Help, need a VBScript

Discussion in 'Active Directory' started by Clayton Sutton, Oct 17, 2006.

  1. Hey everyone,

    We are running a Windows 2003 domain and Win2k and Win2k3 workstations. I
    need a vbscript to add a domain acct. to the LOCAL Admin acct. to ALL of our
    workstations. Can anyone help by pointing me in the right direction where I
    can download that type of script?


    Clayton Sutton, Oct 17, 2006

  2. Hey RC,

    Thanks for the reply. However, can you explain a little more? I know how
    to do GPOs, I just need a little more info. from you.

    Clayton Sutton, Oct 17, 2006

  3. Where would I do it at?


    Clayton Sutton, Oct 17, 2006
  4. You can either use restricted groups (see for some help)

    ....or you could use a computer startup script assigned via group policy -
    such as a simple batch file using
    net localgroup Administrators DOMAIN\user_or_group /add
    Lanwench [MVP - Exchange], Oct 17, 2006
  5. You could use the restricted user group gpo setting

    computer configuration \ windows settings \ restricted groups

    group = your group to be made local admins
    member of = BUILTIN\Administrators

    There is absolutely nothing that has to be done on the client side.

    Create the gpo in the ou where the Computers reside (NOT the users), go to
    computer configuration/windows settings/security settings/restricted groups,
    right click on restricted groups and select new group (For the local
    computers, this group name should be - administrators) and key in the group
    you want auto populated. Select add on the Members of this group and then
    add the members you want populated.
    Paul Bergson [MVP-DS], Oct 17, 2006
  6. Florian Frommherz, Oct 17, 2006
  7. Paul Williams [MVP], Oct 17, 2006
  8. How about "except" servers? What if I only want to do this to Workstations?
    That way I can just setup an acct. for our help desk that they could use to
    log into workstations but NOT be able to log into my servers!

    Clayton Sutton, Oct 17, 2006
  9. No problem. Scope and/or filter the GPO to only apply to computers.

    Also consider modifying the logon locally right on the servers in question
    as by default a user can log on to a member server interactively.
    Paul Williams [MVP], Oct 17, 2006
  10. Hey Paul,

    How do you Scope/Filter the GPO?

    Clayton Sutton, Oct 17, 2006
  11. I see in Group Policy Management Console if I edit the GPO I can click on
    the "Scope" tab. I then see "Authenticated Users" under "Security

    Now how do I filter it just to apply to my workstations and NOT my servers?
    When I click the "Add..." button and change the "Object Types..." to
    "Computers", I don't see an object just for "Workstations".

    Clayton Sutton, Oct 17, 2006
  12. You can link the GPO to just the workstation/laptop OUs. Or deny/allow by
    using a WMI filter in the GPO for operating system types.

    Innovative IT Concepts, Inc (IITCI)
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Ace Fekay [MVP], Oct 18, 2006
  13. Thanks Ace, but WMI can't filter out my Win2k systems.

    Clayton Sutton, Oct 18, 2006
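
Where a WMI filter cannot be relied on for the Win2k machines, the startup-script route suggested earlier in the thread can make the workstation check itself. The script below is an added example, not code posted by anyone in the thread; the domain name EXAMPLE, the group Helpdesk-WksAdmins and the English group name Administrators are assumptions to replace with your own.

```vbscript
' Added example: computer startup script assigned via GPO (runs as Local System).
Option Explicit

Const DOMAIN_NAME = "EXAMPLE"            ' assumption: NetBIOS domain name
Const GROUP_NAME  = "Helpdesk-WksAdmins" ' assumption: domain group to grant admin
Const LOCAL_GROUP = "Administrators"     ' assumption: English-language Windows
Const EVT_ERROR = 1, EVT_INFO = 4        ' WScript.Shell LogEvent types

Dim shell, productType, network, localGroup, domainGroup, alreadyMember
Set shell = CreateObject("WScript.Shell")

' Write to the Application event log so failures are visible, then stop.
Sub Fail(msg, errNumber)
    shell.LogEvent EVT_ERROR, "AddWksAdmins: " & msg & " (0x" & Hex(errNumber) & ")"
    WScript.Quit 1
End Sub

' ProductType is "WinNT" on workstations, "ServerNT" on member servers and
' "LanmanNT" on domain controllers. The value is present on Windows 2000 too,
' so the check works where a WMI filter does not.
productType = shell.RegRead( _
    "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType")
If UCase(productType) <> "WINNT" Then
    WScript.Quit 0   ' server or DC: leave its Administrators group alone
End If

On Error Resume Next
Set network = CreateObject("WScript.Network")
Set localGroup = GetObject("WinNT://" & network.ComputerName & "/" & _
                           LOCAL_GROUP & ",group")
If Err.Number <> 0 Then Fail "cannot bind local group " & LOCAL_GROUP, Err.Number

' Binding to the domain group first confirms it exists before anything changes.
Set domainGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME & ",group")
If Err.Number <> 0 Then Fail "cannot bind " & DOMAIN_NAME & "\" & GROUP_NAME, Err.Number

' Idempotent: only add (and only log) when the group is not already a member.
alreadyMember = localGroup.IsMember(domainGroup.ADsPath)
If Err.Number <> 0 Then Fail "membership check failed", Err.Number

If Not alreadyMember Then
    localGroup.Add domainGroup.ADsPath
    If Err.Number <> 0 Then Fail "add to " & LOCAL_GROUP & " failed", Err.Number
    shell.LogEvent EVT_INFO, "AddWksAdmins: added " & DOMAIN_NAME & "\" & _
        GROUP_NAME & " to " & LOCAL_GROUP & " on " & network.ComputerName
End If
```

Unlike Restricted Groups, a script like this only adds the group; it does not remove other accounts that are already local administrators.
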
  14. If you are within scope of a GPO, it applies to you. Without any additional
    factors, such as no override, block inheritance or filtering, an object is
    within scope if it is a child, grand-child, whatever, of a container that
    has a GPO linked to it. Therefore, in the context I described, I was
    referring to you linking the GPO to an OU that contains the necessary
    workstations and not the servers.

    The other option is filtering. If your workstations and servers are in the
    same OU, or you are doing this at the site or domain level, you can add
    servers to a group and deny that group the ability to apply the GPO.

    Note. Filtering is only applicable if the user or computer objects that are
    members of the group that you have filtered are within scope. It is of no
    consequence where the group in question resides, as GPOs do not apply to

    If you consider scope out of the default context, then if things are
    filtered or excluded because of a WMI filter (a WQL query) then these are
    also scoped out. The term can be ambiguous under certain circumstances.
    Paul Williams [MVP], Oct 18, 2006
  15. Thanks everyone for your help, I think I have enough to get started!

    Clayton Sutton, Oct 18, 2006
