
ADSI Scripting Help needed



This is the scenario I have to design a script for:

Am logged in as Local Administrator

PC is already joined to Domain

Need to add Domain\ICT-Desktop Support to Local Administrators Group.

Need to remove Domain\Domain Admins from Local Administrators Group.

I have tried a couple of ADSI Scripts, but get an error saying that network path cannot be found or a General Access Denied error.

I think I need to try and find out how you can bind to the Active Directory and then back to the Local PC in the same script. For example bind to AD with a specific user account to GetObject on the ICT-Desktop Support Group and then to bind to the Local administrators group with the local administrators account to add the domain group to the local group.

I am getting near to tearing my hair out over this problem, have spent days looking at forums, scripting sites with no joy. You guys are my last hope :}



I am not really able to sit down and develop any sample code for you because I have so many ongoing projects at the moment, however I will point to some of the tools that I use. First, a book called The Windows 2000 Scripting Bible, published by McGraw Hill has some excellent introductory ADSI material. There is a VBscript book published by Wrox that is excellent as well and contains some more detailed and advanced ADSI topics. Then there is the Microsoft tool ADSIscriptomatic that will generate some sample code for you.

Keep in mind that ADSI is a very deep and complex topic - more so than WMI in my opinion. What you are looking to do is fairly simple, but I think that you're going to need to understand some of the basics first before you'll be successful in creating the script. Given a little time and research I'm sure that you'll have no problems with it.


Did you try a simple batch file like this:

net localgroup administrators "Domain\ICT-Desktop Support"  /add
net localgroup administrators "Domain\Domain Admins" /delete


Thanks for the replies guys.

RogueSpear, shame you can't draw up some sample code. I really appreciate the suggestions though, will look into them.

GSH, I have searched that website and some of it seems relevant, but not exactly what I am looking for I am afraid.

Allen2, I may use this method as a workaround as I know it works, but I ideally want to use ADSI to tie in with the rest of my script and for a future project I also need to learn how to run ADSI under different credentials so if I can work it out, will be killing 2 birds with 1 stone.

I will go off and try and learn about ADSI and will post back if I work it out.


I'm not sure what you're exactly trying to do but here is a script that should do it:

Option Explicit
'On Error Resume Next
Dim strComputer, strUser, strGroup
Dim objGroup, objUser

strComputer = InputBox("Please enter a computer to connect to:", "Enter Computer Name")
strGroup = "Administrators"

'Add ICT-Desktop Support to the administrators group.
strUser = "ICT-Desktop Support"

Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup)
Set objUser = GetObject("WinNT://domain/" & strUser) '###change domain to your domain
objGroup.Add (objUser.ADsPath)

'Remove Domain Admins from the administrators group.
strUser = "Domain Admins"

Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup)
Set objUser = GetObject("WinNT://domain/" & strUser) '###change domain to your domain
objGroup.Remove (objUser.ADsPath)

Wscript.Echo "Done."


  • 2 weeks later...

Thanks for the reply imric and I am sorry I have only just managed to reply. Have been off work for a week or so.

Have just tried your solution and it works a treat if you are already authenticated on the domain, but it is unable to find the network object if you are not authenticated on the domain.

I need the script to work with me logged in locally to the PC as administrator, i.e. I won't have authenticated onto the domain at all. Can ADSI authenticate onto the domain for me with the relevant encryption?


Did you try to run the file using the runas command? Perhaps creating a batch file to call the .vbs will do what you want? Here's an example:

runas /profile /user:domain\username "cscript.exe c:\vbscript.vbs"


That would work, but I just thought there may have been a way within ADSI itself to authenticate.

It's weird that you don't have to do any of this using the crappy old DOS command of net localgroup.

I think I will stick with this for now, but thanks anyway for all your help.
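
Added example, not part of any post in this thread: the question above about authenticating from within ADSI maps to IADsOpenDSObject::OpenDSObject, which binds to a directory object with explicit credentials. `DOMAIN` is a placeholder, the group names are the ones from the thread, and the script assumes it is run with cscript.exe from a local administrator session on the domain-joined PC.

```vbscript
Option Explicit
' Added example: DOMAIN is a placeholder; group names come from the thread.
Const ADS_SECURE_AUTHENTICATION = 1   ' request secure (negotiated) authentication
Const DOMAIN_NAME = "DOMAIN"          ' assumption: your NetBIOS domain name

Dim objNet, objNS, objLocalGroup, objDomGroup, objMember
Dim strUser, strPassword, strAddPath, strRemovePath

strAddPath = "WinNT://" & DOMAIN_NAME & "/ICT-Desktop Support"
strRemovePath = "WinNT://" & DOMAIN_NAME & "/Domain Admins"

' Prompt instead of hard-coding credentials in the script (input is echoed).
WScript.StdOut.Write "Domain account (DOMAIN\user): "
strUser = WScript.StdIn.ReadLine
WScript.StdOut.Write "Password: "
strPassword = WScript.StdIn.ReadLine

' Bind to the domain group with explicit credentials instead of the local logon.
Set objNS = GetObject("WinNT:")
On Error Resume Next
Set objDomGroup = objNS.OpenDSObject(strAddPath & ",group", strUser, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number <> 0 Then
    WScript.Echo "Domain bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0
strPassword = ""

' Bind to the local group with the current (local administrator) logon.
Set objNet = CreateObject("WScript.Network")
Set objLocalGroup = GetObject("WinNT://" & objNet.ComputerName & "/Administrators,group")

' Change membership only when needed, so the script can be re-run safely.
If Not objLocalGroup.IsMember(objDomGroup.ADsPath) Then
    objLocalGroup.Add objDomGroup.ADsPath
End If
If objLocalGroup.IsMember(strRemovePath) Then
    objLocalGroup.Remove strRemovePath
End If

' List the resulting members so the change can be reviewed.
For Each objMember In objLocalGroup.Members
    WScript.Echo objMember.ADsPath
Next
```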
