Startup script again

    Question

  • Hi, I am from Spain, excuse my bad English

    I recently posted a question about a script, but this is another error in my script

    I have a startup script to add a domain group to the local administrator group

    I have an English OS and a Spanish OS

    When the script runs on the English OS version, the line:

    Set objAdmins = GetObject("WinNT://" & strComputer & "/Administradores")

    says the group does not exist because "Administradores" (in Spanish) does not exist

    How can I check if this local group exists to avoid this error?

    Thanks again for all

    Monday, December 10, 2012 11:06 PM

Answers

  • Instead of using a script to add domain admin to the local admin group of client computers, you can use restricted group policy. Ensure that the restricted group policy is configured correctly, else it will not only add the required members to local Administrators, but it will remove any members that were in local Admins previously. Select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines.

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    http://www.frickelsoft.net/blog/?p=13

    Alternately you can set a startup script in group policy with the following line:
    NET localgroup Administrators /add "domain_name\domain_group"
    That's it....the next time the computers are started, the group will be added to the local admin group.

    Hope this helps

     

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, December 11, 2012 1:25 AM
  • Hi,

    Agree with Sandesh: you can use restricted group or the net localgroup /add command to add domain users to the local admin group. You can use the net localgroup administrators command on the computer to verify the group exists. Be sure to input the computer and group name correctly.

    Scripts to manage Local Groups
    http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/localgroups/

    Regarding scripting issues, you can also ask for help in the official Scripting Guys forum:
    http://social.technet.microsoft.com/Forums/en/ITCG/threads

    Regards,
    Cicely

    Tuesday, December 11, 2012 7:50 AM
  • I agree that Restricted Groups is the way to go. However, there are ways to find the local Administrators group no matter the language, or even if the group has been renamed. The script below enumerates all local groups and finds the one with the well-known SID for the local Administrators group:

    Option Explicit

    Dim objNetwork, strComputer, objLocalGroup, objComputer, strHexSID
    Dim objDomainGroup

    Set objNetwork = CreateObject("Wscript.Network")
    strComputer = objNetwork.ComputerName

    ' Bind to the local computer object.
    Set objComputer = GetObject("WinNT://" & strComputer)

    ' Bind to the domain group.
    Set objDomainGroup = GetObject("WinNT://MyDomain/MyGroup,group")

    ' Filter on group objects.
    objComputer.Filter = Array("group")

    ' Enumerate all local Groups on the computer.
    For Each objLocalGroup In objComputer
        ' Retrieve SID and convert to hex string.
        strHexSID = OctetToHexStr(objLocalGroup.objectSID)
        ' Check for well known hex SID for local Administrators group.
        If (strHexSID = "01020000000000052000000020020000") Then
            ' Check if domain group already a member.
            If (objLocalGroup.IsMember(objDomainGroup.ADsPath) = False) Then
                ' Add the domain group as member.
                objLocalGroup.Add(objDomainGroup.ADsPath)
            End If
            Exit For
        End If
    Next

    Function OctetToHexStr(ByVal arrbytOctet)
        ' Function to convert OctetString (Byte Array) to a hex string.

        Dim k

        OctetToHexStr = ""
        For k = 1 To Lenb(arrbytOctet)
            OctetToHexStr = OctetToHexStr _
                & Right("0" & Hex(Ascb(Midb(arrbytOctet, k, 1))), 2)
        Next

    End Function

    -----



    Richard Mueller - MVP Directory Services

    Tuesday, December 11, 2012 2:07 PM

All replies

  • If you wanna follow the path of using a script, you can run a check to see what OS language the client running the script has.

    Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2") 
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem") 
    
    For Each objItem In colItems 
       strlanguage = objItem.OSLanguage 
    
       If strlanguage = "1033" Then
          ' 1033 = en-us
          Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
       ElseIf strlanguage = "1034" Then
          ' 1034 = es-es
          Set objAdmins = GetObject("WinNT://" & strComputer & "/Administradores")
       End If
    Next

    Tuesday, December 11, 2012 1:43 PM