    Before we apply policies on our domain, we add each domain user to the
    local admin group. Now we need to reverse this and add them to a local
    special users group, and apply the new policies.
    Is there a way to automate this? Is there a script we can create and add to
    the new policies?
    Doing this on every computer would be very time consuming. Besides, some
    of the machines are located in different branches through the US.
    Any help would be very much appreciated
    Ben Fernandes
  2. Hi

    Assuming you have an Active Directory domain, you could put the script
    below in a computer startup script (with a GPO) that runs as part of
    the boot up process (before the user logs in). It runs under the system
    context and has admin rights.

    Set oWshNet = CreateObject("WScript.Network")
    sNode = oWshNet.ComputerName

    ' group name to add user to
    Set oGroupAdd = GetObject("WinNT://" & sNode & "/Power Users")

    ' group name to remove user from
    Set oGroupRmv = GetObject("WinNT://" & sNode & "/Administrators")

    ' loop through all members of the Administrators group
    ' (separate loop variable so the group object is not overwritten)
    For Each oMember In oGroupRmv.Members
        If oMember.Class = "User" Then

            On Error Resume Next ' implicit Err.Clear

            ' try to connect to user object to see if account is a local user
            Set oUser = GetObject("WinNT://" & sNode & "/" _
                & oMember.Name & ",user")

            If Err.Number <> 0 Then
                ' user is not local!

                ' add user to other group
                oGroupAdd.Add oMember.ADsPath

                ' remove user from group
                oGroupRmv.Remove oMember.ADsPath

            End If

            On Error Goto 0 ' restore normal error handling
        End If
    Next
    Torgeir Bakken (MVP), Feb 14, 2005
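
The same demotion as an added PowerShell example (not part of the post above), assuming Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets. The function name `Move-DomainUserFromLocalAdmins` is hypothetical; it supports `-WhatIf` so the membership change can be reviewed on a machine before the startup script enforces it.

```powershell
# Added example: move domain user accounts out of the local Administrators
# group into another local group. The function name is hypothetical.
function Move-DomainUserFromLocalAdmins {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$TargetGroup = 'Power Users',     # group named in the post
        [string]$SourceGroup = 'Administrators'
    )

    # Direct user members that come from Active Directory only. Local accounts
    # and member groups are left untouched, as in the VBScript above.
    $members = Get-LocalGroupMember -Group $SourceGroup -ErrorAction Stop |
        Where-Object { $_.ObjectClass -eq 'User' -and
                       $_.PrincipalSource -eq 'ActiveDirectory' }

    # SIDs already present in the target group, so a second run is harmless.
    $inTarget = @(Get-LocalGroupMember -Group $TargetGroup -ErrorAction Stop |
        ForEach-Object { $_.SID.Value })

    foreach ($m in $members) {
        $action = "Move from $SourceGroup to $TargetGroup"
        if (-not $PSCmdlet.ShouldProcess($m.Name, $action)) { continue }

        # Add first, so a failure never leaves the account in neither group.
        if ($inTarget -notcontains $m.SID.Value) {
            Add-LocalGroupMember -Group $TargetGroup -Member $m -ErrorAction Stop
        }
        Remove-LocalGroupMember -Group $SourceGroup -Member $m -ErrorAction Stop

        # One record per moved account, for the startup-script log.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Account  = $m.Name
            MovedTo  = $TargetGroup
        }
    }
}

# Dry run: report what would change without modifying any group.
Move-DomainUserFromLocalAdmins -WhatIf
```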
