Re: Domain user to local administrators group

alimk <> wrote:
> Hi Everyone,
>
> I need a VB Script for adding domain users to be a member of local
> administrators group.
>
> Thanks in Advance.

Why does it especially need to be vbscript? A simple batch file startup
script in a GPO will do this. My advice would be to set up a universal
security group called LocalAdmin in AD. Add the users you wish to it

Use this in a batch file assigned as a startup script via GPO...

net localgroup administrators DOMAIN\localadmin /add

"Lanwench [MVP - Exchange]"
< hoo.com> wrote in message
news:...
> alimk <> wrote:
>> Hi Everyone,
>>
>> I need a VB Script for adding domain users to be a member of local
>> administrators group.
>>
>> Thanks in Advance.
>
> Why does it especially need to be vbscript? A simple batch file startup
> script in a GPO will do this. My advice would be to set up a universal
> security group called LocalAdmin in AD. Add the users you wish to it
>
> Use this in a batch file assigned as a startup script via GPO...
>
> net localgroup administrators DOMAIN\localadmin /add

I would recommend that this not be done in a logon script, whether batch
file or VBScript, because normal users should not have permission and
administrator credentials should not be exposed in a logon script. Also, if
done in a logon script the task can be repeated over and over, and yet you
don't know when the task is complete for each computer. The VBScript program
has the advantage of checking first to see if the user/group needs to be
added, but unless it logs to a shared file, you still don't know when the
task is complete.

Better is to add the user or group to the local Administrators group
remotely yourself. The VBScript example I posted can be run remotely, as
long as the person is a member of the Domain Admins group, which by default
should be a member of the local Administrators group for all computers
joined to the domain. You could code a script to do this in bulk for all
computers, or computer names read from a text file.

An even better solution is to use the Restricted Groups feature of Group
Policy. Again, a domain group should be added to all local Administrators
groups, so it can be managed easily in AD. See these links for details:

http://support.microsoft.com/kb/279301

http://technet.microsoft.com/en-us/l...31(WS.10).aspx

http://support.microsoft.com/kb/810076

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Richard Mueller [MVP] <rlmueller-> wrote:
> "Lanwench [MVP - Exchange]"
> < hoo.com> wrote in
> message news:...
>> alimk <> wrote:
>>> Hi Everyone,
>>>
>>> I need a VB Script for adding domain users to be a member of local
>>> administrators group.
>>>
>>> Thanks in Advance.
>>
>> Why does it especially need to be vbscript? A simple batch file
>> startup script in a GPO will do this. My advice would be to set up a
>> universal security group called LocalAdmin in AD. Add the users you
>> wish to it Use this in a batch file assigned as a startup script via
>> GPO...
>>
>> net localgroup administrators DOMAIN\localadmin /add
>
> I would recommend that this not be done in a logon script,

Nor I - that's why I suggested a startup script. Users will never see it.
(and this wouldn't work in a login script anyway because it would run in the
user context, and require that the user have admin rights). It isn't the
most elegant solution, but it sure is simple.

> whether
> batch file or VBScript, because normal users should not have
> permission and administrator credentials should not be exposed in a
> logon script. Also, if done in a logon script the task can be
> repeated over and over, and yet you don't know when the task is
> complete for each computer.

Yes, true for a startup script as well, but this is such a simple thing that
it doesn't hurt anything to re-add. The only thing that will happen when you
run the command is that it will say (not visible to anyone) that the group
is already a member of the group, and move on. It takes no time at all. And
it ensures that any new PC added to the domain will get this setting.

> The VBScript program has the advantage of
> checking first to see if the user/group needs to be added, but unless
> it logs to a shared file, you still don't know when the task is
> complete.
> Better is to add the user or group to the local Administrators group
> remotely yourself. The VBScript example I posted can be run remotely,
> as long as the person is a member of the Domain Admins group, which
> by default should be a member of the local Administrators group for
> all computers joined to the domain. You could code a script to do
> this in bulk for all computers, or computer names read from a text
> file.
> An even better solution is to use the Restricted Groups feature of
> Group Policy. Again, a domain group should be added to all local
> Administrators groups, so it can be managed easily in AD. See these
> links for details:

Yes, that's a very good option. The reason I don't generally use it is that
I
sometimes want different PCs to have different local group membership.
>
> http://support.microsoft.com/kb/279301
>
> http://technet.microsoft.com/en-us/l...31(WS.10).aspx
>
> http://support.microsoft.com/kb/810076
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net

BTW, I generally bow before your scripting prowess, you know. :-)