Need a script to add users to Domain Administrators

Posted on 2009-05-19
Last Modified: 2012-05-07
I am very new to VBS and find myself fumbling around trying to add users to the Domain Administrators group via a login script. I need to run a reg file and register a .dll and on our network this requires administrator privileges. I have searched here and a few other places and found good information, but it's not been specific enough for my limited knowledge.
So any help would be appreciated.
We run a Windows 2008 domain, users are on Windows XP Pro.
Question by:error131
12 Comments
 
LVL 3

Expert Comment

by:Cameron_S
ID: 24426994
What is the criteria? Do you want to type in a name? All users that have the specified login script are admins? All accounts within a specific OU? It probably would not be a good idea to make everyone a DA in a production network, but if it is a small private network that seems logical.

Generally you want to save login scripts for repeatable things - mapping network drives, reporting system information, etc etc. Not so much for setting permissions, which are hopefully a one-time shot.

 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24427158
What does the REG file do?  Does this need to be entered into the current user registry profile?

You could create a scheduled task that runs when the user logs on and have it run as the admin account, running a BAT file (or VBS). Call it somefile.bat, with:

REG /IMPORT "somefile.reg"
REGSVR32 "somefile.dll"

And you could create the task remotely using SCHTASKS, like:

SCHTASKS /Create /F /S <computername> /U Administrator /P password /RU Administrator /RP password /SC ONLOGON /TN test /TR c:\somefile.bat

(Run "SCHTASKS /CREATE ?" to see what all this means)

Might need to do some experimenting but it should get the job done.  I don't know if it will add the REG file to the current user registry though.
 
LVL 65

Expert Comment

by:RobSampson
ID: 24427645
Hmmm, perhaps better than elevating every user's privileges would be to run a StartUp script to import a registry file and register a DLL.

StartUp scripts run under the local computer SYSTEM account, where Logon scripts run under the security context of the user logging in, and so are usually limited.

StartUp scripts are, however, limited in their network access, in that they can only access files in the NetLogon share of your domain controllers. But this is usually not a problem, as long as you place your required files somewhere in that folder.

So, if you assign, say, the following script as a StartUp script, it should run the registry import, and register the DLL.  This will only work though, if the registry keys you're changing are HKEY_LOCAL_MACHINE keys.  If they are HKEY_CURRENT_USER keys, then those will not import to the target user.....so hopefully you're using HKEY_LOCAL_MACHINE keys....

Regards,

Rob.
Set objShell = CreateObject("WScript.Shell")
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
' Set your registry file location here
strRegFile = strLogonServer & "\NetLogon\RegistryKeys.reg"
' Build the command that will be used to import the registry file
strCommand = "regedit /s """ & strRegFile & """"
' Run the command
objShell.Run strCommand, 0, True
' Set your dll path here
strDLLFile = "C:\Program Files\MyProgram\MyDLL.dll"
' Build the command that will be used to register the DLL file
strCommand = "regsvr32 /s """ & strDLLFile & """"
' Run the command
objShell.Run strCommand, 0, True

Author Comment

by:error131
ID: 24431700
The registry change is editing the HKCU. So I guess I am out of luck there. The reason for trying to do this via a login/startup script is because we have over 300 machines to be updated and I didn't really want to go to every machine to do it. After the update I want to change the security back. I can do this manually of course, but if I can find a way to do it programmatically it would help me greatly, as this is just one of the many changes that are going to be happening over the next few months.
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24431946
You could create a start-up script that adds the Domain Users group to the local Administrators group of each PC.  This would only allow all users full access to their own and each others PC but not servers and such.  Once the changes have been made you could create another script that removes it.  Much safer than adding to Domain Admins but still vulnerable.

 

Author Comment

by:error131
ID: 24432065
I've seen a few scripts that say something about adding to a local admin group; do you have any recommendations on how to go about that?
 
LVL 3

Accepted Solution

by:Popeyediceclay (earned 250 total points)
ID: 24432097
This looks like it could work:
'VBScript to Add an Active Directory Global Group to a Local Group on a Computer
'
'Example: Add an Active Directory General Desktop Administrator Group to the Local
'         Administrator Group. This can be used to provide Local Administrator rights
'         to AD Users.
'
'MyDomain is in the form e.g. Menkaura.com
'Global Group is in the form e.g. Local Desktop Administrator User Rights
'
'Provided by http://www.Menkaura.com/Forum/index.php
'Visit us to see what else we have on offer.
 
 
Option Explicit
On Error Resume Next
 
'Define Variables
Dim MyDomain
Dim GlobalGroup
Dim oDomainGroup
Dim oLocalAdmGroup
Dim oNet
Dim sComputer
Dim oMember
Dim bAlreadyMember
 
Set oNet = WScript.CreateObject("WScript.Network")
sComputer = oNet.ComputerName
 
 
MyDomain = "Place Your Domain Name Here"
GlobalGroup = "Local Desktop Administrator User Rights"
 
'Bind to the domain group and the local Administrators group through the WinNT provider.
'On Error Resume Next hides failures, so check Err after each bind instead of assuming success.
Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to domain group " & GlobalGroup & ": " & Err.Description
    WScript.Quit 1
End If
 
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to local Administrators group: " & Err.Description
    WScript.Quit 1
End If
 
'Only add the group if it is not already a member, so the script is safe to run at every startup.
'Members are compared by name and class because the member's ADsPath uses the NetBIOS domain
'name, which need not match the path the script bound with.
bAlreadyMember = False
For Each oMember In oLocalAdmGroup.Members
    If LCase(oMember.Name) = LCase(oDomainGroup.Name) And LCase(oMember.Class) = "group" Then
        bAlreadyMember = True
    End If
Next
 
If Not bAlreadyMember Then
    oLocalAdmGroup.Add oDomainGroup.AdsPath
    If Err.Number <> 0 Then
        WScript.Echo "Adding " & GlobalGroup & " to Administrators failed: " & Err.Description
        WScript.Quit 1
    End If
End If
 
 
'Release objects (the string variables need no explicit release)
Set oDomainGroup = Nothing
Set oLocalAdmGroup = Nothing
Set oNet = Nothing

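The same change in PowerShell, covering both the accepted script above and Popeyediceclay's earlier suggestion of adding a domain group to each PC's local Administrators group and removing it again once the work is done. This is an added example, not code from the thread: the NetBIOS domain name CONTOSO and the group name Desktop Admins are placeholders, and it assumes PowerShell is installed on the XP clients, which was not a given in 2009. Assigned as a GPO startup script it runs as SYSTEM, which is enough to change local group membership; run it with -Remove from the same GPO to roll the elevation back.

```powershell
# Added example (PowerShell rather than the thread's VBScript).
# CONTOSO and "Desktop Admins" are assumed placeholder names, not values from the post.
param(
    [string]$Domain    = "CONTOSO",        # assumed NetBIOS domain name
    [string]$GroupName = "Desktop Admins", # assumed domain global group used for temporary elevation
    [switch]$Remove                        # run with -Remove to roll the change back
)

# Bind to the local Administrators group with the WinNT provider, as the VBScript does.
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$memberPath  = "WinNT://$Domain/$GroupName,group"

# The WinNT provider returns raw COM objects for members, so their Name property is
# read through InvokeMember instead of dotted access.
function Get-LocalAdminMemberNames {
    $localAdmins.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
    }
}

# Membership check first, so the script is idempotent at every startup
# and does not error on "already a member" or "not a member".
$isMember = (Get-LocalAdminMemberNames) -contains $GroupName

if ($Remove) {
    if ($isMember) {
        $localAdmins.Remove($memberPath)
        Write-Output "Removed $Domain\$GroupName from local Administrators on $env:COMPUTERNAME"
    } else {
        Write-Output "$Domain\$GroupName is not in local Administrators; nothing to remove"
    }
} elseif (-not $isMember) {
    $localAdmins.Add($memberPath)
    Write-Output "Added $Domain\$GroupName to local Administrators on $env:COMPUTERNAME"
} else {
    Write-Output "$Domain\$GroupName is already in local Administrators; nothing to do"
}
```

Putting a dedicated group in local Administrators, rather than Domain Users, keeps the elevation to the accounts that actually need it and makes the rollback a single group removal; members of that group are still full local administrators on every client while the GPO is in force, so the removal run should be scheduled as part of the change, not left for later.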
 
LVL 3

Expert Comment

by:Popeyediceclay
ID: 24432127
And the Scripting Guy always has some good methods:

http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
 

Author Comment

by:error131
ID: 24432258
I'll try it and get back to you. ASAP.
 
LVL 65

Assisted Solution

by:RobSampson
RobSampson earned 250 total points
ID: 24437493
You would expect though, that if your keys are HKCU, then they have permissions to edit those keys, but may still not be able to run Regedit (to import registry keys).  I have found on some of my locked down machines that even though you cannot Regedit, you *can* use the RegWrite method of the WScript.Shell object:

Set objShell = CreateObject("WScript.Shell")
objShell.RegWrite "HKCU\Software\Acme", "MyValue", "REG_SZ"

Reference:
http://msdn.microsoft.com/en-us/library/yfdfhz1b.aspx

So, what I'm thinking is that you can use a StartUp script to register the DLL, which should work fine, but then also use a Login script, utilising the RegWrite method, to create your values.

Regards,

Rob.
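The split Rob arrives at here (machine-wide work such as the DLL registration in a StartUp script running as SYSTEM, per-user HKCU values in a Logon script running as the user) matches both his earlier StartUp script and this RegWrite suggestion. The following is an added PowerShell example of that split, not code from the thread, and the DLL path, .reg file name, key path and values are placeholders. It assumes PowerShell on the clients and a single script file assigned as both the startup and the logon script, told which role it is playing by its first argument. Unlike the silent regsvr32 /s and regedit /s calls, it checks exit codes, and the HKCU part carries a version marker so it rewrites nothing on later logons unless the desired values change.

```powershell
# Added example (PowerShell, not the thread's VBScript). Paths, key names and
# values are assumed placeholders, not taken from the original post.

# --- StartUp role: runs as SYSTEM, so HKLM changes and DLL registration are allowed ---
function Register-MachineComponents {
    param(
        [string]$DllPath = "C:\Program Files\MyProgram\MyDLL.dll",        # assumed path
        [string]$RegFile = "$env:LOGONSERVER\NetLogon\MachineKeys.reg"    # assumed; HKLM keys only
    )
    if (-not (Test-Path $DllPath)) { throw "DLL not found: $DllPath" }

    # regsvr32 /s shows no UI, so the exit code is the only signal of failure; check it.
    $p = Start-Process -FilePath regsvr32.exe -ArgumentList "/s `"$DllPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($p.ExitCode)" }

    # The .reg file is imported from NetLogon, which SYSTEM can read via the computer account.
    if (Test-Path $RegFile) {
        $p = Start-Process -FilePath reg.exe -ArgumentList "import `"$RegFile`"" -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "reg import failed with exit code $($p.ExitCode)" }
    }
}

# --- Logon role: runs as the user, so only HKCU is writable without elevation ---
function Set-UserRegistryValues {
    param(
        [string]$KeyPath       = "HKCU:\Software\Acme",   # assumed key
        [int]   $ConfigVersion = 1                        # bump this when the values change
    )
    # A version marker makes the logon script idempotent: nothing is rewritten on
    # later logons unless ConfigVersion has been raised.
    $current = (Get-ItemProperty -Path $KeyPath -Name ConfigVersion -ErrorAction SilentlyContinue).ConfigVersion
    if ($current -eq $ConfigVersion) { return $false }

    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name "MyValue"       -Value "SomeSetting"  -Type String
    Set-ItemProperty -Path $KeyPath -Name "ConfigVersion" -Value $ConfigVersion -Type DWord
    return $true
}

# Select the role from the first argument so one file serves both GPO script slots:
#   Computer Configuration startup script:  powershell.exe -File deploy.ps1 startup
#   User Configuration logon script:        powershell.exe -File deploy.ps1 logon
switch ($args[0]) {
    "startup" { Register-MachineComponents }
    "logon"   { Set-UserRegistryValues | Out-Null }
    default   { Write-Error "usage: deploy.ps1 startup|logon" }
}
```

Neither role needs the user elevated: the startup half gets its rights from the SYSTEM context the computer's GPO already provides, and the logon half only touches the user's own hive, which is the same observation behind the RegWrite approach above.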
 

Author Closing Comment

by:error131
ID: 31583261
Both "RobSampson"'s and "Popeyediceclay"'s answers worked for me. Ultimately I added the .dll via a startup script and then added the HKCU changes via a login script, but the script to add a group to the local administrators group worked as well.
 
LVL 65

Expert Comment

by:RobSampson
ID: 24446626
Great. Glad we could help.  Thanks for the grade.

Regards,

Rob.