Help, need a VBScript


Clayton Sutton

Hey everyone,

We are running a Windows 2003 domain and Win2k and Win2k3 workstations. I
need a vbscript to add a domain acct. to the LOCAL Admin acct. to ALL of our
workstations. Can anyone help by pointing me in the right direction where I
can download that type of script?


TIA,


Clayton
 
Hey RC,

Thanks for the reply. However, can you explain a little more? I know how
to do GPOs, I just need a little more info. from you.


Clayton
 
Where would I do it at?


Clayton


Clayton Sutton said:
Hey RC,

Thanks for the reply. However, can you explain a little more? I know how
to do GPOs, I just need a little more info. from you.


Clayton
 
Clayton Sutton said:
Hey everyone,

We are running a Windows 2003 domain and Win2k and Win2k3
workstations. I need a vbscript to add a domain acct. to the LOCAL
Admin acct. to ALL of our workstations. Can anyone help by pointing
me in the right direction where I can download that type of script?


TIA,


Clayton

You can either use restricted groups (see
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5319 for some help)

....or you could use a computer startup script assigned via group policy -
such as a simple batch file using
net localgroup Administrators DOMAIN\user_or_group /add
 
You could use the restricted user group gpo setting

computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.microsoft.com/technet/pr...Ref/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx
http://www.microsoft.com/resources/...all/proddocs/en-us/sag_scerestrictgroups.mspx

There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
 
How about "except" servers? What if I only want to do this to Workstations?
That way I can just setup an acct. for our help desk that they could use to
log into workstations but NOT be able to log into my servers!


Clayton
 
No problem. Scope and/ or filter the GPO to only apply to computers.

Also consider modifying the logon locally right on the servers in question
as by default a user can logon to a member server interactively.
 
I see in Group Policy Management Console if I edit the GPO I can click on
the "Scope" tab. I then see "Authenticated Users" under "Security
Filtering".

Now how do I filter it just to apply to my workstations and NOT my servers?
When I click the "Add..." button and change the "Object Types..." to
"Computers", I don't see an object just for "Workstations".



Clayton
 
Clayton Sutton said:
I see in Group Policy Management Console if I edit the GPO I can
click on the "Scope" tab. I then see "Authenticated Users" under
"Security Filtering".

Now how do I filter it just to apply to my workstations and NOT my
servers? When I click the "Add..." button and change the "Object
Types..." to "Computers", I don't see an object just for
"Workstations".


Clayton

You can link the GPO to just the workstation/laptop OUs. Or deny/allow by
using a WMI filter in the GPO for operating system types.

--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...
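
Added example, not part of any post in this thread: a VBScript computer startup script that combines the "net localgroup ... /add" suggestion with the workstation-only requirement raised above. DOMAIN and user_or_group are the thread's own placeholders; using Win32_ComputerSystem.DomainRole (1 = member workstation) to tell workstations from servers is this example's assumption.

```vbscript
' Added example: computer startup script, assigned via GPO (runs as SYSTEM).
Option Explicit

Const DOMAIN_NAME = "DOMAIN"          ' placeholder from the thread
Const GROUP_NAME = "user_or_group"    ' placeholder from the thread
Const ROLE_MEMBER_WORKSTATION = 1     ' Win32_ComputerSystem.DomainRole value
Const EVT_ERROR = 1                   ' WshShell.LogEvent type: error
Const EVT_INFO = 4                    ' WshShell.LogEvent type: information

Dim objShell, objNet
Set objShell = CreateObject("WScript.Shell")
Set objNet = CreateObject("WScript.Network")

If IsMemberWorkstation() Then
    AddToLocalAdmins objNet.ComputerName
End If

' True only for domain-joined workstations; servers and DCs report 2 to 5.
Function IsMemberWorkstation()
    Dim objWMI, objCS
    IsMemberWorkstation = False
    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    For Each objCS In objWMI.ExecQuery("SELECT DomainRole FROM Win32_ComputerSystem")
        If objCS.DomainRole = ROLE_MEMBER_WORKSTATION Then IsMemberWorkstation = True
    Next
End Function

' Adds the domain account to the local Administrators group if it is missing,
' and records the outcome in the Application event log for later audit.
Sub AddToLocalAdmins(strComputer)
    Dim objGroup, strMember
    strMember = "WinNT://" & DOMAIN_NAME & "/" & GROUP_NAME
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If objGroup.IsMember(strMember) Then Exit Sub   ' already present, nothing to do

    On Error Resume Next
    objGroup.Add strMember
    If Err.Number = 0 Then
        objShell.LogEvent EVT_INFO, "Added " & DOMAIN_NAME & "\" & GROUP_NAME & _
            " to local Administrators"
    Else
        objShell.LogEvent EVT_ERROR, "Could not add " & DOMAIN_NAME & "\" & GROUP_NAME & _
            " to local Administrators: " & Err.Description
    End If
    On Error GoTo 0
End Sub
```

The script only adds a member and never removes one, whereas a Restricted Groups "Members of this group" list replaces the existing membership of the local group. If the WMI query fails, the script stops before touching the group, so a machine whose role cannot be determined is left unchanged.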
 
If you are within scope of a GPO, it applies to you. Without any additional
factors, such as no override, block inheritance or filtering, an object is
within scope if it is a child, grand-child, whatever, of a container that
has a GPO linked to it. Therefore, in the context I described, I was
referring to you linking the GPO to an OU that contains the necessary
workstations and not the servers.

The other option is filtering. If your workstations and servers are in the
same OU, or you are doing this at the site or domain level, you can add
servers to a group and deny that group the ability to apply the GPO.
-- http://www.msresource.net/content/view/15/47/


Note. Filtering is only applicable if the user or computer objects that are
members of the group that you have filtered are within scope. It is of no
consequence where the group in question resides, as GPOs do not apply to
groups.

If you consider scope out of the default context, then if things are
filtered or excluded because of a WMI filter (a WQL query) then these are
also scoped out. The term can be ambiguous under certain circumstances.
 