Adding Domain Group to Local Admin Group

Status
Not open for further replies.

ALLM

Technical User
Aug 11, 2009
14
US
I have a script I got from a scripting guy and he swears this works for him, but I continue to get an error when the startup script runs on the workstations saying the error is on "Line 16, Char 1". I can run this interactively when logged on with Admin permissions without error. So right now this is configured in AD as a Computer Object GPO to run as a StartUp Script, so running with SYSTEM account privileges. Can anyone help me get this to work please? Thanks in advance. The script is below.

---------- BEGIN SCRIPT

Set objWshNet = CreateObject("WScript.Network")

strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Configure to add a domain group to the Local Administrators Group

strUser = "Desktop Support"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")

' We actually add the user or group here, if not already a member of the local
' Administrators group

If Not objGroup.IsMember(objUser.ADsPath) Then
objGroup.Add(objUser.ADsPath)
End If

----------- End Script
 
where is line 16?

this bind assumes that the 'local system' account has rights to bind to a domain group, fingers crossed it does
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")

i would advise putting some debugging information before and after every action you take in your script, get it to log to a log file locally, this will make identifying your issue possible. you could consider running the script from an AT cmd shell you launch as this will be running under the local system context and you can run as cscript.exe and thus get error messages displayed
 
Sorry, Line 16 at the time was:

Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")



 
The "SYSTEM" account does have the proper permissions as well.
 
strDomain = objWshNet.UserDomain

what does strDomain turn out to be in your case?
if the script is running under local system context what will the .UserDomain for it be? perhaps it will be the same as strComputer.

you really need some logging or at least echoes and run it so that you can see what is really happening
 
not that it <nothing.atall>really</nothing.atall> matters but you seem to refer to a group as a user or the other way round...

strUser = "Desktop Support"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")
 
If you run it as the computer's startup script, there is a problem. Rather than binding to the domain group and retrieving its adspath, write its adspath directly. Try this.
[tt]
strUser = "Desktop Support"
sgroup_adspath="WinNT://" & strDomain & "/" & strUser

'Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")

' We actually add the user or group here, if not already a member of the local
' Administrators group

If Not objGroup.IsMember(sgroup_adspath) Then
objGroup.Add(sgroup_adspath)
End If
[/tt]
 
Tsuji,
I tried your recommended changes and it runs fine when logged on with a local admin account but at startup it returns an error:

"An invalid directory pathname was passed"

referring to the statement line:

"objGroup.Add(sgroup_adspath)"

Thoughts?
 
the ability to add a user or group from a domain into a local group still depends on the ability to browse/search AD? well i would think so if it prompts you for cred when you try this in the GUI.

my question relating to strDomain's value is still relevant, whether it is used as the bind or the explicit string as tsuji suggests. tsuji's approach will ultimately save you time which is precious (time not tsuji's suggestion). there might be some mileage on the bind but only to prove that you do indeed have permissions.

besides, the value of strDomain is still critical, and your latest post with regards the error message only serves to highlight this.

please do yourself a favour and implement some logging in your scripts, it will save you lots of time and headache in the future
 
Has the computer joined the domain? (Check strDomain, too.)
 
Tsuji,
Yes, it is a member of the domain.

MrMovie,
Sorry, I'm new at the VBScript arena, how can I write something in to log this?

Back to the strDomain question, what are you looking for here, the actual Domain name?
 
To verify the concept, use the net command and see if it goes through.
[tt]
'replacing the part of involving the domain group
set wshshell=createobject("wscript.shell")
wshshell.run "%comspec% /c net localgroup Administrators /add " & chr(34) & strDomain & "\" & strUser & chr(34),0,true
set wshshell=nothing
[/tt]
What happens with it?
 
Tsuji/mrmovie,
So I started over and referred back to a MS Scripting Guy article talking to this but I swear this wasn't working yesterday...
Link to the article:

Actual Script:


strComputer = "."

Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
Set objGroup = GetObject("WinNT://fabrikam/accounting")

objAdmins.Add(objGroup.ADsPath)

_____________________

This is working correctly, just need to do a membership check first. As it is now, it will throw an error up if the group already exists in the local administrators group.

Thoughts/Comments?

BTW - I appreciate you two helping me with this.
 
Checking membership is not a problem and surely has to be done as a matter of course. To get your message right, do you mean it works now? As a startup script?
 
Yes, the script in my last thread is working as a StartUp GPO Script.

 
Okay, the question is done then. (But why would my use of sgroup_adspath provoke an error? Is it not the same as objUser.adspath with less assumption on the domain computers group's membership on the controller! I can't believe it! Just for myself, don't worry.)
 
i am only guessing but

Set objWshNet = CreateObject("WScript.Network")
strDomain = objWshNet.UserDomain

when this is run under the local system user context perhaps this is resulting in the name of the local computer rather than the domain the computer is a member of
 
with regards to the logging you could consider the following

Set FSO = CreateObject("Scripting.FileSystemObject")
Set objTS = FSO.CreateTextFile("somefolder\somefile.log", True)
objTS.WriteLine Now() & " start of scripting"

' ....
sgroup_adspath="WinNT://" & strDomain & "/" & strUser
objTS.WriteLine Now() & " attempting to bind to " & sgroup_adspath
' ....
' ....
'did the group add work?
If blnAdded = True Then
intReturn = 0
Else
intReturn = 1
End If

objTS.WriteLine Now() & " script result = " & CStr(intReturn)
objTS.Close
Set objTS = Nothing
Set WshShell = Nothing
Wscript.Quit intReturn
 
Yes, I think we're done here. Thanks again.
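
The pieces discussed in this thread combined into one startup script (the hard-coded bind from the working script, the membership check, and file logging), as an added example that is not any poster's code. The domain, group and log path are constructed placeholders, and the script records UserDomain so the open question about its value under the SYSTEM context can be answered from the log.

```vbscript
Option Explicit
' Constructed placeholders: replace with your own domain, group and log path.
Const DOMAIN_NAME = "fabrikam"
Const GROUP_NAME = "accounting"
Const LOG_FILE = "C:\Windows\Temp\localadmin.log"

Dim objFSO, objLog, objNet, objAdmins, objGroup, blnMember, intReturn
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_FILE, 8, True) ' 8 = ForAppending, create if missing
intReturn = 1

On Error Resume Next
' Record what the script actually sees in the context it runs under.
Set objNet = CreateObject("WScript.Network")
LogLine "ComputerName=" & objNet.ComputerName & " UserDomain=" & objNet.UserDomain
Err.Clear

Set objAdmins = GetObject("WinNT://./Administrators")
If Failed("bind to local Administrators") Then Finish
Set objGroup = GetObject("WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME)
If Failed("bind to " & DOMAIN_NAME & "/" & GROUP_NAME) Then Finish
' Evaluate IsMember into a variable first: an error raised inside an If
' condition under On Error Resume Next would fall into the Then branch.
blnMember = objAdmins.IsMember(objGroup.ADsPath)
If Failed("IsMember check") Then Finish

If blnMember Then
    LogLine "already a member, nothing to do"
Else
    objAdmins.Add objGroup.ADsPath
    If Failed("Add") Then Finish
    LogLine "added " & objGroup.ADsPath
End If
intReturn = 0
Finish

' Logs and clears any pending error; returns True if the last step failed.
Function Failed(strStep)
    Failed = (Err.Number <> 0)
    If Err.Number <> 0 Then LogLine strStep & " failed: 0x" & Hex(Err.Number) & " " & Err.Description
    Err.Clear
End Function

Sub LogLine(strMsg)
    objLog.WriteLine Now() & " " & strMsg
End Sub

Sub Finish()
    LogLine "script result = " & CStr(intReturn)
    objLog.Close
    WScript.Quit intReturn
End Sub
```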
 