Script to assign user to local computer group at startup

[Marshalus Veteran]

Here at work we (usually) name the primary machines that users work on the same as their AD username. We also give them Power User access on that machine and only that machine. (Eventually they'll just be Users, but we're still trying to back down from having them as local admins.)

Right now when our desktop techs setup new machines for people they have to manually assign the user to the group, which they sometimes forget to do. What I would like to do is to automate this by adding a startup script that gets the name of the computer and attempts to add the account to the group automatically based on that name.

But I suck at scripts, so if anyone could give me a hand I'd appreciate it ;)

[Sn00pY]

a login script wouldn't work as it would require it to be "ran as" effectively as users will not natively have enough admin privilage to perform this action...

[Marshalus Veteran]

Hence why I said "adding a startup script" which run as administrators ;)

[PricklyPoo]

Maybe this would help?

http://technet.microsoft.com/en-us/library/bb742536.aspx

[samg]

I had to script this for 30 new machines i was setting up.

Basically what i done was automated it so when the image was recovered it automatically logged into the local admin account then fetched a script.

Script included the code from pricklypoo's link. Then at the end it added the user to power users. (installed software silently etc)

Then restarted the PC.

[Marshalus Veteran]

This is what I have so far, I've not tested it yet because my machines are not named with the same convention so I'm setting up a test employee machine right now.

Dim objNet
On Error Resume Next 

Set objNet = CreateObject("WScript.Network") 
If err.Number <> 0 Then
	' do nothing on error just keep moving along
	err.Clear
End if

strComputer = objNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Power Users")
Set objUser = GetObject("WinNT://" & objNet.UserDomain & "/" & strComputer)
objGroup.Add(objUser.ADsPath)


Set objNet = Nothing

I had to script this for 30 new machines i was setting up.

Basically what i done was automated it so when the image was recovered it automatically logged into the local admin account then fetched a script.

Script included the code from pricklypoo's link. Then at the end it added the user to power users. (installed software silently etc)

Then restarted the PC.

That wouldn't work very well with our processes. We're constantly adding reimaging systems or changing system names when people leave and replacements are hired. Typically our desktop techs reimage the machine off the network and then take the system to the user and join it to the domain for them there while they wait. Since we're pretty restrictive with names we have to delete the old one before the new one is joined.

[Marshalus Veteran]

OK the above script works fine if I run it on the machine, while logged in as an administrator but when it attempts to run as a startup script it does not add the users to the group. Any ideas?

[Marshalus Veteran]

I think I figure it out, the script is attempting to run as the local administrator on the machine, which does not have permission to poll active directory to add the network accounts. Anyone know how to feed the script AD credentials to look for the user?

[Joel]

c&p from another site, so let me know if it works:

Better than script, try

to investigate into Restricted Groups Group Policy setting. It is located in

Computer Configuration/Windows Settings/Security Settings

It basically prescribes local Group membership on the computers to which

this GPO applies.

[Marshalus Veteran]

I already use Restricted Groups for my Administrators group to only allow domain admins, the local admin account, and what we call "techadmins" who are our Helpdesk and Desktop Support techs. This prevents our techs from giving people admin access and forgetting to take it away. (usually our helpdesk has this problem)

I'm not really worried about "restricting" the Power User groups, more about helping make sure the people who are suppose to be there, are there, on a machine by machine basis. Restricted groups would only be helpful if I wanted to give all domain users Power User level on every machine in the OU that it applies... which I sure as hell don't ;) (I don't even like giving them Power User to their machine)

[Marshalus Veteran]

I got it sorted this morning. It turns out that the "objNet.UserDomain" string doesn't phrase right if its not loaded as a domain user, so I replaced that with our domain name. I would have liked for the script to just know the domain, but we only have one domain and unless we change names I don't see the domain name changing ;)

I also modified the script to add the user to the Remote Desktop and Network Config groups as well.

Final product:

Dim objNet
On Error Resume Next 

Set objNet = CreateObject("WScript.Network") 
If err.Number <> 0 Then
	' do nothing on error just keep moving along
	err.Clear
End if

strComputer = objNet.ComputerName
Set objGroupPU = GetObject("WinNT://" & strComputer & "/Power Users")
Set objGroupNC = GetObject("WinNT://" & strComputer & "/Network Configuration Operators")
Set objGroupRU = GetObject("WinNT://" & strComputer & "/Remote Desktop Users")
Set objUser = GetObject("WinNT://DOMAINNAME/" & strComputer)
objGroupPU.Add(objUser.ADsPath)
objGroupNC.Add(objUser.ADsPath)
objGroupRU.Add(objUser.ADsPath)



Set objNet = Nothing

Just throw it in a .vbs file and be on your way.