Adding a user to the local Administrators group windows 7

    Question

  • I currently have a script that we used with our XP machines that is erroring out in Windows 7.  The current script in XP does the following.

    1. Adds the current user that is logged in to the local administrators group.

    2. Removes Domain Users from the Administrators group.

    3. Then the script deletes itself.

    The script works in XP but not Windows 7.

    I have verified that Domain Users is a member of the Local Administrators group.

    Here are some details on the error code we are getting:

    Access Denied Code 80070005
    Line 35
    Char 1
    Source: Active Directory

    Any help would be greatly appreciated!


    ' This script manages user membership to the local computers
    ' administrators group. It will add the current user as a member
    ' of the administrators group, remove "domain users" if a member
    ' then the script self destructs
    ' Last updated: 12/17/2008

    ' add current user to local administrators group
    Set GoGo = CreateObject("WScript.Network" )

    ' enumerates current users username, domain name, and computer name
    cUser = GoGo.username
    sNetBIOSDomain = GoGo.UserDomain
    cNode = GoGo.ComputerName

    Set lGroup = GetObject("WinNT://" & cNode & "/Administrators,group" )
    Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & cUser & ",user" )
    ' sets user helpdesk as a member of local "administrators" group
    Set sUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & "helpdesk" & ",user" )

    ' suppress errors in case the user is already a member
    On Error Resume Next
    lGroup.Add(oUser.ADsPath)
    lGroup.Add(sUser.ADsPath)
    On Error Goto 0

    ' Remove "domain users" from local "administrators" group
    ' Loop through all members of the group
    For Each gMember In lGroup.Members
        ' Get the name and make it lowercase
        sGroupEntry = LCase(gMember.Name)
        ' Find if "domain users" is a member of local "administrators" group
        If (sGroupEntry = "domain users" ) Then
            ' Remove entry from group if it exists
            lGroup.Remove gMember.ADsPath
        End If
    Next

    ' Script self-destructs :)
    Set objFS = CreateObject("Scripting.FileSystemObject")
    strScript = Wscript.ScriptFullName
    objFS.DeleteFile(strScript)


    Tuesday, July 20, 2010 3:34 PM

Answers

  • When I copy your script, line 35 is an "End If" statement. Maybe the error was raised on the "lGroup.Remove" statement. Possibly, the ADsPath should be in parentheses. Also, you can check if a prospective object is a member, using the IsMember method, before adding or removing. This avoids using "On Error Resume Next". For example, I would suggest the following:

    ' This script manages user membership to the local computers
    ' administrators group. It will add the current user as a member
    ' of the administrators group, remove "domain users" if a member
    ' then the script self destructs
    ' Last updated: 07/20/2010
    
    ' add current user to local administrators group
    Set GoGo = CreateObject("WScript.Network" )
    
    ' enumerates current users username, domain name, and computer name 
    cUser = GoGo.username
    sNetBIOSDomain = GoGo.UserDomain
    cNode = GoGo.ComputerName
    
    Set lGroup = GetObject("WinNT://" & cNode & "/Administrators,group" )
    Set oUser = GetObject("WinNT://" & sNetBIOSDomain & "/" & cUser & ",user" )
    ' sets user helpdesk as a member of local "administrators" group
    Set sUser = GetObject("WinNT://" & sNetBIOSDomain & "/helpdesk,user" )
    Set dGroup = GetObject("WinNT://" & sNetBIOSDomain & "/Domain Users,group")
    
    ' check membership.
    If (lGroup.IsMember(oUser.ADsPath) = False) Then
      lGroup.Add(oUser.ADsPath)
    End If
    If (lGroup.IsMember(sUser.ADsPath) = False) Then
      lGroup.Add(sUser.ADsPath)
    End If
    
    ' Remove "domain users" from local "administrators" group
    If (lGroup.IsMember(dGroup.ADsPath) = True) Then
      lGroup.Remove(dGroup.ADsPath)
    End If
    
    ' Script self-destructs :) 
    Set objFS = CreateObject("Scripting.FileSystemObject")
    strScript = Wscript.ScriptFullName
    objFS.DeleteFile(strScript)
    

     

    The above is not tested. As noted, on newer OS's, any administrative script must be run using "Run as administrator" or you will not have permissions. I launch a command prompt using "Run as administrator" to run scripts that need administrator privileges. Of course, the person running this script must already be a member of the local administrators group in order for it to work, so I assume that is why the group "Domain Users" is a member. By default, the group "Domain Admins" should be a member. I prefer to make a domain group a member of the local Administrators group on all computers (rather than individual users), then I can manage the membership of this group in AD. No need to run something on every computer. Another option is the Restricted Groups feature of Group Policy, which can manage local group membership automatically. For more on Restricted Groups, see these links:

    http://support.microsoft.com/kb/279301

    http://technet.microsoft.com/en-us/library/cc756802(WS.10).aspx

    Richard Mueller


    MVP ADSI
    Tuesday, July 20, 2010 6:12 PM
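    The same membership logic in PowerShell, as an added example that is not code from this thread or from Richard's answer. It uses the same WinNT ADSI provider as the VBScript, so it runs on Windows 7 (PowerShell 2.0) without the newer local-group cmdlets, and it checks for UAC elevation up front so the 0x80070005 Access Denied from the question shows up as a clear message instead of a failed COM call. Assumed, not from the thread: the function names, the before/after membership listing, and that the extra account is named helpdesk and the group to remove is Domain Users.

```powershell
# Added example, not code from the original thread. PowerShell port of the
# membership logic in the accepted answer, using the same WinNT ADSI provider
# so it works on Windows 7 / PowerShell 2.0.
# Assumptions: the extra account is 'helpdesk' and the group to drop is
# 'Domain Users' (both from the thread); the prompt is already elevated.

function Test-IsElevated {
    # UAC: without elevation the WinNT group calls fail with 0x80070005,
    # the Access Denied the question reports. Check before touching anything.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Returns the ADsPath of every member, e.g. WinNT://DOMAIN/Domain Users,
    # so the change can be reviewed before and after it is applied.
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in $admins.Invoke('Members')) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Set-LocalAdminMembership {
    param(
        [string]$Domain,
        [string[]]$UsersToAdd,
        [string[]]$GroupsToRemove
    )
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated prompt (Run as administrator); WinNT group changes are otherwise denied (0x80070005).'
    }
    $admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

    foreach ($user in $UsersToAdd) {
        # Bind with the object class first so a mistyped name fails here, not in Add().
        if (-not [ADSI]::Exists("WinNT://$Domain/$user,user")) {
            Write-Warning "No such user: $Domain\$user"
            continue
        }
        $path = "WinNT://$Domain/$user"   # same form as oUser.ADsPath in the thread
        if ($admins.Invoke('IsMember', $path)) {
            Write-Output "Already a member: $path"
        } else {
            $admins.Invoke('Add', $path)
            Write-Output "Added: $path"
        }
    }

    foreach ($group in $GroupsToRemove) {
        $path = "WinNT://$Domain/$group"
        if ($admins.Invoke('IsMember', $path)) {
            $admins.Invoke('Remove', $path)
            Write-Output "Removed: $path"
        } else {
            Write-Output "Not a member: $path"
        }
    }
}

# Usage: add the logged-on user and 'helpdesk', drop 'Domain Users'.
Write-Output 'Before:'; Get-LocalAdminMembers
Set-LocalAdminMembership -Domain $env:USERDOMAIN `
    -UsersToAdd @($env:USERNAME, 'helpdesk') `
    -GroupsToRemove @('Domain Users')
Write-Output 'After:';  Get-LocalAdminMembers
```

    The IsMember / Add / Remove calls go through DirectoryEntry.Invoke rather than the adapted properties so the script behaves the same on PowerShell 2.0 and later; the membership paths are built without a class suffix, which is exactly what the thread's oUser.ADsPath and dGroup.ADsPath evaluate to.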

All replies

  • Are you running this script with elevated privileges? Right-click on cmd.exe and 'Run as administrator', then type cscript <path to script> and press Enter. This will open Cscript with elevated rights and likewise run your script with elevated rights.


    v/r LikeToCode....Mark the best replies as answers.
    Tuesday, July 20, 2010 5:32 PM
  • That worked!  What I want to do is put the script in the startup folder so it runs when the next user logs on. We distribute a couple hundred laptops at a time and it is much more efficient to add the script beforehand than to add each user manually. Is there any way I can have the script run with elevated privileges from the startup folder? C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

     

    Thank you very much for the reply!
    Tuesday, July 20, 2010 6:19 PM
  • Startup scripts are run under the Local System account, and they have the full rights that are associated with being able to run under the Local System account.

    http://technet.microsoft.com/en-us/library/cc770556.aspx


    v/r LikeToCode....Mark the best replies as answers.
    Tuesday, July 20, 2010 6:36 PM
  • When I add the script to the startup scripts, it still fails. I think I found a workaround though. I copied the script to the Default user's desktop and found a way to add "Run as Administrator" to the context menu when you right-click on the script. I am going to have the users right-click the script and Run as Administrator. It seems to work.


    Here is where i found the registry setting to Add "Run as Administrator" to the list menu.

    http://www.howtogeek.com/howto/windows-vista/add-run-as-administrator-to-any-file-type-in-windows-vista/

    If you have any other ideas let me know.

    Thanks!

    Wednesday, July 21, 2010 2:01 PM
  • Dooah!! I was not paying attention in my previous post, of course a Startup script would fail since it is executed prior to a user logon. The cUser, sNetBIOSDomain, and cNode would have no values. What you could do is set this script somewhere on the PC and then create a Scheduled Task with a Trigger of At Log On and Run with the SYSTEM account and Run with highest privileges. This task could then run the script. If you can't pre-configure the task prior to imaging then you may be able to configure the task with a Startup Script and using SchTasks.exe.
    v/r LikeToCode....Mark the best replies as answers.
    Wednesday, July 21, 2010 2:34 PM
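    The scheduled-task approach in the last reply, as an added example that is not code from this thread: it registers the task with SchTasks.exe (trigger At log on, run as SYSTEM, highest privileges), then reads the task back so the principal and the command line can be verified, and can remove it again. The task name and the script path C:\Scripts\LocalAdmin.vbs are placeholders chosen here, not values from the thread. One caveat the thread does not spell out: under /RU SYSTEM the VBScript's WScript.Network.UserName returns the computer account rather than the person logging on, so the user-lookup part of the script would need to change before this arrangement does what the question asks; the example only handles the task registration.

```powershell
# Added example, not code from the original thread. Registers the logon task
# described in the last reply using schtasks.exe and verifies it.
# Placeholders (not from the thread): task name and script path below.

$TaskName   = 'LocalAdminMembership'        # placeholder
$ScriptPath = 'C:\Scripts\LocalAdmin.vbs'   # placeholder

function Register-LogonTask {
    param([string]$Name, [string]$Script)
    if (-not (Test-Path -LiteralPath $Script)) {
        throw "Script not found: $Script"
    }
    # //B (batch mode) suppresses script dialogs so an unattended task never
    # hangs on a popup; //Nologo keeps the cscript banner out of the log.
    $action = "cscript.exe //B //Nologo `"$Script`""
    & schtasks.exe /Create /TN $Name /TR $action /SC ONLOGON /RU SYSTEM /RL HIGHEST /F
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks /Create failed with exit code $LASTEXITCODE"
    }
}

function Get-LogonTaskInfo {
    # Parses the verbose LIST output of schtasks /Query into a hashtable,
    # e.g. $info['Run As User'] and $info['Task To Run'].
    param([string]$Name)
    $out = & schtasks.exe /Query /TN $Name /V /FO LIST 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    $info = @{}
    foreach ($line in $out) {
        if ($line -match '^\s*([^:]+):\s+(.*)$') {
            $info[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $info
}

function Unregister-LogonTask {
    param([string]$Name)
    & schtasks.exe /Delete /TN $Name /F
}

# Usage: register, then confirm who the task runs as and what it launches.
Register-LogonTask -Name $TaskName -Script $ScriptPath
$task = Get-LogonTaskInfo -Name $TaskName
if ($null -eq $task) { throw "Task $TaskName was not found after creation" }
Write-Output "Run As User : $($task['Run As User'])"
Write-Output "Task To Run : $($task['Task To Run'])"
Write-Output "Schedule    : $($task['Schedule Type'])"
# Unregister-LogonTask -Name $TaskName   # cleanup when the rollout is finished
```

    Because this is a SYSTEM-level task that changes local Administrators membership at every logon, the Get-LogonTaskInfo output is also what an auditor would want to capture from each laptop: the task exists, its principal is SYSTEM, and its command line points at the expected script path.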