Need to create a script that can add domain users to local admin group, Where should I start?

MeepZero · August 8, 2012

I'm trying to build a script or function to integrate into my master script so after I run this on the client machine, it will rename and add itself to the domain. It also needs to add a couple users to the local admin group in Windows 7. So far I've been able to build something that navigates through the windows UI and takes care of adding to the domain, but now I'm hung up on adding users to the local admin group. I thought about just manually mapping out mouseclicks and trying to get it to run that way, but I'm hoping there is an easier way somehow.

Is there a way to add a user to the local admin group without needing to reboot the machine first? I've tried using "net localgroup" but that seems to not work if you run it after both renaming and adding a machine to the domain. It does work if you only add the machine and not rename it but that creates new problems that I really don't want to deal with.

water · August 8, 2012

You have already solved the part of adding your machine to the domain. So just as an info: My Active Directory UDF has all Active Directory related functions you need.

IIRC you will find some threads on the forum how to add a user to the local admin group.

MeepZero · August 9, 2012

I've looked into the AD UDF, but I'm not entirely sure how to use it. I think I want to use the _AD_AddUserToGroup item, but from reading through it it sounds like this is something that needs to run on the server, this needs to run on the workstation after the machine has been renamed and added to the domain, but before the first reboot.

Digging around in the forums hasn't yielded the best results for me, its difficult to find something that does all of this on the local machine.

MeepZero · August 9, 2012

Here's what I have so far, I'm getting hung up on calling up the properties window for the admin group. The local users and groups panel is weird and sluggish to launch, maybe there's a better way to call up the properties of the local admin group somehow?

That module stuff is something I put in so I can plug this in as a function to another script while still leaving this one intact.

AutoItSetOption("TrayIconDebug",1)

Global $module, $OutOWNER

If $module = 0 Then
   AutoItSetOption("WinTitleMatchMode" ,2)
   AddLocalAdmin()
EndIf

Func AddLocalAdmin()

ShellExecute("lusrmgr.msc")
$uWhndLUG = WinWait("lusrmgr - [Local Users and Groups (Local)")
WinWaitActive($uWhndLUG)
ControlSend($uWhndLUG,"",12785,"g")
WinWait($uWhndLUG,"Local Users and Groups (Local)Groups")

Sleep(2500)
ControlSend($uWhndLUG,"",12786,"Admin{enter}")

WinWait("Administrators Properties") ; Waiting for admin properties box to appear
ControlClick("Administrators Properties","",1168)

WinWait("Select Users, Computers, Service Accounts, or Groups")
ControlSend("Select Users, Computers, Service Accounts, or Groups","",214,$OutOWNER &amp; "{enter}")

WinWaitActive("Administrators Properties")
ControlClick("Administrators Properties","",1168)

WinWait("Select Users, Computers, Service Accounts, or Groups")
ControlSend("Select Users, Computers, Service Accounts, or Groups","",214,"ANOTHERGROUP{enter}")

;Might need something in here to catch a popup for duplicate entries will probably be like...
;If WinExists("Local Users and Groups"," is already in the list.") Then
; Close it

WinWaitActive("Administrators Properties")
ControlClick("Administrators Properties","",1)
WinClose($uWhndLUG)

EndFunc

Edited August 9, 2012 by MeepZero

water · August 9, 2012

My AD UDF only has functions to work with the Active Directory. I mentioned it just as info because you've already finished this part.

When searching the forum you will find threads like which give you at least an idea how to work with the relevant objects.

skysel · August 9, 2012

maybe you could implement integrated windows command: "net localgroup administrators domainuser.name /add" :-)

MeepZero · August 9, 2012

maybe you could implement integrated windows command: "net localgroup administrators domain\user.name /add" :-)

I had it set up for this actually, but I can't make it work because there is a limitation where once you rename and add a machine to the domain, you must reboot before being able to use this command. I want to do all of this before rebooting.

My AD UDF only has functions to work with the Active Directory. I mentioned it just as info because you've already finished this part.
When searching the forum you will find threads like which give you at least an idea how to work with the relevant objects.

I'll take a look at the link there, it might be helpful in making this work.

Javik · August 9, 2012

Personally, I do not like having certain attributes burned into the clients for all eternity when those attributes could instead be managed through the domain directory. Use the directory, that's why it is there.

In your domain, you create a custom group and put users or other domain groups in it. You can have as many or as few of these custom security groups as you like, for granular security control:

DOMAINLocal-PC Admins - Finance Dept

DOMAINLocal-PC Admins - Sales Dept

DOMAINLocal-PC Admins - Engineering Dept

On each local-computer where you want these accounts to have rights, add their particular domain group to the local-computer Admininistrators group. Only finance computers have "DOMAINLocal-PC Admins - Finance Dept" assigned, etc.

Want a universal access group? You don't need to touch the clients again to set that up.

Group:

- DOMAINLocal-PC Admins - ALL

Members:

- DOMAINFred-the-admin

Member of:

- DOMAINLocal-PC Admins - Finance Dept

- DOMAINLocal-PC Admins - Sales Dept

- DOMAINLocal-PC Admins - Engineering Dept

And so, if at some point you should ever want to add more or revoke those permissions on the clients, it is a simple matter of changing the domain group memberhips, and all the clients are automatically and immediately updated.

MeepZero · August 10, 2012

Unfortunately, this isn't an option for me. I'm on the desktop support side of the company and we don't have access to the group policy settings from our side.

Whats really frustrating about this, is I can manually (or through a script, though the script is kinda random) go and change the local admin group to contain the needed users / groups and all it does is ask me for my login. It only seems to throw a fit when I try to do it via the command line. I can reboot the machine and it works fine, but the goal here is to do everything (domain add, machine rename, local groups, install apps, etc) in a single pass without either needing multiple reboots OR needing to log in as myself to handle the rest of the setup.

I think I might have better luck if I can pull up just the properties box of the local administrators group somehow and bypass the lusrmgr.msc screen. I've searched around for this but I haven't had the best luck with finding that either.

Edited August 10, 2012 by MeepZero

Sign In

Need to create a script that can add domain users to local admin group, Where should I start?

Recommended Posts

MeepZero

water

MeepZero

MeepZero

water

skysel

MeepZero

Javik

MeepZero

Create an account or sign in to comment

Create an account

Sign in

Recently Browsing 0 members

Browse

AutoIt Resources

Release

Beta