From: Dave on 10 Jun 2008 12:42

I run a script locally when I'm setting up a machine that adds a domain group to the local administrators group. I use the following:

strComputer = "computer"
Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
Set objGroup = GetObject("WinNT://domain1/techsupport")
objAdmins.Add(objGroup.ADsPath)

This works fine when I'm logged in with a domain account, but there may be times when a user's machine is on the domain but they can only log in with a local user account. The functions above fail because, I'm assuming, the local account doesn't have rights to read Active Directory.

"the network path was not found"

Is there some way I can prompt for a password and then supply that along with the script to authenticate? I have no control over the server so that's not an option. Thanks.

From: Richard Mueller [MVP] on 10 Jun 2008 13:13

Dave wrote:

> I run a script locally when I'm setting up a machine that adds a domain
> group to the local administrators group. I use the following:
>
> strComputer = "computer"
> Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
> Set objGroup = GetObject("WinNT://domain1/techsupport")
> objAdmins.Add(objGroup.ADsPath)
>
> This works fine when I'm logged in with a domain account, but there may be
> times when a user's machine is on the domain but they can only log in with
> a local user account. The functions above fail because, I'm assuming, the
> local account doesn't have rights to read Active Directory.
>
> "the network path was not found"
>
> Is there some way I can prompt for a password and then supply that along
> with the script to authenticate? I have no control over the server so
> that's not an option. Thanks.

First, you could run the script yourself remotely (as long as you are a local administrator, or a member of a group that is, like "Domain Admins"). This would be preferred. Or, you can use the OpenDSObject method and specify alternate credentials. You would either hard code the administrator password or prompt for it. Either way you expose the password. Do you want normal users to know the password? The code could be:
===========
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_USE_ENCRYPTION = &H2

' Specify credentials (or prompt for this).
strUser = "Administrator"
strPassword = "xYz$312q"

' Specify computer (or read from wshNetwork object
' if this is the local computer).
strComputer = "TestComputer"

' Bind to the local Administrators group with alternate credentials.
Set objNS = GetObject("WinNT:")
Set objLocalAdmins = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", strUser, strPassword, _
    ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)

' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://MyDomain/TechSupport,group")

' Check if already a member.
If (objLocalAdmins.IsMember(objDomainGroup.AdsPath) = False) Then
    ' Add the domain group to the local group.
    objLocalAdmins.Add(objDomainGroup.AdsPath)
End If
====
Note this is credentials of a local user, or a member of the local Administrators group (such as a member of "Domain Admins")

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

From: Dave on 10 Jun 2008 13:59

Thanks Richard. I have a script that each of our support team members run on each and every machine that we work on. The group I want to add is a domain group that our support group is located in. If the user is logged in with their domain account then what I posted will work fine. Any domain user has rights to add any other domain user to their local admin group without prompting for credentials.

Running the script remotely will not work for 2 reasons.
1) our group does not have admin rights at that point, so that's why we're adding our group.
2) I want to incorporate this into the script that we always run on each machine.

The situation that worries me, and is most likely, is if the tech runs the script while logged on as a local user. The user is always with the tech at the time of running the script because the tech needs to get the user's phone number and some other information, so inputting their domain user name and password in plain text would be a problem.

"Richard Mueller [MVP]" wrote:

> Dave wrote:
>
> > I run a script locally when I'm setting up a machine that adds a domain
> > group to the local administrators group. I use the following:
> >
> > strComputer = "computer"
> > Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
> > Set objGroup = GetObject("WinNT://domain1/techsupport")
> > objAdmins.Add(objGroup.ADsPath)
> >
> > This works fine when I'm logged in with a domain account, but there may be
> > times when a user's machine is on the domain but they can only log in with
> > a local user account. The functions above fail because, I'm assuming, the
> > local account doesn't have rights to read Active Directory.
> >
> > "the network path was not found"
> >
> > Is there some way I can prompt for a password and then supply that along
> > with the script to authenticate? I have no control over the server so
> > that's not an option. Thanks.
>
> First, you could run the script yourself remotely (as long as you are a local
> administrator, or a member of a group that is, like "Domain Admins"). This
> would be preferred. Or, you can use the OpenDSObject method and specify
> alternate credentials. You would either hard code the administrator password
> or prompt for it. Either way you expose the password. Do you want normal
> users to know the password? The code could be:
> ===========
> Const ADS_SECURE_AUTHENTICATION = &H1
> Const ADS_USE_ENCRYPTION = &H2
>
> ' Specify credentials (or prompt for this).
> strUser = "Administrator"
> strPassword = "xYz$312q"
>
> ' Specify computer (or read from wshNetwork object
> ' if this is the local computer).
> strComputer = "TestComputer"
>
> ' Bind to the local Administrators group with alternate credentials.
> Set objNS = GetObject("WinNT:")
> Set objLocalAdmins = objNS.OpenDSObject("WinNT://" & strComputer _
>     & "/Administrators,group", strUser, strPassword, _
>     ADS_SECURE_AUTHENTICATION Or ADS_USE_ENCRYPTION)
>
> ' Bind to domain group.
> Set objDomainGroup = GetObject("WinNT://MyDomain/TechSupport,group")
>
> ' Check if already a member.
> If (objLocalAdmins.IsMember(objDomainGroup.AdsPath) = False) Then
>     ' Add the domain group to the local group.
>     objLocalAdmins.Add(objDomainGroup.AdsPath)
> End If
> ====
> Note this is credentials of a local user, or a member of the local
> Administrators group (such as a member of "Domain Admins")
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
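
A prompt-based variant of the OpenDSObject approach discussed in this thread, as an added example that is not part of the original posts: it reads the account name and a non-echoed password at the console instead of hard-coding them, and binds both groups with those credentials. It assumes cscript.exe, the ScriptPW.Password COM object (shipped with Windows XP and Server 2003), an account that is allowed to change the local Administrators group, and the MyDomain/TechSupport group path used as a placeholder in the thread.

```vbscript
Option Explicit
Const ADS_SECURE_AUTHENTICATION = &H1
' Placeholder group path taken from the thread; replace with the real domain group.
Const DOMAIN_GROUP = "WinNT://MyDomain/TechSupport,group"

Dim objNet, objPwd, objNS, objLocalAdmins, objDomainGroup
Dim strComputer, strUser, strPassword

' GetPassword reads from the console, so wscript.exe cannot be used.
If InStr(1, WScript.FullName, "cscript.exe", vbTextCompare) = 0 Then
    WScript.Echo "Run this script with cscript.exe."
    WScript.Quit 1
End If

' Use the name of the machine the script is running on.
Set objNet = CreateObject("WScript.Network")
strComputer = objNet.ComputerName

WScript.StdOut.Write "Account (DOMAIN\user): "
strUser = WScript.StdIn.ReadLine
WScript.StdOut.Write "Password: "
Set objPwd = CreateObject("ScriptPW.Password")
strPassword = objPwd.GetPassword()    ' typed characters are not echoed
WScript.StdOut.WriteLine

' Bind both groups with the entered credentials rather than the logon session.
Set objNS = GetObject("WinNT:")
On Error Resume Next
Set objLocalAdmins = objNS.OpenDSObject("WinNT://" & strComputer _
    & "/Administrators,group", strUser, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number = 0 Then
    Set objDomainGroup = objNS.OpenDSObject(DOMAIN_GROUP, strUser, _
        strPassword, ADS_SECURE_AUTHENTICATION)
End If
strPassword = ""    ' release the string once both binds have been attempted
If Err.Number <> 0 Then
    WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' Add the domain group only if it is not already a member.
If objLocalAdmins.IsMember(objDomainGroup.ADsPath) Then
    WScript.Echo "Already a member: " & objDomainGroup.ADsPath
Else
    objLocalAdmins.Add objDomainGroup.ADsPath
    WScript.Echo "Added: " & objDomainGroup.ADsPath
End If
```

The password is never shown on screen or stored in the script file, but it is still held in memory as a plain string while the binds run.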