The scenario is this: how can I add a domain user or group to the local Administrators group of all of my desktops, so that a 'desktop support' group has admin access to every desktop without being given Domain Admin rights? I know a lot of you are thinking, just use Group Policy and create a Restricted Group. That would work for a fairly generic and probably small organization. We have a decent-sized organization: 1500+ workstations, 90+ Windows servers, and 70+ locations. Like many organizations, we also have vendors that offer low-cost software solutions, but these solutions often have not been updated to keep the workstations or servers secure; the main problem I am talking about is requiring local Admin privileges to run a poorly written application. So I have many desktops on the network that may or may not have a specific user listed in the local Administrators group. As most of you know, the Restricted Groups method in Group Policy replaces all existing members of the local group with the users you specify in the policy, so it was not a good fit for our environment. After much thought and experimentation, I came up with a script that can be applied as a computer-based startup script in Group Policy to add a specific domain user or group to the local Administrators group of the machines the policy applies to.
Below is the script. It also ensures that no one has removed Domain Admins from the local Administrators group (which has happened before in my environment). As you can see from the commented lines below, the group I used is called 'WSAdmins'; just change this to whatever you want to use and be sure to change the
______________________________________
' Script to add the WSAdmins and Domain Admins domain groups to the local Administrators group
Option Explicit
Dim strComputer, objAdmins, objUser, objGroup, Wadd, Dadd
' "." binds to the local machine; the WinNT provider resolves it to this computer's name
strComputer = "."
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators,group")
' Track whether each required domain group is already a member
Wadd = False
Dadd = False
For Each objUser In objAdmins.Members
    If objUser.Name = "WSAdmins" Then Wadd = True
    If objUser.Name = "Domain Admins" Then Dadd = True
Next
If Not Wadd Then
    ' Bind to the domain group you wish added (replace <domain> with your domain's name)
    Set objGroup = GetObject("WinNT://<domain>/WSAdmins,group")
    ' Add that group to the local Administrators group
    objAdmins.Add objGroup.ADsPath
Else
    ' The next line is commented out; uncomment it for testing
    'WScript.Echo strComputer & " already has WSAdmins"
End If
If Not Dadd Then
    ' Bind to the Domain Admins group (replace <domain> with your domain's name)
    Set objGroup = GetObject("WinNT://<domain>/Domain Admins,group")
    ' Add that group to the local Administrators group
    objAdmins.Add objGroup.ADsPath
Else
    ' The next line is commented out; uncomment it for testing
    'WScript.Echo strComputer & " already has Domain Admins"
End If
After you modify the script to work in your environment, just add it to a Group Policy Object as a Computer Startup Script. Like I said, this works well in my environment; if you have another way, post a comment and share it with everyone.
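For anyone running this on current Windows builds, here is the same idea written in PowerShell. This is an added example, not the script from the post above: it uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later) instead of the WinNT ADSI provider, adds a report-only switch for testing in place of the commented-out echo lines, and writes its results to the Application event log so they are visible when the script runs as SYSTEM at startup. 'CONTOSO' is a placeholder for your domain's NetBIOS name, 'WSAdmins' is the group name from the post, and the event source name 'LocalAdminStartup' is my own choice. It also does one thing the post's script does not: it reports any extra members of the local Administrators group so they can be reviewed, rather than silently replaced as Restricted Groups would do.

```powershell
#Requires -RunAsAdministrator
# Added example (not the post's own script): idempotently ensure that required domain groups
# are members of the local Administrators group, and report any other members for review.
# 'CONTOSO' is a placeholder domain; replace it with your domain's NetBIOS name.
param(
    [string]$Domain = 'CONTOSO',
    [string[]]$RequiredMembers = @('WSAdmins', 'Domain Admins'),
    [switch]$ReportOnly    # testing mode: print what would change, modify nothing
)

$LogSource = 'LocalAdminStartup'   # assumed event source name, created on first run

function Write-StartupLog {
    param([string]$Message, [string]$EntryType = 'Information')
    # A startup script has no console, so the Application log is where the result is seen.
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    Write-EventLog -LogName Application -Source $LogSource -EventId 1000 `
        -EntryType $EntryType -Message $Message
}

function Get-MissingAdmins {
    param([string[]]$Current, [string[]]$Required)
    # Required 'DOMAIN\group' entries that are not yet in the local group.
    # -notcontains compares case-insensitively, matching how Windows treats account names.
    $Required | Where-Object { $Current -notcontains $_ }
}

# Current membership as 'DOMAIN\name' or 'COMPUTER\name' strings.
$current  = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$required = $RequiredMembers | ForEach-Object { "$Domain\$_" }

foreach ($member in (Get-MissingAdmins -Current $current -Required $required)) {
    if ($ReportOnly) {
        Write-Host "$env:COMPUTERNAME is missing $member"
    } else {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
        Write-StartupLog "Added $member to local Administrators on $env:COMPUTERNAME"
    }
}

# The post's motivation: machines may carry extra local admins that vendor software needed.
# Log them as a warning so they can be reviewed instead of being replaced or ignored.
$builtin    = "$env:COMPUTERNAME\Administrator"
$unexpected = $current | Where-Object { ($required -notcontains $_) -and ($_ -ne $builtin) }
if ($unexpected) {
    $msg = 'Additional local Administrators on {0}: {1}' -f $env:COMPUTERNAME, ($unexpected -join ', ')
    if ($ReportOnly) { Write-Host $msg } else { Write-StartupLog $msg 'Warning' }
}
```

Run it once by hand with `-ReportOnly` before deploying it as a Computer Startup Script, and filter the Application log on the 'LocalAdminStartup' source afterwards to see which machines were changed and which ones carry extra administrators worth looking into. One known caveat: on some Windows builds `Get-LocalGroupMember` fails when the group contains an orphaned SID from a deleted account; in that case the WinNT ADSI provider used by the post's VBScript is the fallback, since it enumerates such members without complaint.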
Till next time...
RB Out.