DRRAM

asked on

local admin

Hello,
Please
I have an Active Directory (Domain Controller Server 2003)
I wondered if there was a script (.bat or .VBS) or PowerShell to give a list of user accounts (AD) local administrator rights on a list of Windows XP machines (AD).

indeed

1 - I will give user1 (AD account) the right to be a local administrator on the machine PC1 (listed in AD) for one day, to make application installations.

I'll do the same thing for 110 users on 110 machines.

"USER1" local administrator --> on "PC1"
"USER2" local administrator --> on "PC2"
"USER3" local administrator --> on "PC3"
....
"USER110" local administrator --> on "PC110"

2 - After one day I will remove the local administrator right of this list of users (example: USER1) on this list of machines (example: PC1),
and so on

Can you please give me any solution? It's very urgent.
THX
fahad44

Do none of your AD users currently have administrative rights?
DRRAM (ASKER)

Yes, none of the AD users have administrative rights
DRRAM (ASKER)

except the administration account
You need to create a GPO for this, so follow the instructions illustrated in this link:

http://community.spiceworks.com/how_to/show/907

Regards,
Fahad
DRRAM (ASKER)

please, I am waiting for another solution,
because the problem with this method (by GPO) --> each user (110 users) will be local admin on all machines (110 machines)
DRRAM (ASKER)

please, I am waiting for another solution
thx
Sarang Tinguria
Use Restricted Groups policy for Win 2k3.
Add a single user to the local admin group, deploy your application, and then remove that user from the policy.
http://www.windowsecurity.com/articles/using-restricted-groups.html
DRRAM (ASKER)

Is it not possible via a script?
That would be... But this is the easier option.
You will be giving local Administrator access to only one user, which you will mention in the Restricted Groups.
Hi, you can try this script as a start. It adds the currently logged-on user of a remote machine to the local admin group of that same machine.

Don't forget, though, that if you add the user while they are logged on, they will need to log off and log back on before they have admin rights.

To remove the user, change
      objAdmins.Add(objWinntUser.ADsPath)

to
      objAdmins.Remove(objWinntUser.ADsPath)

Regards,

Rob.

' Adds the user currently logged on to a remote machine to that machine's
' local Administrators group. Run it with an account that already has
' administrator rights on the remote machine (WMI and the WinNT provider
' are both used remotely).
Set wshNetwork = CreateObject( "WScript.Network" )
strUserDomain = wshNetwork.UserDomain

strUserComputer = InputBox("Please enter an IP Address or computer name:", _
    "Add logged on user to local Administrators group","192.168.1.1")

' InputBox returns an empty string (not Empty) when Cancel is clicked,
' so the original IsEmpty() test never stopped the script here
If strUserComputer = "" Then WScript.Quit

' Ask WMI on the remote machine who is logged on interactively
Set objWMIService = GetObject("winmgmts:" _
	& "{impersonationLevel=impersonate}!\\" & strUserComputer & "\root\cimv2") 
Set colComputer = objWMIService.ExecQuery _
	("Select * from Win32_ComputerSystem")

strUserName = Null
For Each objComputer in colComputer
	strUserName = objComputer.UserName
Next

' Win32_ComputerSystem.UserName is Null when nobody is logged on
If IsNull(strUserName) Then
	WScript.Echo "No user is logged on to " & strUserComputer & ". Nothing to do."
	WScript.Quit
End If

' Keep only the account name; it is looked up in the domain this script runs under
If InStr(strUserName, "\") > 0 Then strUserName = Mid(strUserName, InStrRev(strUserName, "\") + 1)

Set objAdmins = GetObject("WinNT://" & strUserComputer & "/Administrators")
Set objWinntUser = GetObject("WinNT://" & strUserDomain & "/" & strUserName)

strGroupToCheck = "Administrators"

If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
	objAdmins.Add(objWinntUser.ADsPath)
	WScript.Echo strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
Else
	WScript.Echo strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
End If


Function IsMemberOfGroup(strTarget, objUser, strGroup) 'True if objUser is already a member of strGroup on computer strTarget
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strTarget & "/" & strGroup & ",group")
	If Err.Number Then
		' Returning the string "Error" here leaves the caller's "= False" test
		' ambiguous; report the bind failure and treat the user as not a member
		WScript.Echo "Could not bind to " & strGroup & " on " & strTarget & ": " & Err.Description
		IsMemberOfGroup = False
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
	End If
End Function

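Rob's script adds whichever user happens to be logged on; the question instead pairs a named user with a named machine and wants the right taken back the next day. The PowerShell below is an added example, not code from this thread, that does exactly that over a Computer,User CSV with the same WinNT ADSI provider the VBScript uses. The file name pairs.csv, the -Action switch and the function name are my assumptions.

```powershell
# Added example (not from this thread): give, and a day later take back,
# local Administrators membership for explicit Computer,User pairs.
# Assumed input pairs.csv (constructed):
#   Computer,User
#   PC1,USER1
#   PC2,USER2
# Day 1:  .\Set-PairedLocalAdmin.ps1 -Action Add
# Day 2:  .\Set-PairedLocalAdmin.ps1 -Action Remove
param(
    [ValidateSet('Add', 'Remove')][string]$Action = 'Add',
    [string]$PairFile = 'pairs.csv',
    [string]$LogFile  = 'results.csv',
    [string]$Domain   = $env:USERDOMAIN   # domain that holds the user accounts
)

function Set-LocalAdminMembership {
    param([string]$Computer, [string]$User, [string]$Domain, [string]$Action)
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return 'OFFLINE'
    }
    try {
        # Same WinNT provider as the VBScript; the account running this must
        # already be an administrator on $Computer, otherwise the bind/Add
        # throws and the message is logged instead of silently ignored
        $group    = [ADSI]"WinNT://$Computer/Administrators,group"
        $userPath = "WinNT://$Domain/$User"
        $isMember = [bool]$group.psbase.Invoke('IsMember', $userPath)
        if ($Action -eq 'Add') {
            if ($isMember) { return 'EXISTS' }
            $group.psbase.Invoke('Add', $userPath)
            return 'ADDED'
        }
        if (-not $isMember) { return 'NOT A MEMBER' }
        $group.psbase.Invoke('Remove', $userPath)
        return 'REMOVED'
    } catch {
        return "ERROR - $($_.Exception.Message)"
    }
}

$results = @()
foreach ($pair in Import-Csv $PairFile) {
    $computer = "$($pair.Computer)".Trim()
    $user     = "$($pair.User)".Trim()
    if (-not $computer -or -not $user) { continue }
    $result = Set-LocalAdminMembership $computer $user $Domain $Action
    Write-Host "$computer / $user : $result"
    # A fresh row per machine, so an OFFLINE result can never carry the
    # previous machine's name the way the VBScript's reused strLogLine does
    $results += New-Object PSObject -Property @{
        Computer = $computer; User = $user; Result = $result
    }
}
$results | Select-Object Computer, User, Result | Export-Csv $LogFile -NoTypeInformation
```

Keep the day-1 log: the Remove run on day 2 should report REMOVED for every row that reported ADDED, and anything still EXISTS afterwards is a machine to look at.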

DRRAM (ASKER)

Hi RobSampson;
I'll do the same thing for 110 users on 110 machines.
Can the script be applied automatically, reading the names of the 110 machines from a text file (list),
to add the currently logged-on user of each remote machine to the local admin group of that same machine?
Thx for your help
OK, this should work, reading from computers.txt and logging the results to a CSV file.

Regards,

Rob.

' Batch version: reads computer names from computers.txt, adds the user
' currently logged on to each machine to that machine's local Administrators
' group, and writes one line per machine to results.csv.
Set wshNetwork = CreateObject( "WScript.Network" )
strUserDomain = wshNetwork.UserDomain

strInputFile = "computers.txt"
strOutputFile = "results.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(strInputFile, 1, False)
Set objOutput = objFSO.CreateTextFile(strOutputFile, True)
objOutput.WriteLine """Computer"",""Result"""

While Not objInput.AtEndOfStream
	strComputer = Trim(objInput.ReadLine)
	If strComputer <> "" Then
		If Ping(strComputer) = True Then
			strLogLine = strComputer
			On Error Resume Next
			Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
			If Err.Number = 0 Then
				Set colComputer = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
				For Each objComputer In colComputer
					strUserName = objComputer.UserName
				Next
				If InStr(strUserName, "\") > 0 Then strUserName = Mid(strUserName, InStrRev(strUserName, "\") + 1)
				
				Err.Clear
				Set objAdmins = GetObject("WinNT://" & strUserComputer & "/Administrators")
				Set objWinntUser = GetObject("WinNT://" & strUserDomain & "/" & strUserName)
				If Err.Number = 0 Then				
					strGroupToCheck = "Administrators"
					
					If IsMemberOfGroup(strUserComputer, objWinntUser, strGroupToCheck) = False Then
						objAdmins.Add(objWinntUser.ADsPath)
						strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " ADDED"""
						'WScript.Echo strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
					Else
						strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " EXISTS"""
						'WScript.Echo strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
					End If
				Else
					strLogLine = strLogLine & ",""ERROR" & Err.Number & " - " & Err.Description & """"
					Err.Clear
				End If
			Else
				strLogLine = strLogLine & ",""ERROR" & Err.Number & " - " & Err.Description & """"
				Err.Clear
				On Error GoTo 0
			End If
		Else
			strLogLine = strLogLine & ",""OFFLINE"""			
		End If
		objOutput.WriteLine strLogLine
	End If
Wend
objInput.Close
objOutput.Close
WScript.Echo "Done. Please see " & strOutputFile

Function IsMemberOfGroup(strTarget, objUser, strGroup) 'True if objUser is already a member of strGroup on computer strTarget
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strTarget & "/" & strGroup & ",group")
	If Err.Number Then
		' Returning the string "Error" here leaves the caller's "= False" test
		' ambiguous; report the bind failure and treat the user as not a member
		WScript.Echo "Could not bind to " & strGroup & " on " & strTarget & ": " & Err.Description
		IsMemberOfGroup = False
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
	End If
End Function

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function


DRRAM (ASKER)

Please RobSampson

In the file "computers.txt" I have
PC-1
PC-3

I have errors in the file "results.csv":
Computer,"Result"
PC-1,"ERROR-2147463168 - "
PC-1,"ERROR-2147463168 - ","OFFLINE"

indeed
- PC-1 is online but I do not know why I got an error in the file "results.csv"

- PC-3 is offline but I do not know why I got an error in the file "results.csv" and
it put PC-1 instead of PC-3

Thx for your help
Sorry, a couple of variable names were wrong.  This should work.

Regards,

Rob.

' Batch version with the variable names corrected (strComputer is the name
' read from computers.txt and is used for both the WMI and WinNT binds).
Set wshNetwork = CreateObject( "WScript.Network" )
strUserDomain = wshNetwork.UserDomain

strInputFile = "computers.txt"
strOutputFile = "results.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(strInputFile, 1, False)
Set objOutput = objFSO.CreateTextFile(strOutputFile, True)
objOutput.WriteLine """Computer"",""Result"""

While Not objInput.AtEndOfStream
	strComputer = Trim(objInput.ReadLine)
	If strComputer <> "" Then
		If Ping(strComputer) = True Then
			strLogLine = strComputer
			On Error Resume Next
			Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
			If Err.Number = 0 Then
				Set colComputer = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
				For Each objComputer In colComputer
					strUserName = objComputer.UserName
				Next
				If InStr(strUserName, "\") > 0 Then strUserName = Mid(strUserName, InStrRev(strUserName, "\") + 1)
				
				Err.Clear
				Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
				Set objWinntUser = GetObject("WinNT://" & strUserDomain & "/" & strUserName)
				If Err.Number = 0 Then				
					strGroupToCheck = "Administrators"
					
					If IsMemberOfGroup(strComputer, objWinntUser, strGroupToCheck) = False Then
						objAdmins.Add(objWinntUser.ADsPath)
						strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " ADDED"""
						'WScript.Echo strUserDomain & "/" & strUserName & " was added to the " & strGroupToCheck & " group."
					Else
						strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " EXISTS"""
						'WScript.Echo strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
					End If
				Else
					strLogLine = strLogLine & ",""ERROR" & Err.Number & " - " & Err.Description & """"
					Err.Clear
				End If
			Else
				strLogLine = strLogLine & ",""ERROR " & Err.Number & " - " & Err.Description & """"
				Err.Clear
				On Error GoTo 0
			End If
		Else
			strLogLine = strLogLine & ",""OFFLINE"""			
		End If
		objOutput.WriteLine strLogLine
	End If
Wend
objInput.Close
objOutput.Close
WScript.Echo "Done. Please see " & strOutputFile

Function IsMemberOfGroup(strTarget, objUser, strGroup) 'True if objUser is already a member of strGroup on computer strTarget
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strTarget & "/" & strGroup & ",group")
	If Err.Number Then
		' Returning the string "Error" here leaves the caller's "= False" test
		' ambiguous; report the bind failure and treat the user as not a member
		WScript.Echo "Could not bind to " & strGroup & " on " & strTarget & ": " & Err.Description
		IsMemberOfGroup = False
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
	End If
End Function

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function


DRRAM (ASKER)

Please RobSampson
In the file "computers.txt" I have
PC-1
PC-3

Computer,"Result"
PC-1,"PC-1/User1 EXISTS"
PC-1,"PC-1/User1 EXISTS","OFFLINE"

- PC1 is ok
but
- PC-3 is offline, but in the file "results.csv" it put PC-1 instead of PC-3
thx
I can't see why it would be writing odd things...it seems to work for me...can you run this version with
cscript C:\Scripts\AddAdminUsers.vbs

and see what the output is...

' Same batch script with console progress output, meant to be run under
' cscript so each step can be watched while it runs.
Set wshNetwork = CreateObject( "WScript.Network" )
strUserDomain = wshNetwork.UserDomain

strInputFile = "computers.txt"
strOutputFile = "results.csv"

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objInput = objFSO.OpenTextFile(strInputFile, 1, False)
Set objOutput = objFSO.CreateTextFile(strOutputFile, True)
objOutput.WriteLine """Computer"",""Result"""

While Not objInput.AtEndOfStream
	strComputer = Trim(objInput.ReadLine)
	If strComputer <> "" Then
		If Ping(strComputer) = True Then
			WScript.Echo strComputer & " is online. Processing..."
			strLogLine = """" & strComputer & """"
			On Error Resume Next
			Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
			If Err.Number = 0 Then
				Set colComputer = objWMIService.ExecQuery("Select * from Win32_ComputerSystem")
				For Each objComputer In colComputer
					strUserName = objComputer.UserName
				Next
				If InStr(strUserName, "\") > 0 Then strUserName = Mid(strUserName, InStrRev(strUserName, "\") + 1)
				
				Err.Clear
				Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
				Set objWinntUser = GetObject("WinNT://" & strUserDomain & "/" & strUserName)
				If Err.Number = 0 Then				
					strGroupToCheck = "Administrators"
					
					If IsMemberOfGroup(strComputer, objWinntUser, strGroupToCheck) = False Then
						' Add (not Remove) is what the "ADDED" log entry and the post describe;
						' error handling stays in Resume Next mode so a failed Add is logged
						objAdmins.Add(objWinntUser.ADsPath)
						If Err.Number = 0 Then
							strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " ADDED"""
						Else
							strLogLine = strLogLine & ",""ERROR " & Err.Number & " - " & Err.Description & """"
							Err.Clear
						End If
					Else
						strLogLine = strLogLine & ",""" & strUserDomain & "/" & strUserName & " EXISTS"""
						'WScript.Echo strUserDomain & "/" & strUserName & " is already a member of the " & strGroupToCheck & " group."
					End If
				Else
					strLogLine = strLogLine & ",""ERROR" & Err.Number & " - " & Err.Description & """"
					Err.Clear
				End If
			Else
				strLogLine = strLogLine & ",""ERROR " & Err.Number & " - " & Err.Description & """"
				Err.Clear
				On Error GoTo 0
			End If
		Else
			WScript.Echo strComputer & " is offline. Not processing."
			strLogLine = strLogLine & ",""OFFLINE"""			
		End If
		WScript.Echo "Writing to output file: " & vbCrLf & strLogLine
		objOutput.WriteLine strLogLine
	End If
Wend
objInput.Close
objOutput.Close
WScript.Echo "Done. Please see " & strOutputFile

Function IsMemberOfGroup(strTarget, objUser, strGroup) 'True if objUser is already a member of strGroup on computer strTarget
	IsMemberOfGroup = False
	Dim objGroup
	On Error Resume Next
	Set objGroup = GetObject("WinNT://" & strTarget & "/" & strGroup & ",group")
	If Err.Number Then
		' Returning the string "Error" here leaves the caller's "= False" test
		' ambiguous; report the bind failure and treat the user as not a member
		WScript.Echo "Could not bind to " & strGroup & " on " & strTarget & ": " & Err.Description
		IsMemberOfGroup = False
	Else
		IsMemberOfGroup = objGroup.IsMember(objUser.ADsPath)
	End If
End Function

Function Ping(strComputer)
	Dim objShell, boolCode
	Set objShell = CreateObject("WScript.Shell")
	boolCode = objShell.Run("Ping -n 1 -w 300 " & strComputer, 0, True)
	If boolCode = 0 Then
		Ping = True
	Else
		Ping = False
	End If
End Function


DRRAM (ASKER)

Please RobSampson

I have an error when running the script:
"
Script: C:\Scripts\AddAdminUsers.vbs
Ligne: 56
Caract.: 52
Error: Expected end of statement
Source : Microsoft VBScript compilation error:
"
Thx
Sorry, please try the code again from my previous post.  I have updated line 56 to include an ampersand that I had forgotten.

Rob.
DRRAM (ASKER)

you forgot to send the script

Can this script be used for PCs on the network???
DRRAM (ASKER)

I AM WAITING FOR YOUR RESPONSE PLEASE
DRRAM (ASKER)

Please RobSampson
In the file "computers.txt" I have
PC-1
PC-3

Computer,"Result"
PC-1,"PC-1/USER1 EXISTS"
PC-1,"PC-1/USER1 EXISTS","OFFLINE"

- PC1 is ok
but
- PC-3 is offline, but in the file "results.csv" it put PC-1 instead of PC-3

Can this script be used for PCs on the network???

THX
Try the code I posted in ID: 38375047 again.  I updated it to provide a fix for line 56.

Rob.
DRRAM (ASKER)

yes I tried

Please RobSampson
In the file "computers.txt" I have
PC-1
PC-3

Computer,"Result"
PC-1,"PC-1/USER1 EXISTS"
PC-1,"PC-1/USER1 EXISTS","OFFLINE"

- PC1 is ok
but
- PC-3 is offline, but in the file "results.csv" it put PC-1 instead of PC-3

Can this script be used for PCs on the network???

THX
DRRAM (ASKER)

??
DRRAM (ASKER)

Please RobSampson,

Please, it is very urgent, I am waiting for your correction
Thx
ASKER CERTIFIED SOLUTION
RobSampson

This solution is only available to members.
DRRAM (ASKER)

Please RobSampson,
I tried

In the file "computers.txt" I have
PC5323
PC8462
PC6286

"Computer","Result"
PC5323,"KLM/YifgtH01 EXISTS"
PC8462,"ERROR 462 - The remote server machine does not exist or is unavailable"
PC6286,"ERROR 462 - The remote server machine does not exist or is unavailable"

- PC5323 is ok
but
- PC8462, PC6286: this is not possible, because the two machines are connected to the network (LAN)

Can this script be used for PCs on the network???

THX
DRRAM (ASKER)

Please RobSampson,

Please, it is very urgent, I am waiting for your correction
Thx
The script can be used against any PC in the network, but when you see the error "The remote server machine does not exist or is unavailable" this means that the computer or user account that you are running the script *from* cannot connect via WMI to the remote computer.  Are you sure you have admin rights on each remote PC?

The remote machine may have WMI problems as well that you will need to fix before you can do anything remotely to them with WMI.

Regards,

Rob.
The computers may also have a firewall policy that blocks WMI operations...
DRRAM (ASKER)

yes
Is it necessary to use WMI??
I do not control WMI and I do not know how I am going to fix the problem
I do not have a firewall policy in the "LAN" network
THX
Yes, WMI is necessary, even remote registry operations use the same interface.  You won't be able to make any changes without having WMI / Remote Registry rights to the machines.

Rob.
DRRAM (ASKER)

thx Rob,
do you know how I can enable WMI please
WMI can have various issues.  The first thing to do is make sure that the account you're using has admin rights to the remote machine.  

If you are running the script from a computer that has UAC enabled, try right-clicking cmd.exe, then clicking Run As Administrator, and then running
cscript C:\Scripts\AddLocalAdmins.vbs

After that, if it still fails, you can follow these steps on the remote machine itself:
Click Start --> Settings --> Control Panel --> Administrative Tools --> Component Services
Then expand Component Services --> Computers --> My Computer
Right click My Computer, go to Properties.  On the Default Properties tab, check the Enable Distributed COM on this computer box.
Then on the COM Security tab, click Edit Default... under Launch and Activation Permissions and make sure the Local Administrators group has Full Access.
Then make sure that your domain account is in the Local Administrators group in Computer Management.  Restart the system and try again.

Also, just double-check that the registry setting for DCOM is enabled:
HKLM\Software\Microsoft\OLE\
String value: EnableDCOM
should be Y

Regards,

Rob.
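Before re-running the admin script, it helps to know which of Rob's conditions each machine actually fails. The PowerShell below is an added example (not Rob's code) that runs those checks against every name in computers.txt: ping, the same Win32_ComputerSystem WMI query under the current account, and the EnableDCOM registry value; the function name is my own, and the registry read assumes the Remote Registry service is running on the target.

```powershell
# Added example (not Rob's code): run Rob's checks against every machine in
# computers.txt before attempting the admin script. Remote Registry must be
# running on the target for the EnableDCOM read; function name is assumed.
param([string]$ComputerFile = 'computers.txt')

function Test-RemoteAdminPrereqs {
    param([string]$Computer)
    $r = New-Object PSObject -Property @{
        Computer = $Computer; Ping = $false; WMI = 'not tried'
        LoggedOnUser = ''; EnableDCOM = 'unknown'
    }
    $r.Ping = Test-Connection -ComputerName $Computer -Count 1 -Quiet
    if (-not $r.Ping) { return $r }
    try {
        # The same query the VBScript runs; failing here under your account is
        # the "remote server machine does not exist or is unavailable" case
        $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $Computer -ErrorAction Stop
        $r.WMI = 'OK'
        $r.LoggedOnUser = $cs.UserName   # $null when nobody is logged on
    } catch {
        $r.WMI = "FAILED - $($_.Exception.Message)"
    }
    try {
        # HKLM\Software\Microsoft\OLE\EnableDCOM should be "Y"
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $r.EnableDCOM = $hklm.OpenSubKey('SOFTWARE\Microsoft\OLE').GetValue('EnableDCOM')
        $hklm.Close()
    } catch {
        $r.EnableDCOM = "unreadable - $($_.Exception.Message)"
    }
    return $r
}

Write-Host "Running as $env:USERDOMAIN\$env:USERNAME (must be a local admin on every target)"
Get-Content $ComputerFile | Where-Object { $_.Trim() } | ForEach-Object {
    Test-RemoteAdminPrereqs $_.Trim()
} | Select-Object Computer, Ping, WMI, LoggedOnUser, EnableDCOM | Format-Table -AutoSize
```

A row with Ping True but WMI FAILED points at rights or DCOM on that machine rather than at the network, which is the split Rob's reply asks you to make.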
DRRAM (ASKER)

thx