Adding groups to local administrators via vbs login scripts

Status
Not open for further replies.

cainecabe

MIS
Aug 5, 2004
US
We have AD2003 implemented and clients getting login scripts from GPOs. We have the script in UserConfig/WindowsSettings/Scripts - Startup. It runs, but I have the problem below.
Here is the VB code I have created so far.

On Error Resume Next
wi = "domain\nypak-workstation installers"
Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")
Call wshshell.run("cmd.exe /C net localgroup administrators " & wi & " /add")
'call wshshell.run("cmd.exe /C net localgroup administrators domain\domain admins /add")
call wshshell.run("cmd.exe /C net localgroup administrators domain\a1migrator /add")

Problem is, the script only works for the domain\a1migrator line. The other two lines fail no matter what I do. It seems to be the spaces causing the issue, though. How should I be structuring this script?




Thanks,
 
Why don't you create a Group Policy that creates a Global group in the local administrators group? It's far easier than putting a script together.

I use a global group called Installers, then in my GPO I put it in the Machine Policy under Security Settings and click on Restricted Groups, then you can add what you like in the global group.


 
I would try putting the domain and group name in either single or double quotes, one of them should work. You may have to Escape double quotes if that's what works...

Example, for double quotes:

call wshshell.run("cmd.exe /C net localgroup administrators ""domain\domain admins"" /add")

alternatively, this might work:

call wshshell.run('cmd.exe /C net localgroup administrators "domain\domain admins" /add')

For single quotes, just add it to the command. Example:

call wshshell.run("cmd.exe /C net localgroup administrators 'domain\domain admins' /add")

Also, look into the LDAP object which should allow you to put members into groups programmatically rather than using shell commands.
 
I will admit I am new to this, so here goes my question...

How would I accomplish this via LDAP?

I have tried the above suggestions to no avail.

Thanks,
 
Since you're new to this, the LDAP method may be a little too difficult.

The GPO option is the best way, but if that doesn't work, then try your method from a command line. I did and it works, it looks like you'll need to use the double quotes. Example:

net localgroup administrators "domain\domain admins" /add

The above command should work (as long as the domain is correct). If you can't get it to work from the command line, then it won't work from the script.

Once you get the above command to work, then work it into your script. Since double quotes (") need to be used, you will have to work around it somehow from within the script like the examples I gave you before. One of them should work. Here they are again:

call wshshell.run("cmd.exe /C net localgroup administrators ""domain\domain admins"" /add")

- OR -

call wshshell.run('cmd.exe /C net localgroup administrators "domain\domain admins" /add')
 
When I use this one in the VBS login script:
call wshshell.run("cmd.exe /C net localgroup administrators ""domain\domain admins"" /add")
it doesn't add it to the local administrators group. When I do:
net localgroup administrators "domain\domain admins" /add
from the command line, it works.
When I do:
call wshshell.run('cmd.exe /C net localgroup administrators "domain\domain admins" /add')
it comments out everything after the '.

Also,
one of the groups we want to add as well is named "nypak-workstation installers". When I do it via the command line it gives me a syntax error, as if it's too long, because if I type nypak-workstation, just to see, it says the group doesn't exist, as if it wants to add it.

Any ideas?

Thanks,
 
If the group name has a space in it like nypak-workstation installers then put it in double quotes too. See if that solves your group problem.

There could be permission problems here too. If the user that is logging in to the workstation does not have permissions to add members to the group, then the command will fail. Maybe this is what's happening when you try running from the login script and it doesn't work. Do you get any error messages?

 
Even if I try to add the nypak-workstation installers group to the local admin group via the command line, it fails with a syntax error. Is it possible that it is just too long? Also, the login script runs as the user logs on, so it will be using that user's current rights, and if they don't have any then they can't add anyone to the local admin group. Is there a runas type thing for VBS? I used to script with an app called WinBatch and it did, but how would I accomplish that in my VBS login script?

Thanks,
 
I am at a loss here... If I cannot add a global group to the local administrators group of our users' machines at logon via the command line, how will I be able to accomplish it? I get syntax errors when doing it via the command line that can only point to the length being the problem? Is there a way around this? Quotes do not work no matter how I try, but a shorter named group (domain admins) does, illustrating that the other group (nypak-workstation installers) must be too long. Also, the users logging in will not have the rights to add anyone to the local administrators group, so my next question is, how do I utilize the run as functionality in the script? Or is there a better way to accomplish that?


Thanks,
 
OK, I was finally granted approval to rename the group in question to a shorter name and voilà, all 3 groups now populate the local administrators group.
How can I do this on machines where the user does not have local administrative rights? I assume the script will run with the logged-on user's rights, right? Does anyone know the syntax to utilize run as functionality?


Thanks,
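
The programmatic route suggested earlier in the thread, sketched with the ADSI WinNT provider (local groups are not LDAP directory objects). This is an added example and not part of any original post. Names are handed to the provider as strings, so spaces need no cmd.exe quoting. Assumptions: the script is assigned as a computer Startup script, which runs as the local system account rather than the logged-on user; the local group is named Administrators (English Windows); DOMAIN is a placeholder for the real domain name.

```vbscript
Option Explicit

' Assumed values, not taken from the thread: DOMAIN is a placeholder for the
' NetBIOS domain name, and the local group is the English "Administrators".
Const DOMAIN_NAME = "DOMAIN"
Const ALREADY_MEMBER = &H80070562   ' Win32 error 1378: account is already a member
Const EVT_ERROR = 1                 ' WshShell.LogEvent type: error
Const EVT_INFO = 4                  ' WshShell.LogEvent type: information

Dim shell, network, admins, principal
Set shell = CreateObject("WScript.Shell")
Set network = CreateObject("WScript.Network")

' Bind to the local Administrators group of the machine running the script.
Set admins = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")

' The three principals named in the original script.
For Each principal In Array("nypak-workstation installers", "domain admins", "a1migrator")
    AddDomainPrincipal admins, principal
Next

Sub AddDomainPrincipal(localGroup, name)
    Dim adsPath
    ' The name never passes through a command line, so no quoting is needed.
    adsPath = "WinNT://" & DOMAIN_NAME & "/" & name

    ' Trap errors only around the one call that can fail, and record the
    ' outcome instead of discarding it with a script-wide On Error Resume Next.
    On Error Resume Next
    localGroup.Add adsPath
    Select Case Err.Number
        Case 0
            shell.LogEvent EVT_INFO, "Added " & adsPath & " to local Administrators"
        Case ALREADY_MEMBER
            ' Already present: nothing to do on repeat runs.
        Case Else
            shell.LogEvent EVT_ERROR, "Adding " & adsPath & " failed: 0x" & _
                Hex(Err.Number) & " " & Err.Description
    End Select
    On Error GoTo 0
End Sub
```

Failures such as access denied appear in the Application event log of the workstation, which answers the "do you get any error messages?" question for a script that runs without a visible console.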
 