
Force domain users into local XP group

Status
Not open for further replies.

amwoolf

IS-IT--Management
Aug 31, 2005
30
Does anyone know if there is a way, using GPO or AD, to force a domain user(s) into the local Power User group on an XP computer? I don't want to have to visit each computer to do this. Thanks.
 
Thanks. I found this article and, from what it says, it should work. However, it doesn't really tell me how to accomplish this. Other than setting up a GPO with Restricted Groups, I don't know what to do.

I can create the Restricted Groups and add in a couple of userids, but how do I specify that these should be part of the Power Users group on the local computer? When I tried to set this up I didn't see any way to specify this - but maybe I missed something.

Thanks.
 
Here is the addusers.vbs script that does exactly that:


' ----------------------------------------------------------------------
' // -- This notice must stay in place --
' //
' // Copyright (c) 2000, 2001,2002 Matthew Fisher
' // post questions/comments on
' //
' // Due to the sheer volume, Support questions
' // are *never* answered via email, sorry.
' //
' // This is free software however you may not redistribute it,
' // pass it off as your own work, remove any headers or notices,
' // sell it either by itself or as part of a compilation,
' // or otherwise bend, fold, or mutilate it. All notices must
' // remain in this source and all resulting output.
' //
' // To learn more about this script and more visit
' ----------------------------------------------------------------------

' // AddGroup.vbs.
' Runs in the cscript.exe script engine.
' Adds a global group to a local group using Active Directory Services Interface (ADSI)

' Usage: cscript.exe addgroups.vbs computername
' Can be batched to operate on multiple computers.

'forces methodical coding - makes us dimension our variables and won't let us make typos.
Option Explicit

' Dimension our memory
Dim strComputer     'Holds the computer to work on.
                    'Can be specified in the command line to batch this out.
Dim strLocalGroup   'Holds the local group that we want to add a global group to
Dim strDomain       'Holds the domain name that has the global group we want to add
Dim strGlobalGroup  'Holds the global group that we're adding to the local group
Dim oDomain         'Holds the ADSI object we need for this all to work.
Dim oGroup          'Holds the ADSI object we need for this all to work.

'And initialize the variables I just dimensioned. Note that you can
' 'hard code' the computer name here, but it doesn't make a whole lot of sense to.
strComputer=""
strLocalGroup="Power Users"
strDomain="Domain name"
strGlobalGroup="Global group name"

'If the computer name isn't hardcoded, and they didn't
' give it to us in the command line parameters, then
'ask for it here.
If strComputer="" And WScript.Arguments.Count<>1 Then
    WScript.StdOut.WriteLine "AddGroup.vbs: Missing or incorrect parameters."
    WScript.StdOut.WriteLine "Prompting for information: "
    WScript.StdOut.Write "What computer do you want to operate on ? "
    strComputer=WScript.StdIn.ReadLine
ElseIf WScript.Arguments.Count>=1 Then
    'Only read the argument when one was passed, so a hardcoded
    'computer name with no arguments is left as it is.
    strComputer=WScript.Arguments(0)
End If

WScript.StdOut.WriteLine "Connecting to " & strComputer

'Bind to the computer, fetch the local group, then add the domain group to it.
Set oDomain = GetObject("WinNT://" & strComputer)
Set oGroup = oDomain.GetObject("Group", strLocalGroup)
oGroup.Add ("WinNT://" & strDomain & "/" & strGlobalGroup)

WScript.StdOut.WriteLine "Done. Added " & strDomain & "\" & strGlobalGroup & " to " & strComputer & "\" & strLocalGroup

Set oGroup=Nothing
Set oDomain=Nothing
strComputer=""
strLocalGroup=""
strDomain=""
strGlobalGroup=""

' ablee-ablee, that's all folks !
 
Try this -
that method works fine. But always browse for the group - don't type it in. I've found there is a difference.

I use this method to add the DOMAIN USERS group to the local POWER USERS group.

Keep in mind that when you use Restricted Groups, ONLY those who you list will be in the group. If the machine currently has other accounts in that group, and you push through Restricted Groups, those members already in there will be REMOVED if they are not part of the Restricted Groups. (So, if you're dealing with the Local Admins group, make sure you include the Domain Admins!)

Hope this makes sense.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
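A pre-flight check for the removal behaviour described in the post above, as an added example that is not part of the thread or of the script posted in it: it lists the current members of a local group on one computer and flags those absent from the list you plan to put in Restricted Groups. The file name auditgroup.vbs and the EXAMPLEDOM entry are placeholders, and it assumes the account running it can query the target machine.

```vbscript
' Added example, not from the thread: report which current members of
' a local group are missing from the list planned for Restricted Groups.
' Run with: cscript.exe //nologo auditgroup.vbs computername  (file name is hypothetical)
Option Explicit

Dim strComputer, strLocalGroup, arrKeep, dictKeep
Dim oGroup, oMember, strName, i, nDropped

strLocalGroup = "Power Users"
' Assumption: the accounts you intend to list in the Restricted Groups
' policy, written as DOMAIN/name. EXAMPLEDOM is a placeholder.
arrKeep = Array("EXAMPLEDOM/Domain Users")

If WScript.Arguments.Count <> 1 Then
    WScript.StdOut.WriteLine "Usage: cscript.exe auditgroup.vbs computername"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)

' Case-insensitive lookup table of the members the policy will keep.
Set dictKeep = CreateObject("Scripting.Dictionary")
dictKeep.CompareMode = vbTextCompare
For i = 0 To UBound(arrKeep)
    dictKeep(arrKeep(i)) = True
Next

' Bind to the local group through the WinNT provider (read-only use here).
Set oGroup = GetObject("WinNT://" & strComputer & "/" & strLocalGroup & ",group")

nDropped = 0
For Each oMember In oGroup.Members
    ' ADsPath is WinNT://DOMAIN/name, or WinNT://DOMAIN/COMPUTER/name for local accounts.
    strName = Mid(oMember.ADsPath, Len("WinNT://") + 1)
    If dictKeep.Exists(strName) Then
        WScript.StdOut.WriteLine "keep  " & strName
    Else
        WScript.StdOut.WriteLine "DROP  " & strName
        nDropped = nDropped + 1
    End If
Next

WScript.StdOut.WriteLine nDropped & " current member(s) of " & strComputer & "\" & _
    strLocalGroup & " are not in the planned list."
If nDropped > 0 Then WScript.Quit 2
```

The non-zero exit code lets a batch file that loops over computer names collect the machines where the policy would remove someone.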
 