Domain Name Here"
GlobalGroup = "Local Desktop Administrator User Rights"

'Bind to the domain group and to the local Administrators group of this computer
Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

'Add the domain group to local Administrators
oLocalAdmGroup.Add(oDomainGroup.AdsPath)

'On Error Resume Next would otherwise hide a failed bind or Add, so report it
If Err.Number <> 0 Then
    WScript.Echo "Failed to add " & GlobalGroup & " to Administrators: " & Err.Description
    Err.Clear
End If

'Nullify Variables (Set ... = Nothing is only valid for objects; strings are cleared with Empty)
MyDomain = Empty
GlobalGroup = Empty
Set oDomainGroup = Nothing
Set oLocalAdmGroup = Nothing
Set oNet = Nothing
sComputer = Empty

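As an added example (not code from this thread or from the site the accepted script credits), the clean-up counterpart Popeyediceclay mentioned earlier: it logs the current local Administrators membership and removes only the temporary domain group once the rollout is finished. The domain and group names are placeholders.

```vbscript
' Added example: remove a temporary domain group from local Administrators.
' Names below are placeholders, not values from the thread.
Option Explicit

Dim sDomain, sGlobalGroup, sComputer, sTarget
Dim oNet, oLocalAdmGroup, oMember, bFound

sDomain = "MYDOMAIN"                  ' assumption: NetBIOS domain name
sGlobalGroup = "Temp Desktop Admins"  ' assumption: group added by the rollout script

Set oNet = CreateObject("WScript.Network")
sComputer = oNet.ComputerName
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

' Log the membership before changing anything so the change is auditable
WScript.Echo "Administrators on " & sComputer & " before:"
For Each oMember In oLocalAdmGroup.Members
    WScript.Echo "  " & oMember.AdsPath
Next

' Members enumerate with an ADsPath of the form WinNT://DOMAIN/Name
sTarget = "WinNT://" & sDomain & "/" & sGlobalGroup
bFound = False
For Each oMember In oLocalAdmGroup.Members
    If LCase(oMember.AdsPath) = LCase(sTarget) Then bFound = True
Next

If bFound Then
    ' Remove only the temporary group; other members (local Administrator,
    ' Domain Admins) are left untouched
    On Error Resume Next
    oLocalAdmGroup.Remove sTarget
    If Err.Number <> 0 Then
        WScript.Echo "Remove failed: " & Err.Description
        Err.Clear
    Else
        WScript.Echo "Removed " & sTarget & " from Administrators"
    End If
    On Error GoTo 0
Else
    WScript.Echo sTarget & " is not a member of Administrators; nothing to do"
End If

Set oLocalAdmGroup = Nothing
Set oNet = Nothing
```

Run it as a StartUp script (SYSTEM context) in the same way as the add script, since a logon script running as an ordinary user cannot change local group membership.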
 
LVL 3

Expert Comment

by:Popeyediceclay
And the Scripting Guy always has some good methods:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
 

Author Comment

by:error131
I'll try it and get back to you. ASAP.
 
LVL 65

Assisted Solution

by:RobSampson (earned 250 total points)
You would expect though, that if your keys are HKCU, then they have permissions to edit those keys, but may still not be able to run Regedit (to import registry keys).  I have found on some of my locked down machines that even though you cannot Regedit, you *can* use the RegWrite method of the WScript.Shell object:

Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite "HKCU\Software\Acme", "MyValue", "REG_SZ"

Reference:
http://msdn.microsoft.com/en-us/library/yfdfhz1b.aspx

So, what I'm thinking is that you can use a StartUp to register the DLL, that should work fine, but then also use a Login script, utilising the RegWrite method to create your values.

Regards,

Rob.
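An added example (not Rob's code) of the logon-script half of that plan: it applies the HKCU values with RegWrite and keeps a per-user marker value so the write happens once per user and is retried only if it failed. The key paths and data are placeholders.

```vbscript
' Added example: apply HKCU settings via WScript.Shell.RegWrite exactly once per user.
' Key paths and values are placeholders, not the ones from the thread.
Option Explicit

Dim objShell, sMarker, sCurrent

Set objShell = CreateObject("WScript.Shell")
sMarker = "HKCU\Software\Acme\RolloutVersion"   ' assumption: marker location

' RegRead raises an error when the value does not exist yet, so read it guarded
On Error Resume Next
sCurrent = objShell.RegRead(sMarker)
If Err.Number <> 0 Then
    sCurrent = ""
    Err.Clear
End If
On Error GoTo 0

' Already applied for this user: nothing to do on later logons
If sCurrent = "1" Then WScript.Quit 0

' Write the values that the .reg file would have imported (placeholder data)
On Error Resume Next
objShell.RegWrite "HKCU\Software\Acme\MyValue", "MyData", "REG_SZ"
objShell.RegWrite "HKCU\Software\Acme\EnableFeature", 1, "REG_DWORD"
If Err.Number <> 0 Then
    ' Leave the marker unset so the next logon retries the write
    WScript.Echo "RegWrite failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Record success so later logons skip the write
objShell.RegWrite sMarker, "1", "REG_SZ"
```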
 

Author Closing Comment

by:error131
Both "RobSampson"'s and "Popeyediceclay"'s answers worked for me. Ultimately I added the .dll via a startup script and then added the HKCU changes via a login script, but the script to add a group to the local Administrators group worked as well.
 
LVL 65

Expert Comment

by:RobSampson
Great. Glad we could help.  Thanks for the grade.

Regards,

Rob.