Solved

Need a script to add users to Domain Administrators

Posted on 2009-05-19
Last Modified: 2012-05-07
I am very new to VBS and find myself fumbling around trying to add users to the Domain Administrators group via a login script. I need to run a reg file and register a .dll and on our network this requires administrator privileges. I have searched here and a few other places and found good information, but it's not been specific enough for my limited knowledge.
So any help would be appreciated.
We run a Windows 2008 domain, users are on Windows XP Pro.
Question by:error131
12 Comments
 
LVL 3

Expert Comment

by:Cameron_S
ID: 24426994
What are the criteria? Do you want to type in a name? All users that have the specified login script are admins? All accounts within a specific OU? It probably would not be a good idea to make everyone a DA in a production network, but if it is a small private network that seems logical.

Generally you want to save login scripts for repeatable things - mapping network drives, reporting system information, etc etc. Not so much for setting permissions, which are hopefully a one-time shot.

0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24427158
What does the REG file do?  Does this need to be entered into the current user registry profile?

You could create a scheduled task that runs when the user logs on and have it run as the admin account, have it run a BAT file (or VBS), call it somefile.bat with:

REG IMPORT "somefile.reg"
REGSVR32 "somefile.dll"

And you could create the task remotely using SCHTASKS, like:

SCHTASKS /Create /F /S <computername> /U Administrator /P password /RU Administrator /RP password /SC ONLOGON /TN test /TR c:\somefile.bat

(Run "SCHTASKS /Create /?" to see what all this means)

Might need to do some experimenting but it should get the job done.  I don't know if it will add the REG file to the current user registry though.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24427645
Hmmm, perhaps a better option than elevating every user's privileges would be to run a StartUp script to import a registry file, and register a DLL.

StartUp scripts run under the local computer SYSTEM account, where Logon scripts run under the security context of the user logging in, and so are usually limited.

StartUp scripts are, however, limited in their network access, in that they can only access files in the NetLogon share of your domain controllers.  But this is usually not a problem, as long as you place your required files somewhere in that folder.

So, if you assign, say, the following script as a StartUp script, it should run the registry import, and register the DLL.  This will only work though, if the registry keys you're changing are HKEY_LOCAL_MACHINE keys.  If they are HKEY_CURRENT_USER keys, then those will not import to the target user.....so hopefully you're using HKEY_LOCAL_MACHINE keys....

Regards,

Rob.
Set objShell = CreateObject("WScript.Shell")
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
' Set your registry file location here
strRegFile = strLogonServer & "\NetLogon\RegistryKeys.reg"
' Build the command that will be used to import the registry file
strCommand = "regedit /s """ & strRegFile & """"
' Run the command
objShell.Run strCommand, 0, True
' Set your dll path here
strDLLFile = "C:\Program Files\MyProgram\MyDLL.dll"
' Build the command that will be used to register the DLL file
strCommand = "regsvr32 /s """ & strDLLFile & """"
' Run the command
objShell.Run strCommand, 0, True


0

 

Author Comment

by:error131
ID: 24431700
The registry change is editing the HKCU. So I guess I am out of luck there. The reason for trying to do this via a login/startup script is because we have over 300 machines to be updated and I didn't really want to go to every machine to do it. After the update I want to change the security back. I can do this manually of course but if I can find a way to do it programmatically it would help me greatly as this is just one of the many changes that are going to be happening over the next few months.
0
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24431946
You could create a start-up script that adds the Domain Users group to the local Administrators group of each PC.  This would only allow all users full access to their own and each other's PC but not servers and such.  Once the changes have been made you could create another script that removes it.  Much safer than adding to Domain Admins but still vulnerable.

0
 

Author Comment

by:error131
ID: 24432065
I've seen a few scripts that say something about adding to a local admin group, do you have any recommendations on how to go about that?
0
 
LVL 3

Accepted Solution

by:
Popeyediceclay earned 250 total points
ID: 24432097
This looks like it could work:
'VBScript to Add an Active Directory Global Group to a Local Group on a Computer
'
'Example: Add an Active Directory General Desktop Administrator Group to the Local
'         Administrator Group. this can be Used to provide Local Administrator rights
'         to AD Users.
'
'MyDomain is in the form e.g Menkaura.com
'Global Group is in form e.g Local Desktop Administrator User Rights
'
'Provided by http://www.Menkaura.com/Forum/index.php
'Visit us to see what else we have on offer.
 
 
Option Explicit
On Error Resume Next
 
'Define Variables
Dim Mydomain
Dim GlobalGroup
Dim oDomainGroup
Dim oLocalAdmGroup
Dim oNet
Dim sComputer
 
Set oNet = WScript.CreateObject("WScript.Network")
sComputer = oNet.ComputerName
 
 
MyDomain = "Place Your Domain Name Here"
GlobalGroup = "Local Desktop Administrator User Rights"
 
Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
 
oLocalAdmGroup.Add(oDomainGroup.AdsPath)
 
 
'Nullify Variables
Set Mydomain = Nothing
Set GlobalGroup = Nothing
Set oDomainGroup = Nothing
Set oLocalAdmGroup = Nothing
Set oNet = Nothing
Set sComputer = Nothing


0
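The follow-up step mentioned in the thread (a second script that removes the group again once the update is done), as an added example that is not part of the original posts: a StartUp script that removes the domain group from the local Administrators group and logs the remaining members to the Application event log. The domain and group names are the same placeholders as in the accepted solution; the "Admin cleanup" event text and the Fail helper are assumptions.

```vbscript
' Added example, not from the thread. Assumed to run as a StartUp script (SYSTEM).
' MyDomain and GlobalGroup are the same placeholders used in the script above.
Option Explicit

Const MyDomain = "Place Your Domain Name Here"
Const GlobalGroup = "Local Desktop Administrator User Rights"

Dim oNet, oShell, oLocalAdmGroup, oMember
Dim sComputer, sGroupPath, sRemaining, bIsMember

Set oNet = CreateObject("WScript.Network")
Set oShell = CreateObject("WScript.Shell")
sComputer = oNet.ComputerName
' The WinNT provider's IsMember/Remove take the path without the ",group" suffix
sGroupPath = "WinNT://" & MyDomain & "/" & GlobalGroup

On Error Resume Next
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
If Err.Number <> 0 Then Fail "cannot bind to the local Administrators group", Err.Number

' Read membership into a variable first so a failed call is not mistaken for True
bIsMember = False
bIsMember = oLocalAdmGroup.IsMember(sGroupPath)
If Err.Number <> 0 Then Fail "membership check failed for " & sGroupPath, Err.Number

If bIsMember Then
    oLocalAdmGroup.Remove sGroupPath
    If Err.Number <> 0 Then Fail "could not remove " & sGroupPath, Err.Number
    oShell.LogEvent 0, "Admin cleanup: removed " & sGroupPath & " from Administrators"
End If

' Record who still holds local admin rights so leftovers can be reviewed centrally
For Each oMember In oLocalAdmGroup.Members
    sRemaining = sRemaining & vbCrLf & "  " & oMember.AdsPath
Next
On Error GoTo 0
oShell.LogEvent 4, "Admin cleanup: Administrators on " & sComputer & " now contains:" & sRemaining

' Hypothetical helper: write an error event (type 1) to the Application log and stop
Sub Fail(sMessage, lErr)
    oShell.LogEvent 1, "Admin cleanup: " & sMessage & " (0x" & Hex(lErr) & ")"
    WScript.Quit 1
End Sub
```

Events written by LogEvent appear in the Application log under the WSH source, so machines where the temporary grant was not reverted can be found by looking for the error entries.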
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24432127
And the Scripting Guy always has some good methods:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
0
 

Author Comment

by:error131
ID: 24432258
I'll try it and get back to you. ASAP.
0
 
LVL 65

Assisted Solution

by:RobSampson
RobSampson earned 250 total points
ID: 24437493
You would expect though, that if your keys are HKCU, then they have permissions to edit those keys, but may still not be able to run Regedit (to import registry keys).  I have found on some of my locked down machines that even though you cannot Regedit, you *can* use the RegWrite method of the WScript.Shell object:

Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite "HKCU\Software\Acme", "MyValue", "REG_SZ"

Reference:
http://msdn.microsoft.com/en-us/library/yfdfhz1b.aspx

So, what I'm thinking is that you can use a StartUp to register the DLL, that should work fine, but then also use a Login script, utilising the RegWrite method to create your values.

Regards,

Rob.
0
 

Author Closing Comment

by:error131
ID: 31583261
Both "RobSampson" and "Popeyediceclay"'s answers worked for me. Ultimately I added the .dll via a startup script and then added the HKCU changes via a login script, but the script to add a group to the local administrators group worked as well.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24446626
Great. Glad we could help.  Thanks for the grade.

Regards,

Rob.
0
