Marshalus (Veteran), posted January 14, 2008

Here at work we (usually) name the primary machines that users work on the same as their AD username. We also give them Power User access on that machine and only that machine. (Eventually they'll just be Users, but we're still trying to back down from having them as local admins.) Right now when our desktop techs set up new machines for people they have to manually assign the user to the group, which they sometimes forget to do. What I would like to do is to automate this by adding a startup script that gets the name of the computer and attempts to add the account to the group automatically based on that name. But I suck at scripts, so if anyone could give me a hand I'd appreciate it ;)
Sn00pY, posted January 14, 2008

A login script wouldn't work, as it would require it to be "ran as" effectively, as users will not natively have enough admin privilege to perform this action...
Marshalus (Veteran, thread author), posted January 14, 2008

Hence why I said "adding a startup script", which runs as administrators ;)
PricklyPoo, posted January 14, 2008

Maybe this would help? http://technet.microsoft.com/en-us/library/bb742536.aspx
samg, posted January 14, 2008

I had to script this for 30 new machines I was setting up. Basically what I did was automate it so when the image was recovered it automatically logged into the local admin account, then fetched a script. The script included the code from PricklyPoo's link. Then at the end it added the user to Power Users (installed software silently, etc.), then restarted the PC.
Marshalus (Veteran, thread author), posted January 14, 2008

This is what I have so far. I've not tested it yet because my machines are not named with the same convention, so I'm setting up a test employee machine right now.

    Dim objNet
    On Error Resume Next
    Set objNet = CreateObject("WScript.Network")
    If err.Number <> 0 Then
        ' do nothing on error just keep moving along
        err.Clear
    End If
    strComputer = objNet.ComputerName
    ' Local "Power Users" group on this machine, via the ADSI WinNT provider
    Set objGroup = GetObject("WinNT://" & strComputer & "/Power Users")
    ' Domain account that has the same name as the computer
    ' (UserDomain is taken from the account the script runs as)
    Set objUser = GetObject("WinNT://" & objNet.UserDomain & "/" & strComputer)
    objGroup.Add(objUser.ADsPath)
    Set objNet = Nothing

> I had to script this for 30 new machines I was setting up. Basically what I did was automate it so when the image was recovered it automatically logged into the local admin account, then fetched a script. The script included the code from PricklyPoo's link. Then at the end it added the user to Power Users (installed software silently, etc.), then restarted the PC.

That wouldn't work very well with our processes. We're constantly adding or reimaging systems or changing system names when people leave and replacements are hired. Typically our desktop techs reimage the machine off the network and then take the system to the user and join it to the domain for them there while they wait. Since we're pretty restrictive with names we have to delete the old one before the new one is joined.
Marshalus (Veteran, thread author), posted January 14, 2008

OK, the above script works fine if I run it on the machine while logged in as an administrator, but when it attempts to run as a startup script it does not add the users to the group. Any ideas?
Marshalus (Veteran, thread author), posted January 14, 2008

I think I figured it out: the script is attempting to run as the local administrator on the machine, which does not have permission to poll Active Directory to add the network accounts. Anyone know how to feed the script AD credentials to look for the user?
Joel, posted January 14, 2008

c&p from another site, so let me know if it works:

> Better than script, try to investigate into Restricted Groups Group Policy setting. It is located in Computer Configuration/Windows Settings/Security Settings. It basically prescribes local Group membership on the computers to which this GPO applies.
Marshalus (Veteran, thread author), posted January 15, 2008

I already use Restricted Groups for my Administrators group to only allow domain admins, the local admin account, and what we call "techadmins", who are our Helpdesk and Desktop Support techs. This prevents our techs from giving people admin access and forgetting to take it away. (Usually our helpdesk has this problem.) I'm not really worried about "restricting" the Power Users group, more about helping make sure the people who are supposed to be there are there, on a machine-by-machine basis. Restricted Groups would only be helpful if I wanted to give all domain users Power User level on every machine in the OU that it applies to... which I sure as hell don't ;) (I don't even like giving them Power User to their machine.)
Marshalus (Veteran, thread author), posted January 15, 2008

I got it sorted this morning. It turns out that the "objNet.UserDomain" string doesn't phrase right if it's not loaded as a domain user, so I replaced that with our domain name. I would have liked for the script to just know the domain, but we only have one domain and unless we change names I don't see the domain name changing ;) I also modified the script to add the user to the Remote Desktop and Network Config groups as well. Final product:

    Dim objNet
    On Error Resume Next
    Set objNet = CreateObject("WScript.Network")
    If err.Number <> 0 Then
        ' do nothing on error just keep moving along
        err.Clear
    End If
    strComputer = objNet.ComputerName
    ' Local groups on this machine, via the ADSI WinNT provider
    Set objGroupPU = GetObject("WinNT://" & strComputer & "/Power Users")
    Set objGroupNC = GetObject("WinNT://" & strComputer & "/Network Configuration Operators")
    Set objGroupRU = GetObject("WinNT://" & strComputer & "/Remote Desktop Users")
    ' Domain account with the same name as the computer; DOMAINNAME is the
    ' NetBIOS domain name, hard-coded because UserDomain is not reliable here
    Set objUser = GetObject("WinNT://DOMAINNAME/" & strComputer)
    objGroupPU.Add(objUser.ADsPath)
    objGroupNC.Add(objUser.ADsPath)
    objGroupRU.Add(objUser.ADsPath)
    Set objNet = Nothing

Just throw it in a .vbs file and be on your way.
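The same startup-script approach as an added PowerShell example (not the thread's own script): it uses the ADSI WinNT provider like the VBScript above, but checks that the domain account actually exists, skips groups the account is already in so the script is safe to run at every boot, and writes a log line instead of swallowing errors. It assumes the NetBIOS domain name is supplied in the placeholder `$Domain` parameter (the thread found `UserDomain` unreliable when the script runs as the machine at startup) and that the computer name equals the username.

```powershell
# Added example, not from the thread. Run as a machine startup script (SYSTEM).
param(
    # Placeholder: NetBIOS domain name. Not derived from $env:USERDOMAIN because a
    # startup script runs as SYSTEM, where that value is not the user's domain.
    [string]$Domain = 'DOMAINNAME',
    [string[]]$Groups = @('Power Users', 'Network Configuration Operators', 'Remote Desktop Users'),
    [string]$LogFile = "$env:windir\Temp\AddComputerNamedUser.log"
)

$computer = $env:COMPUTERNAME
$userPath = "WinNT://$Domain/$computer"          # ADsPath of the domain account

function Write-Log([string]$Message) {
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

function Get-GroupMemberPaths([string]$GroupName) {
    # ADsPath of every current member, used to make the add idempotent.
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Add-ComputerNamedUserToGroup([string]$GroupName) {
    if ((Get-GroupMemberPaths $GroupName) -contains $userPath) {
        return "$userPath already in $GroupName"
    }
    $group = [ADSI]"WinNT://$computer/$GroupName,group"
    $group.Add($userPath)
    return "$userPath added to $GroupName"
}

# Verify the account exists before touching any group. Binding to a missing
# account fails on first property access, which is the check we want.
try {
    $null = ([ADSI]"$userPath,user").Name
} catch {
    Write-Log "no domain account named $computer in $Domain; nothing changed"
    exit 1
}

foreach ($g in $Groups) {
    try   { Write-Log (Add-ComputerNamedUserToGroup $g) }
    catch { Write-Log "failed on ${g}: $($_.Exception.Message)" }
}
```

Because membership is checked first, running this at every boot (as a startup script does) never produces duplicate-add errors, and the log in `%windir%\Temp` shows which machines had no matching domain account.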