Create a group in Active Directory based on computer name
-
Saturday, May 12, 2012 1:00 PM
Hi, I need some support to create a script. Please help.
When this script runs on a local PC, it will find the computer's name and create a group in Active Directory based on the computer's name and a fixed prefix: [CLI]_[Computer]@[DomainName]
E.g.:
Client PC name: Client001
Domain name: Microsoft.com
OU: CLIENTS
The group would be called CLI_Client001@Microsoft.com
This user group in Active Directory would then be added to a local group on the computer that runs the script.
Thanks.
All Replies
-
Saturday, May 12, 2012 1:06 PM
You've told us what the script will do. Who's going to write it?
Grant Ward, a.k.a. Bigteddy
-
Saturday, May 12, 2012 3:05 PM Moderator
Some thoughts:
- You want to create one domain group for each computer? One group per computer is a lot to manage. Will the membership be different for each group? Will the permissions granted to each group be different? If not, it seems like one group would work.
- There probably is no need to run the script on the computer. You can create the groups yourself from any computer joined to the domain. You can even query AD for all computer names and create the groups in bulk. Or, you can create the groups based on a text file of computer names.
- Adding the new domain group to a local group on the computer can also be done remotely, by a user that is a member of "Domain Admins" (since by default "Domain Admins" is a member of the local Administrators group on every computer joined to the domain). This can also be done in bulk, even by the same script that creates the domain groups.
- Whoever runs the script needs permission to create groups in AD, and to add the new domain group to a local group. Normal users cannot.
Maybe it would help for us to know what problem you are attempting to solve.
Richard Mueller - MVP Directory Services
-
Saturday, May 12, 2012 6:04 PM
Hi Richard,
Thanks for your reply,
The purpose is to have a unique user group in the domain for each machine, named LocalAdmin_[ComputerName].
Example: LocalAdmin_ClientPC01, LocalAdmin_ClientPC02, LocalAdmin_ClientPC03
This group would be created in the domain if it does not exist and added to Administrators on that local machine.
This allows admin access to be given to individual machines within the domain without having to give full admin to a group of machines.
This can then be managed within the domain without the need for the administrator to connect to the PC and set local admin access.
-
Saturday, May 12, 2012 6:12 PM
If someone makes me a local admin for one minute I can give myself permanent access administratively. A trojan or virus can also do this just as easily.
This is an old method that has proven to be unnecessary and quite dangerous. Are you really sure you want to do this?
As Richard posted, it would be far easier to do this remotely. It would also be easier to write a script that adds the user to the local admins group and then removes them. The removal can be scheduled so it occurs quickly.
Another easy method is to place a single utility account in each PC's local admin group and use a script to enable and disable this account as well as assign a password. This would help to keep an infected user account from infecting the whole machine and prevent admin rights from infecting the user account with even more terrible things.
Internet access should also be restricted for the temp admin account. This can be easily accomplished with Group Policy.
¯\_(ツ)_/¯
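jrv's suggestion above (add the user to the local Administrators group, then schedule the removal so it happens quickly) as an added PowerShell example; this is not code from the thread. It assumes Windows 8/Server 2012 or later for the LocalAccounts and ScheduledTasks modules, runs elevated on the target PC, and uses CONTOSO\jdoe and a 30-minute window as placeholder values.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): grant temporary local Administrators membership on this
# PC and schedule its removal. Placeholders: CONTOSO\jdoe and the 30-minute default.
param(
    [Parameter(Mandatory)][string]$Member,   # e.g. 'CONTOSO\jdoe'
    [int]$Minutes = 30
)

$group    = 'Administrators'
$taskName = 'RevokeLocalAdmin_' + ($Member -replace '[\\@]', '_')

# Grant. Idempotent: re-running only re-registers the removal task with a new deadline.
$already = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -ieq $Member }
if (-not $already) { Add-LocalGroupMember -Group $group -Member $Member }

# Revoke. A one-shot scheduled task running as SYSTEM removes the member and then deletes
# itself, so revocation does not depend on anyone being logged on or remembering to do it.
$revoke = "Remove-LocalGroupMember -Group '$group' -Member '$Member' -ErrorAction SilentlyContinue; " +
          "Unregister-ScheduledTask -TaskName '$taskName' -Confirm:`$false"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -Command `"$revoke`""
$trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

Write-Output ("{0} is in {1} until {2:s}; task '{3}' will remove it." -f $Member, $group, (Get-Date).AddMinutes($Minutes), $taskName)
```

Saved as, for example, Grant-TempAdmin.ps1 (a hypothetical name), it is run on the PC as `.\Grant-TempAdmin.ps1 -Member 'CONTOSO\jdoe' -Minutes 15`. The scheduled task only undoes the group membership; anything done with the rights during the window (new local accounts, services, other scheduled tasks) persists, which is exactly the risk jrv describes, so the task's run history and the Security log for the window are what to review afterwards.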
-
Saturday, May 12, 2012 7:16 PM
Hi,
I've understood your need but didn't understand why you want to do it this way
(a group for each single computer). Depending on how many computers you'll target (10/100/1000/10000),
doing it this way may make no sense. From previous professional experience, I would guess this is related
to admin rights assignment mitigation, where you may need:
- to maintain an up-to-date list/inventory of who is admin on which station.
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/0145f250-cf6b-4f53-9b02-dd303cf3257f
- to easily grant/revoke admin rights for users depending on their request expiration date
If this is the case:
- for inventory, I used a scheduled job on the local deployment server
that pushes a VBS script that pulls the list of local admin users of the current station
and inserts dated results into a database.
- for grant/revoke, you can either use the old method or even extend your database and VBS script
and let it take expiration dates into consideration
Thanks.
MCTS Windows Server Virtualization, Configuration
- Edited by Yassine Souabni Saturday, May 12, 2012 7:18 PM
- Proposed As Answer by Yassine Souabni Thursday, May 17, 2012 9:43 AM
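Yassine's inventory step above (a pushed job that collects each station's local admins and stores dated results), as an added PowerShell example that is not from the thread. It assumes WinRM is enabled on the targets and that the LocalAccounts module is present on them (Windows 10/Server 2016 or later), and uses a CSV file as a stand-in for the database; the file paths and the CONTOSO\Domain Admins baseline are placeholders.

```powershell
# Added example (not from the thread): inventory local Administrators membership across a list
# of computers and append dated rows to a CSV (stand-in for Yassine's database). Placeholders:
# file paths and the expected-member baseline.
param(
    [string]$ComputerList = 'C:\Scripts\Computers.txt',
    [string]$OutFile      = 'C:\Scripts\LocalAdmins.csv',
    [string[]]$Expected   = @('CONTOSO\Domain Admins', 'Administrator')
)

$computers = Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$collected = Get-Date -Format 's'

# Fan out in parallel; unreachable hosts land in $failed instead of aborting the run.
$rows = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed `
                       -ScriptBlock {
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name                    # e.g. CONTOSO\jdoe or HOST\Administrator
            Type     = "$($m.ObjectClass)"        # User or Group
            Source   = "$($m.PrincipalSource)"    # Local, ActiveDirectory, MicrosoftAccount
        }
    }
}

$report = foreach ($r in $rows) {
    # Local accounts come back as HOST\name; drop the host so the baseline compares cleanly.
    $short = if ($r.Source -eq 'Local') { $r.Member -replace '^[^\\]+\\', '' } else { $r.Member }
    [pscustomobject]@{
        Collected = $collected
        Computer  = $r.Computer
        Member    = $r.Member
        Type      = $r.Type
        Source    = $r.Source
        Expected  = [bool]($Expected -contains $short)
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Append
foreach ($f in $failed) { Write-Warning "Could not collect from $($f.TargetObject): $($f.Exception.Message)" }

# Anything outside the baseline is what the inventory exists to surface.
$report | Where-Object { -not $_.Expected } | Format-Table Computer, Member, Type, Source -AutoSize
```

Each run appends one dated row per member per computer, so the CSV doubles as a history: diffing the rows for a computer between two Collected values shows who gained or lost local admin in between, and the Expected column turns the same data into a simple detection for members that nobody put on the baseline.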
-
Monday, May 14, 2012 2:51 AM Moderator
I'll leave the wisdom of doing this to you. If you really need a separate domain group for each computer, and each group added to the local Administrators group, it can be done in bulk with a script similar to the one below. I assume you have a text file of computer names. The trick is that to create the domain group where you want in Active Directory, you must specify the distinguished name of the OU or container and use the LDAP provider. However, to add this domain group to the local group, you must bind with the WinNT provider (the local SAM account database is not LDAP compliant). The following is not tested, and you may need to adjust for your domain name, and the naming convention for the groups:
Option Explicit
Dim strFile, objFSO, objFile, strComputer, strParent, objParent
Dim objNTGroup, objDomainGroup, objLocalAdm
Const ForReading = 1
Const ADS_GROUP_TYPE_GLOBAL_GROUP = &h2
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
' Specify file of computer names.
strFile = "c:\Scripts\Computers.txt"
' Specify the OU where the new groups will be created.
strParent = "ou=ComputerAdms,ou=West,dc=MyDomain,dc=com"
' Bind to the OU where groups are to be created (LDAP provider).
Set objParent = GetObject("LDAP://" & strParent)
' Open the file for reading.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFile, ForReading)
' Read the file.
Do Until objFile.AtEndOfStream
    strComputer = Trim(objFile.ReadLine)
    ' Skip blank lines.
    If (strComputer <> "") Then
        ' Check if domain group exists for this computer. The WinNT provider
        ' needs the class "group" here (not "computer") or the bind always fails.
        On Error Resume Next
        Set objNTGroup = GetObject("WinNT://MyDomain/LocalAdmin_" & strComputer & ",group")
        If (Err.Number <> 0) Then
            On Error GoTo 0
            ' The domain group does not exist. Create the group in the specified OU.
            Set objDomainGroup = objParent.Create("group", "cn=LocalAdmin_" & strComputer)
            ' Assign "pre-Windows 2000" name.
            objDomainGroup.Put "sAMAccountName", "LocalAdmin_" & strComputer
            ' Make the group a global security group.
            objDomainGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP Or _
                ADS_GROUP_TYPE_SECURITY_ENABLED
            objDomainGroup.SetInfo
            ' Bind to local Administrators group on the computer.
            ' Trap error if not available.
            On Error Resume Next
            Set objLocalAdm = GetObject("WinNT://" & strComputer & "/Administrators,group")
            If (Err.Number = 0) Then
                ' Bind to the new domain group using the WinNT provider. This may
                ' fail if the WinNT provider picks a domain controller that has
                ' not yet replicated the group created above; re-run later if so.
                Set objNTGroup = GetObject("WinNT://MyDomain/LocalAdmin_" & strComputer & ",group")
                If (Err.Number = 0) Then
                    On Error GoTo 0
                    ' Add the domain group to the local group.
                    objLocalAdm.Add objNTGroup.ADsPath
                Else
                    Wscript.Echo "Cannot bind to new group LocalAdmin_" & strComputer
                    Wscript.Echo "Error Number: " & Err.Number
                    Wscript.Echo "Description: " & Err.Description
                    On Error GoTo 0
                End If
            Else
                Wscript.Echo "Cannot connect to computer " & strComputer
                Wscript.Echo "Error Number: " & Err.Number
                Wscript.Echo "Description: " & Err.Description
                On Error GoTo 0
            End If
        Else
            On Error GoTo 0
            ' The domain group already exists.
            ' Bind to local Administrators group on the computer.
            ' Trap error if not available.
            On Error Resume Next
            Set objLocalAdm = GetObject("WinNT://" & strComputer & "/Administrators,group")
            If (Err.Number = 0) Then
                On Error GoTo 0
                ' Check membership before adding.
                If (objLocalAdm.IsMember(objNTGroup.ADsPath) = False) Then
                    ' Add the domain group to the local group.
                    objLocalAdm.Add objNTGroup.ADsPath
                End If
            Else
                Wscript.Echo "Cannot connect to computer " & strComputer
                Wscript.Echo "Error Number: " & Err.Number
                Wscript.Echo "Description: " & Err.Description
                On Error GoTo 0
            End If
        End If
    End If
Loop
' Clean up.
objFile.Close
-----
Richard Mueller - MVP Directory Services
- Proposed As Answer by Richard Mueller (MVP, Moderator) Tuesday, May 15, 2012 10:04 PM
- Marked As Answer by IamMred (Microsoft Employee, Owner) Tuesday, May 22, 2012 2:21 AM
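The same bulk procedure as Richard's VBScript, as an added PowerShell example that is not from the thread: the ActiveDirectory module (RSAT) does the LDAP side and Invoke-Command with the LocalAccounts cmdlets does the local SAM side. It assumes WinRM is enabled on the member computers and that they run Windows 10/Server 2016 or later, and reuses the thread's placeholders (the Computers.txt file, the OU=ComputerAdms,OU=West,DC=MyDomain,DC=com container, the LocalAdmin_ prefix, and MyDomain as the NetBIOS domain name).

```powershell
# Added example (not from the thread): PowerShell equivalent of Richard's bulk VBScript.
# Placeholders: file path, OU, prefix and NetBIOS domain name are taken from the thread.
#Requires -Modules ActiveDirectory
param(
    [string]$ComputerList  = 'C:\Scripts\Computers.txt',
    [string]$ParentOU      = 'OU=ComputerAdms,OU=West,DC=MyDomain,DC=com',
    [string]$Prefix        = 'LocalAdmin_',
    [string]$NetBiosDomain = 'MyDomain'
)

$computers = Get-Content $ComputerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($computer in $computers) {
    $groupName = "$Prefix$computer"
    $member    = "$NetBiosDomain\$groupName"

    # LDAP side: create the global security group once. -Filter returns nothing, not an error,
    # when no group matches, so this check is quiet and idempotent.
    $group = Get-ADGroup -Filter "sAMAccountName -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security `
                             -GroupScope Global -Path $ParentOU -PassThru
        Write-Verbose "Created $($group.DistinguishedName)"
    }

    # SAM side: the local Administrators group is not in LDAP, so talk to the computer itself.
    # The remote block returns a result object rather than throwing, so one unreachable or
    # misbehaving host does not stop the run.
    $result = Invoke-Command -ComputerName $computer -ArgumentList $member `
                             -ErrorAction SilentlyContinue -ScriptBlock {
        param($m)
        $out = [ordered]@{ Computer = $env:COMPUTERNAME; Added = $false; Error = $null }
        try {
            $present = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                       Where-Object { $_.Name -ieq $m }
            if (-not $present) {
                Add-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Stop
                $out.Added = $true
            }
        } catch {
            # Typical right after New-ADGroup: the DC this computer uses has not replicated the
            # new group yet, so the name does not resolve. The script is idempotent; re-run later.
            $out.Error = $_.Exception.Message
        }
        [pscustomobject]$out
    }

    if (-not $result)  { Write-Warning "Cannot connect to computer $computer"; continue }
    if ($result.Error) { Write-Warning "$($result.Computer): $($result.Error)"; continue }
    if ($result.Added) { Write-Output "$($result.Computer): added $member to Administrators" }
    else               { Write-Output "$($result.Computer): $member already a member" }
}
```

Run it from a management host as the account that owns both rights Richard lists (create groups in the target OU, and local administrator on the member computers). The replication caveat is the same one the VBScript has: when a group is created and consumed in the same pass, the member computer may ask a domain controller that has not seen the new object yet, so a second pass after replication is the normal way to pick up the stragglers.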

