Local Admin Group

[RayMcD]

Let me start off by saying that I am new to AutoIT. I have been working on a way to control the local administrators group on our desktops. Currently"Domain Users" are local admins on every computer and I would like to change this so that only the currently logged on user is a local admin. I have a vb script that works but only if the user is already a local admin. If the user is not a local admin they get access denied when trying to edit the local admin group. I thought AutoIT would allow me to us the RunAs function to add domain users or the local user to the admins group. I have been working on this for a while now and just can't get it to work in AutoIT. I also tried a vbs to AutoIT converter which didn't work for me.

This is what I am trying to accomplish:

1. Define permitted local admins (Administrator, Domain Admins, @UserName)

2. Enumerate the local admin group

3. Check to see if the local admin group matches the permitted admins group

4. If not RunAs admin to add Domain users to the local admin group (So the user can later add themselves)

5. Run as the current user to add @UserName to the admin group if it isnt there

6. Run as the current user to add Domain Admins to the admin group if it isnt there

7. Run as the current user to add the local Administrator to the local admin group if it isnt there

8. Run as the current user to remove Domain Users

This is the vb script that I have which works if you are already a local admin:

' Remove Unapproved Local Administrators.

'vbscript

'** Define Variables

Dim PermittedAdmins' As Array

Dim objNetwork

Dim strUserName

Dim objSrv

strDomain ="Domain"

strDomainAdmins = "Domain Admins"

'** Extract the username

Set objNetwork = WScript.CreateObject("WScript.Network")

strUserName = objNetwork.UserName

'** Define Permited Administrators List

PermittedAdmins = Array("Administrator", "Domain Admins", strUserName)

'** Get Local Administrator Group

Set AdminGroup = GetObject("WinNT://./Administrators, Group")

'** Search for Invalid Members & Remove Them

For Each GroupMember in AdminGroup.Members

Debug.WriteLine GroupMember.Name, GroupMember.Class, IsPermitedAdmin(GroupMember.Name)

If Not IsPermitedAdmin(GroupMember.Name) Then

AdminGroup.Remove GroupMember.ADsPath

End If

'** Add the current user to the local admins group

strComputerName=objNetwork.ComputerName

'** Checking local Administrator group

Set objSrv = GetObject("WinNT://" & strComputerName & "/Administrators,group")

if objSrv.IsMember("WinNT://" & strDomain & "/" & strUserName) then

' wscript.Echo "found " & strDomain & "\" & strUserName

else

' wscript.Echo "not found " & strDomain & "\" & strUserName

' wscript.Echo "Adding WinNT://" & strDomain & "/" & strUserName

objSrv.Add("WinNT://" & strDomain & "/" & strUserName)

end If

'** Add domain admins to the local admins group

if objSrv.IsMember("WinNT://" & strDomain & "/" & strDomainAdmins) then

' wscript.Echo "found " & strDomain & "\" & strDomainAdmins

else

' wscript.Echo "not found " & strDomain & "\" & strDomainAdmins

' wscript.Echo "Adding WinNT://" & strDomain & "/" & strDomainAdmins

objSrv.Add("WinNT://" & strDomain & "/" & strDomainAdmins)

end If

Next

'** Functions *****************************************************************

Function IsPermitedAdmin(MemberName)' As Boolean

Dim i' As Long

For i = LBound(PermittedAdmins) To UBound(PermittedAdmins)

If UCase(MemberName) = UCase(PermittedAdmins(i)) Then

IsPermitedAdmin = True

Exit Function

End If

Next

IsPermitedAdmin = False

End Function

If anyone can help me get this converted to AutoIT it will be appreciated.

Thanks

RayMcD

[Bert]

http://www.autoitscript.com/forum/index.ph...l=Domain+Admins

http://www.autoitscript.com/forum/index.ph...st&p=499954

[RayMcD]

Thanks Volly...

I'll take a look at the examples but I have already seen most of them. Even with all of the examples I just can't get this to work.