'NAME: UpdateLocalAdmin.vbs
'KEYWORDS:ADSI,Administrators,WinNT,Group
'Jeffery Hicks MCSE, MCT, MCSA
'jhicks@jdhitsolutions.com
'http://jdhitsolutions.blogspot.com
'http://www.jdhitsolutions.com
'USAGE: cscript|wscript UpdateLocalAdmin.vbs
'NOTES: This script will update the local Administrators group with
'users and groups found in the DESCRIPTION field of the computer object in
'Active Directory. Users and groups should be in the format domain\name
'and separated by commas.
'Obviously, you need local administrative credentials to run this script.
'One recommended method is to run this as a computer startup script
'specifying a user or group as a runtime parameter.
'Results and errors will be recorded in the local application log.
'SECURITY: the Description attribute of the computer object is the sole
'source of truth for who becomes a local administrator. Anyone who can
'write that attribute (including whoever owns the object or has been
'delegated write access to it) can grant any domain principal local admin
'rights on this machine, so treat write access to that attribute as
'equivalent to local-admin rights and restrict it accordingly.
'Always give the domain prefix (domain\name); an unqualified name may be
'resolved to an unexpected principal.
'VERSION HISTORY
' 1.1 02/21/2007
'     fixed bug in finding computer distinguished name
' 1.0 11/24/2006
'LICENSE
' This program is free software; you can redistribute it and/or modify
' it under the terms of the GNU General Public License as published by
' the Free Software Foundation; either version 2 of the License, or
' (at your option) any later version.
' This program is distributed in the hope that it will be useful,
' but WITHOUT ANY WARRANTY; without even the implied warranty of
' MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
' GNU General Public License for more details at
' HTTP://www.gnu.org/licenses/gpl.txt
' *********************************************************************************
' * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
' * ENVIRONMENT. USE AT YOUR OWN RISK.                                            *
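' *********************************************************************************
Option Explicit

' Script flow:
'   1. Find this computer's AD object (GetDN) and read its Description.
'   2. Split the Description on commas into domain\name entries.
'   3. Resolve each entry through the WinNT provider and add it to the
'      local Administrators group, logging the outcome to the Application log.
'
' SECURITY NOTE: whoever can write the Description attribute of this
' computer object controls local Administrators membership on this host.
' Nothing here validates that an entry is a principal you intended; it only
' has to resolve. Keep write access to that attribute tightly restricted.

Dim objNetwork, strComputer, strDN
Dim objComputer
Dim objShell, strMsg
Dim objLocalAdmins
Dim AddedUsers, arrAddedUsers, x
Dim objItem, itemPath, strEntry

'Event log types accepted by WScript.Shell.LogEvent
Const SUCCESS=0
Const ERROR=1
Const WARNING=2
Const INFORMATION=4

'HRESULT (as the string Hex() returns) raised by IADsGroup.Add when the
'principal is already a member of the group. Hex() returns a String, so the
'comparison must be against a string literal - comparing it to a numeric
'literal is always False in VBScript and the "already a member" case would
'be logged as a failure.
Const ALREADY_MEMBER_HEX="80070562"

On Error Resume Next

Set objShell=CreateObject("WScript.Shell")
Set objNetwork=CreateObject("WScript.Network")
strComputer=objNetwork.ComputerName

strDN=GetDN(strComputer)
If strDN="NotFound" Then
    strMsg="Failed to find computer account for " & strComputer
    objShell.LogEvent ERROR, strMsg
Else
    Err.Clear
    Set objComputer=GetObject("LDAP://" & strDN)
    If Err.Number<>0 Then
        strMsg="Failed to bind to " & strDN & VbCrLf & _
               "Error #" & Hex(Err.Number) & " " & Err.Description
        objShell.LogEvent ERROR, strMsg
        WScript.Quit
    End If

    'Nothing in Description means nothing to do. Trim() also turns an
    'Empty (unset) attribute into "".
    AddedUsers=Trim(objComputer.Description)
    If AddedUsers="" Then WScript.Quit

    Err.Clear
    Set objLocalAdmins=GetObject("WinNT://" & strComputer & "/Administrators,Group")
    If Err.Number<>0 Then
        strMsg="Failed to bind to the local Administrators group on " & _
               strComputer & VbCrLf & _
               "Error #" & Hex(Err.Number) & " " & Err.Description
        objShell.LogEvent ERROR, strMsg
        WScript.Quit
    End If

    'uncomment next lines for debug information or to list current members
    ' Dim member
    ' For Each member In objLocalAdmins.Members
    '     WScript.Echo member.Name
    ' Next

    arrAddedUsers=Split(AddedUsers, ",")
    For x=0 To UBound(arrAddedUsers)
        'Trim so "a\b, c\d" works; skip blanks left by stray or trailing commas
        strEntry=Trim(arrAddedUsers(x))
        If strEntry<>"" Then
            'Change domain\name to domain/name for the WinNT provider path.
            'Note: a user or group can be added without a domain name, but
            'specifying the domain removes ambiguity and the possibility of
            'adding the wrong user or group.
            itemPath=Replace(strEntry, "\", "/")

            'Reset objItem first: if GetObject fails it would otherwise still
            'hold the previous iteration's object and that principal, not a
            'failure, would be processed again.
            Set objItem=Nothing
            Err.Clear
            Set objItem=GetObject("WinNT://" & itemPath)
            If Err.Number<>0 Or objItem Is Nothing Then
                strMsg="Could not add WinNT://" & itemPath & _
                       " to the local administrator's group." & VbCrLf & _
                       "Error #" & Hex(Err.Number) & " " & Err.Description
                objShell.LogEvent ERROR, strMsg
            Else
                Err.Clear
                objLocalAdmins.Add objItem.ADSPath
                objLocalAdmins.SetInfo
                If Err.Number=0 Then
                    strMsg="Added WinNT://" & itemPath & _
                           " to the local administrator's group."
                    objShell.LogEvent SUCCESS, strMsg
                ElseIf Hex(Err.Number)=ALREADY_MEMBER_HEX Then
                    'Already a member: nothing to change, nothing to report.
                    'uncomment for debugging
                    'WScript.Echo "WinNT://" & itemPath & " is already a member."
                Else
                    strMsg="Failed to add WinNT://" & itemPath & _
                           " to the local administrator's group." & VbCrLf & _
                           "Error #" & Hex(Err.Number) & " " & Err.Description
                    objShell.LogEvent WARNING, strMsg
                End If
            End If
        End If
    Next
End If

Function GetDN(samAccount)
    'Given the NetBIOS computer name, return the distinguishedName of the
    'matching computer object in the default naming context, or "NotFound".
    '
    'The lookup uses sAMAccountName (NetBIOS name plus a trailing "$"), which
    'is unique domain-wide, rather than CN, which is only unique within its
    'container. A CN match could bind to a different computer object with the
    'same name in another OU and then honour that object's Description list.
    '
    'samAccount comes from WScript.Network.ComputerName, not from user input,
    'so no escaping is applied when it is placed in the query filter.
    On Error Resume Next
    Dim RootDSE, myDomain
    Dim conn, cmd, RS
    Dim strQuery
    GetDN="NotFound"

    Set RootDSE=GetObject("LDAP://RootDSE")
    Set myDomain=GetObject("LDAP://" & RootDSE.Get("DefaultNamingContext"))

    strQuery="Select distinguishedname from '" & myDomain.ADSPath & _
             "' Where objectclass='computer'" & _
             " AND sAMAccountName='" & samAccount & "$'"

    Set conn=CreateObject("ADODB.Connection")
    Set cmd=CreateObject("ADODB.Command")
    conn.Provider="ADSDSOObject"
    conn.Open "Active Directory Provider"
    cmd.ActiveConnection=conn
    cmd.Properties("Page Size")=100
    cmd.Properties("asynchronous")=True
    cmd.Properties("Timeout")=30
    cmd.Properties("Cache Results")=False
    cmd.CommandText=strQuery

    Set RS=cmd.Execute
    If Err.Number=0 Then
        'sAMAccountName is unique, so the first row is the only row
        If Not RS.EOF Then GetDN=RS.Fields("distinguishedname")
        RS.Close
    End If
    conn.Close
End Function
'EOF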