

Controlling local Administrator Group Membership through xls or csv file

 
 Controlling local Administrator Group Membership through... - 6/17/2008 12:57:58 PM   
  shayro.mendez

 

Posts: 3
Score: 0
Joined: 6/17/2008
Status: offline
I need a script, the idea being to run it from or through a startup GPO, that takes a list of people I give it in an Excel file (file.xls) and checks whether the users on that list belong to the local Administrators group of the PC. If a user is on the list and is in this group, do not touch it, but if a user is in the group and is not on the list, delete the user.
It should do this only with users in this group, not with global groups, because I have the Domain Admins group and a support group there too.
Actually, what I'm looking for is a script that works as a checklist. Restricted Groups doesn't work the way I want: it cleans the local Administrators group every time the GPO is applied, and this does not help; at least it does not work well in Windows 2000 Server. I believe that in 2003 this is corrected, but for now I cannot migrate. If the user is not on the list that the script consults, it clears the user from the group. And now that I'm thinking about it, the user should also be associated with the name of the PC where the user is an administrator, or with the MAC address of the PC.
Let's see if I can explain better: I want the script to go through the members of the local Administrators group and collate them against a list given in Excel, with the user (RACF) and the MAC address or name of the PC, the user(s) from the Excel list in the local Administrators group.

To clean the local Administrators group, I need to clean it up with a criterion: the list of users that I have in file.xls. The check must be dual, because the user must be associated with the name of the machine or its MAC address. So the list has 2 fields, user name and PC name or MAC address, because otherwise the user on the list becomes an administrator on all machines, and I want a user on one particular machine.
 
 
Post #: 1
 
 RE: Controlling local Administrator Group Membership thro... - 6/17/2008 1:15:48 PM   
  dm_4ever


Posts: 2593
Score: 46
Joined: 6/29/2006
From: Orange County, California
Status: offline
So what have you done so far?

If you came in hopes that someone would simply write a script for you....this is the wrong place.....I'd like to have a lot of $$ but that is not happening.

_____________________________

dm_4ever

My philosophy: K.I.S.S - Keep It Simple Stupid
Read Me: http://www.visualbasicscript.com/m_24727/tm.htm
Frequently Asked Stuff: http://www.visualbasicscript.com/m_47117/tm.htm

(in reply to shayro.mendez)
 
 
Post #: 2
 
 RE: Controlling local Administrator Group Membership thro... - 6/17/2008 1:37:44 PM   
  shayro.mendez

 

Posts: 3
Score: 0
Joined: 6/17/2008
Status: offline


******************** Started processing ********************

*** Enumerating accounts in Administrators group ***

Member of Administrators group: Administrator
SID of the account (if ending with F4010000 then it's local Administrator):
01050000000000051500000043170A327973DD0675B97554F4010000
*** Administrator Account Found ***
*** Administrator password reset ***
*** Administrator account renamed ***
Member of Administrators group: Marcin.Policht
Member of Administrators group: S-1-5-21-1993962763-413027322-1607980848-519
Member of Administrators group: Domain Admins
Member of Administrators group: Enterprise Admins

*** Adding global groups to Administrators group ***

*** Adding MyDomain\Desktop Admins to Administrators group ***
*** MyDomain\Desktop Admins added successfully to Administrators group ***
*** Adding MyDomain\Domain Admins to Administrators group ***
*** MyDomain\Domain Admins added successfully to Administrators group ***

******************** Finished processing PCTEST001 ********************

******************** Finished processing ********************
And below is the content of the script. Change the values of the variables strLocalGroup, strNewAdminName, strPassword, strPCFile, strLogFile, and strGlobalAdminGroups to match your requirements, save the modified contents as ManageLocal.vbs (or whatever other name you deem appropriate) and execute it by running:
cscript //nologo ManageLocal.vbs


Option Explicit
On Error Resume Next

'********************************************************************************************************
'*** SID for the Administrator's account is equal to S-1-5--500
'*** 500(decimal) translates into 000001F4(hex), which in the little endian notation becomes F4010000
'*** This value is stored in the HEX_500_LE constant
Const HEX_500_LE = "F4010000"
Const ADS_SID_WINNT_PATH = 5
Const ADS_SID_HEXSTRING = 1
Const NO_OVERWRITE = TRUE 'used by CreateTextFile of the FileSystemObject
Const FOR_READING = 1 'used by Scripting.FileSystemObject methods
Const SEP = 20 'used as separator in output listing

Dim strLocalGroup 'name of local group whose membership is to be modified
' (e.g. "Administrators")
Dim objLocalGroup 'object representing local group whose membership is to be modified
Dim strNewAdminName 'new name to be assigned to local Administrator account
' (e.g. "SomeoneElse" in our example)
Dim strPassword 'new password to be set for local Administrator account
' (e.g. "Pa$$w0rd" in our example)
Dim strLogFile 'name of the file containing script logging information
Dim strPCFile 'name of the file containing list of target computers
Dim objLogFile 'object representing log file
Dim objPCFile 'object representing file containing list of target computers
Dim strGlobalAdminGroups 'semicolon-separated list of global groups to be added to the local group
'each group is in form DOMAIN_NAME/GLOBAL_GROUP_NAME
Dim arrGlobalAdminGroups 'array of global groups to be added to the local group
'each group is in form DOMAIN_NAME/GLOBAL_GROUP_NAME
Dim arrGlobalAdminGroup 'helper array containing two elements: domain name and global group name
Dim objUserEnv 'object used to access set of User environment variables
Dim strTempFolder 'name of the temporary folder (where the log file is stored)
Dim strComputer 'name of a target computer
Dim objComputer 'object representing the target computer
Dim blnAdminFound 'used to determine if the administrator's account has been found
Dim objLocalAdmin 'object representing member of the target local group
Dim objSID 'object referencing SID of the local Administrator account
Dim strSIDHex 'hexadecimal representation of the SID of the local Administrator account
Dim intCount 'loop counter
Dim objFSO, objShell 'Scripting.FileSystemObject and Wscript.Shell objects
Dim objGroup 'object representing a global group being added to the local group

strLocalGroup = "Administrators"
strNewAdminName = "SomeoneElse"
strPassword = "Pa$$w0rd"
strPCFile = "PCList.txt"
strLogFile = "SetLocalAdmins.LOG"
strGlobalAdminGroups = "MyDomain\Desktop Admins;MyDomain\Domain Admins"
arrGlobalAdminGroups = Split(strGlobalAdminGroups,";")

'********************************************************************************************************
'*** create log file in the TEMP folder

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
Set objUserEnv = objShell.Environment("USER")
strTempFolder = objShell.ExpandEnvironmentStrings(objUserEnv("TEMP"))
Set objLogFile = objFSO.CreateTextFile(strTempFolder & "\" & strLogFile, NO_OVERWRITE)

If Err.Number <> 0 Then
WScript.Echo "Failed to create the log file. Terminating ..."
WScript.Quit
End If

objLogFile.WriteLine("Started logging at " & Now())
objLogFile.WriteLine()

'********************************************************************************************************
'*** open file containing list of PC names

Set objPCFile = objFSO.OpenTextFile(strPCFile, FOR_READING)

If Err.Number <> 0 Then
WScript.Echo "Failed to access the PC listing file. Terminating ..."
WScript.Quit
End If

'********************************************************************************************************
'*** for each PC listed in the file :
'*** rename local admin account,
'*** change password,
'*** add global groups to the local group

Do While NOT objPCFile.AtEndOfStream
strComputer = objPCFile.ReadLine
blnAdminFound = FALSE 'indicates whether local Administrator account has been found

WScript.Echo String(SEP,"*") & " Started processing " & strComputer & " " & String(SEP,"*")
objLogFile.WriteLine String(SEP,"*") & " Started processing " & strComputer & " " & String(SEP,"*")
objLogFile.WriteLine()

'********************************************************************************************************
'*** Enumerate local admin accounts

Set objLocalGroup = GetObject("WinNT://" & strComputer & "/" & strLocalGroup)

objLogFile.WriteLine("*** Enumerating accounts in " & strLocalGroup & " group ***")
objLogFile.WriteLine()

For Each objLocalAdmin In objLocalGroup.Members

objLogFile.WriteLine("Member of " & strLocalGroup & " group: " & objLocalAdmin.Name)

'****************************************************************************************************
'*** Get SID Information, based on it find local Administrator account
'*** SID for the Administrator's account is equal to S-1-5--500

If (NOT blnAdminFound) Then

Set objSID = CreateObject("ADsSID")
objSID.SetAs ADS_SID_WINNT_PATH, "WinNT://" & strComputer & "/" & _
objLocalAdmin.Name & ",user"
strSIDHex = objSID.GetAs(ADS_SID_HEXSTRING)

objLogFile.WriteLine("SID of the account (if ending with F4010000 then " & _
"it's local Administrator): " & vbCrLF & strSIDHex)

If (strComp(Right(strSIDHex, 8), HEX_500_LE, vbTextCompare) = 0) Then

objLogFile.WriteLine("*** Administrator Account Found ***")

'************************************************************************************************
'*** Reset the password for the local Administrator account

Err.Clear 'discard errors left by earlier calls (e.g. SetAs on a non-user member)
objLocalAdmin.SetPassword(strPassword)

If Err.Number = 0 Then
objLogFile.WriteLine("*** Administrator password reset ***")
Else
objLogFile.WriteLine("*** Problems resetting Administrator password ***")
objLogFile.WriteLine("*** Error :" & Err.Number & " " & Err.Description & " ***")
End If
'************************************************************************************************
'*** Rename the local Administrator account

Err.Clear 'so the check below reports on the rename only
Set objComputer = GetObject("WinNT://" & strComputer)
objComputer.MoveHere objLocalAdmin.AdsPath, strNewAdminName

If Err.Number = 0 Then
objLogFile.WriteLine("*** Administrator account renamed ***")
Else
objLogFile.WriteLine("*** Problems renaming Administrator account ***")
objLogFile.WriteLine("*** Error :" & Err.Number & " " & Err.Description & " ***")
End If

blnAdminFound = TRUE

End If
End If
Next

'****************************************************************************************************
'*** Add global groups to local Administrators

objLogFile.WriteLine()
objLogFile.WriteLine("*** Adding global groups to " & strLocalGroup & " group ***")
objLogFile.WriteLine()

For intCount = 0 To UBound(arrGlobalAdminGroups)

objLogFile.WriteLine("*** Adding " & arrGlobalAdminGroups(intCount) & " to " & _
strLocalGroup & " group ***")

arrGlobalAdminGroup = split(arrGlobalAdminGroups(intcount), "\")

Err.Clear 'start from a clean error state so the check below reflects this Add only
objLocalGroup.Add("WinNT://" & arrGlobalAdminGroup(0) & "/" & arrGlobalAdminGroup(1))

If Err.Number = 0 Then
objLogFile.WriteLine("*** " & arrGlobalAdminGroups(intCount) & _
" added successfully to " & strLocalGroup & " group ***")
Else
Set objGroup = GetObject("WinNT://" & arrGlobalAdminGroup(0) & "/" & _
arrGlobalAdminGroup(1))
'ask the local group whether the global group is already one of its members
If objLocalGroup.IsMember(objGroup.ADsPath) Then
objLogFile.WriteLine("*** The group " & arrGlobalAdminGroups(intCount) & _
" is already a member of " & strLocalGroup & " group ***")
Else
objLogFile.WriteLine("*** Problems adding " & arrGlobalAdminGroups(intCount) & _
" to " & strLocalGroup & " group ***")
objLogFile.WriteLine("*** Error :" & Err.Number & " " & Err.Description & " ***")
End If
End If

Next

WScript.Echo String(SEP,"*") & " Finished processing " & strComputer & " " & String(SEP,"*")
objLogFile.WriteLine()
objLogFile.WriteLine(String(SEP,"*") & " Finished processing " & strComputer & " " & String(SEP,"*"))
objLogFile.WriteLine()

Loop

objLogFile.WriteLine(String(SEP,"*") & " Finished processing " & String(SEP,"*"))

objLogFile.Close
objPCFile.Close


(in reply to dm_4ever)
 
 
Post #: 3
 
 RE: Controlling local Administrator Group Membership thro... - 6/17/2008 1:42:30 PM   
  shayro.mendez

 

Posts: 3
Score: 0
Joined: 6/17/2008
Status: offline
Until now:

  • Renaming the local Administrator account,
  • Resetting the password for this account to an arbitrarily chosen string,
  • Listing the membership of a local group you specified (this would typically be used for local Administrators or Power Users groups, but any other group name will work as well),
  • Adding any number of global groups into the specified local group (again, most often targeted at Administrators or Power Users, although can be used with any other local group)
I don't know how to do the part with the xls or csv file, that's why I came here; maybe someone could give me some direction. I didn't ask for the complete script, but maybe someone has already written something similar.

(in reply to dm_4ever)
 
 
Post #: 4
 
 RE: Controlling local Administrator Group Membership thro... - 6/17/2008 2:27:30 PM   
  dm_4ever


Posts: 2593
Score: 46
Joined: 6/29/2006
From: Orange County, California
Status: offline
1.  Well, since you will be deploying this via a GPO, it may be safer to stick to a CSV file, since it is plain text and who knows if all machines have Excel.
2.  To work with a CSV file you will need to read the content using FileSystemObject (plenty of examples around)
3.  You would use the Split function to split the text lines using the comma as the separator

I'm still a bit confused on your request.

You're trying to limit the members of certain groups, which is different for different computers?  This sounds a bit confusing, and you may just start with thinking of a logical association before you start with the code.


(in reply to shayro.mendez)
 
 
Post #: 5
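
The CSV approach outlined in post 5 (FileSystemObject plus Split), applied to the per-computer allow list requested in post 1, as an added example that is not code from either poster. The file paths, the two-column layout (ComputerName,Domain\User) and the REPORT_ONLY switch are assumptions made for the illustration.

```vbscript
Option Explicit
' Added example. Assumed CSV layout, one pair per line: ComputerName,Domain\User
' (use ComputerName\User for a local account). Both file paths are hypothetical.
Const CSV_PATH = "\\MyDomain\NETLOGON\AdminAllow.csv"
Const LOG_PATH = "C:\AdminAllow.log"
Const REPORT_ONLY = True          ' log intended removals only; set False to enforce
Const FOR_READING = 1, FOR_APPENDING = 8

Dim objFSO, objLog, objCsv, dictAllowed, strComputer, arrFields
Dim objGroup, objMember, arrPath, strAccount
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLog = objFSO.OpenTextFile(LOG_PATH, FOR_APPENDING, True)
strComputer = CreateObject("WScript.Network").ComputerName

' Collect the accounts allowed on THIS computer; names compare case-insensitively.
Set dictAllowed = CreateObject("Scripting.Dictionary")
dictAllowed.CompareMode = vbTextCompare
Set objCsv = objFSO.OpenTextFile(CSV_PATH, FOR_READING)
Do While Not objCsv.AtEndOfStream
    arrFields = Split(objCsv.ReadLine, ",")
    If UBound(arrFields) = 1 Then
        If StrComp(Trim(arrFields(0)), strComputer, vbTextCompare) = 0 Then
            dictAllowed(Trim(arrFields(1))) = True
        End If
    End If
Loop
objCsv.Close

' Fail safe: with no rows for this PC, change nothing rather than empty the group.
If dictAllowed.Count = 0 Then
    objLog.WriteLine Now & " " & strComputer & ": no rows in list, nothing changed"
    WScript.Quit
End If

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objMember In objGroup.Members
    ' Only user accounts are checked; global groups such as Domain Admins are kept.
    If StrComp(objMember.Class, "User", vbTextCompare) = 0 Then
        ' ADsPath ends in <domain or computer>/<name>; rebuild it as Authority\Name.
        arrPath = Split(Mid(objMember.ADsPath, Len("WinNT://") + 1), "/")
        If UBound(arrPath) >= 1 Then
            strAccount = arrPath(UBound(arrPath) - 1) & "\" & arrPath(UBound(arrPath))
            If Not dictAllowed.Exists(strAccount) Then
                objLog.WriteLine Now & " " & strComputer & ": not on list: " & strAccount
                If Not REPORT_ONLY Then objGroup.Remove objMember.ADsPath
            End If
        End If
    End If
Next
objLog.Close
```

Anyone who can edit the list decides who is a local administrator, so keep it where only administrators can write. The example matches on computer name only; the MAC address variant from the first post is not covered.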
 
 
 
  
