Adding to local admin, possible?

Forums

My Profile

Inbox

Address Book

My Subscription

My Forums

Adding to local admin, possible?

Logged in as: Guest

arrSession:exec spGetSession 2,2,53016

	Active Users: There are 0 members and 0 guests.
	Users viewing this topic: none

Printable Version

All Forums >> [Scripting] >> WSH & Client Side VBScript >> Adding to local admin, possible?
Do you like VisualBasicScript.com? Link to us and help spread the word about our forum. Thanks!

Page: [1]

Message

<< Older Topic Newer Topic >>

Adding to local admin, possible? - 10/25/2007 1:09:22 AM

hales

Posts: 13
Score: 0
Joined: 10/21/2007
Status: offline

Hi all,
Complete newbie here, here's my scenario...
Teachers with laptops, I'd like to write a script that will run on login that will add them to the administrators group on the local machine, and also a different script that will remove them from the administrators group (so that they can install programs at home), any ideas if this is possible/realistic?

Not asking for handouts, just if it's possible (and of course if anyone's got any pointers, then that would be great!!), investigated using runas instead (i.e. a runas command and then they pick the executable but can't seem to get it working, so adding them to administrators on the local machine seems the easiest way round it)

Thanks!

Hales

Post #: 1

RE: Adding to local admin, possible? - 10/25/2007 2:04:29 AM

ebgreen

Posts: 5035
Score: 31
Joined: 7/12/2005
Status: online

It certainly is very possible. As a matter of fact you should be able to find copius examples here or through google.

_____________________________

"... when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick
Goog places to start:http://www.visualbasicscript.com/m_24727/tm.htm
http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to hales)

Post #: 2

RE: Adding to local admin, possible? - 10/25/2007 4:22:55 AM

hales

Posts: 13
Score: 0
Joined: 10/21/2007
Status: offline

Right, okay, got this so far:
Can add username of logged on person via a batch file using:
net localgroup administrators /add solgrid\%username%
Which adds me to the local admin group but I'm unable to run it as a teacher (who isn't an admin), so tried to write a script to run it as an admin:

Which doesn't seem to work at all, it runs with no errors but doesn't add the logged on user to administrators, is there something wrong with my strCommand line? Or are you just not able to run command line stuff within a script?

(in reply to hales)

Post #: 3

RE: Adding to local admin, possible? - 10/25/2007 5:07:35 AM

ebgreen

Posts: 5035
Score: 31
Joined: 7/12/2005
Status: online

When you are trying to use .Run or .Exec to execute an external command, the way that you quote things is very important. To troubleshoot these issues, it is invaluable to know exactly what command is running so put this line right before the run:

WScript.Echo strCommand

Next take whatever it prints and enter it verbatim at the command line and see what error you get.

_____________________________

"... when you are good and crazy, oooh, oooh, oooh, the sky is the limit!" - The Tick
Goog places to start:http://www.visualbasicscript.com/m_24727/tm.htm
http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to hales)

Post #: 4

RE: Adding to local admin, possible? - 10/26/2007 1:17:04 AM

Rischip

Posts: 502
Score: 2
Joined: 3/26/2007
Status: offline

Have people forgotten that the power users group exists for this purpose?

_____________________________

Rischip
Author of - The Grim Linker

(in reply to ebgreen)

Post #: 5

RE: Adding to local admin, possible? - 10/26/2007 4:33:53 AM

hales

Posts: 13
Score: 0
Joined: 10/21/2007
Status: offline

Invaluable info! Thanks ebgreen!
Problem seems to be
strCommand = "cmd /c c:\scripting\psexec.exe \\" & strComputer & " -i -u " & strAdminUser & " -p " & strAdminPass & " net localgroup administrators /add domain\%username% ""AsAdmin"""

The 2 backslashes as I'm not specifying a remote machine, removed these and seems to execute fine apart from "AsAdmin" doesn't seem to execute properly. This adds my username (which is a domain admin anyway) to the local admin group, however, when I log on with a teacher account it fails with an access is denied message, so doesn't look like psexec is applying the username and password correctly, so a bit more digging for me then!

Rischip - The problem is we don't want these users to have rights over the machine when they are logged onto the domain, so the intention of this script is when they are at home they'll run net localgroup administrators /add and when they log on to the schools network they'll run another script net localgroup administrators /remove

(in reply to hales)

Post #: 6

RE: Adding to local admin, possible? - 10/26/2007 7:10:34 AM

Rischip

Posts: 502
Score: 2
Joined: 3/26/2007
Status: offline

Yeah I get it, my point is that the power users group is designed to allow users to install software without fully allowing them to have admin authority. Also net localgroup /add administrators isn't going to work unless they run it as an admin. So if you have removed them from the admin group during the login script on the domain then they won't be able to run the net localgroup /add command. Also it is a security risk to supply an admin password within a script which will remain on the hard drive. Even if it is only a local admin. One more thing to note. If the admin credentials you are supplying in the script have not logged onto the pc before it was disconnected from the domain they will not be cached and the authentication will fail at home.

The syntax of your command appears to be incorrect in the qoutes.

Is AsAdmin a variable, or is it supposed to be text? I read it as a command line argument to determine whether to run a particular routine. If this is correct then it doesn't belong in the psexec command line

_____________________________

Rischip
Author of - The Grim Linker

(in reply to hales)