The Realm of the Verbal Processor

Jarvis's Ramblings

VBS for Adding User to Local Admin Group

Posted by Jarvis on October 28, 2009

Scott sent me this question via the contact form on my blog:

I saw a post you made about using PowerShell to add a domain user to a local administrator group during a task sequence (http://verbalprocessor.com/2008/04/08/add-domain-user-to-local-administrators-group/).  I am trying to do the same thing, but don’t necessarily want to incorporate PowerShell at this time.  I was hoping to use MDT and the Administrators1 task sequence variable, but this doesn’t seem to work.  I have a vbscript that works when run manually, but it can’t connect to the domain to get the user account object when executed via the task sequence.  I’ve tried a few different methods to run under a certain service account, but unless that account is an admin, it doesn’t seem to work.  You had indicated that you have a VBscript that was doing this successfully.  Can I by any chance get a copy of that script?  If you have any other suggestions for me, I would welcome that as well.  I look forward to hearing from you.  Thank you!

I think Scott may have misunderstood what I did in that post. In the post that Scott references I wrote a PowerShell script for running manually after the task sequence is finished to add a domain user to the local admin group of a remote machine. In that post I actually mentioned that I had trouble getting it to work with VBS…even though I was using a Scripting Guys post to try to build the VBS version. I can’t locate the particular Scripting Guys article that I was looking at, but there are several posts related to this from community members at this link.

I did have a VBS that would do this as part of a task sequence that I used at a client earlier this year; however, for some reason it stopped working in my demo environment…and I don’t know why. So unfortunately, I don’t have a working VBScript for this that I can share.


One Response to “VBS for Adding User to Local Admin Group”

  1. Scott said

    Hi Jarvis,

    Thanks for following up. I actually was able to resolve this issue by using the AD account SID to add to the local group. It’s a little more difficult because now I have to manage all the local admin groups as well as the SIDs, but I have a utility for storing the info in SQL. Then when the task sequence runs, it just pulls the info it needs from there. Here is the code I’m using:

    Set WshShell = CreateObject("WScript.Shell")
    Set Fso = CreateObject("Scripting.FileSystemObject")
    Set WshNet = CreateObject("WScript.Network")

    ' Task sequence environment, used to read task sequence variables
    Set oTaskSequence = CreateObject("Microsoft.SMS.TSEnvironment")

    ' From here on errors are not raised; the last error number is logged at the end
    On Error Resume Next

    ' SID of the AD group to add, supplied by the task sequence
    DomainGroupSID = oTaskSequence("AdministratorSID")

    Set logfile = Fso.CreateTextFile("C:\windows\temp\AddAdmin.log")
    logfile.WriteLine "AddAdmin.vbs Results"
    logfile.WriteLine "Executed on " & Now()
    logfile.WriteLine "Local group to add to: WinNT://" & WshNet.ComputerName & "/Administrators,group"
    logfile.WriteLine "Admin group to add winnt://" & DomainGroupSID

    ' Bind to the local Administrators group and to the AD group by its SID
    Set localgroup = GetObject("WinNT://" & WshNet.ComputerName & "/Administrators,group")
    Set admingroup = GetObject("WinNT://" & DomainGroupSID)

    localgroup.Add admingroup.ADsPath

    logfile.WriteLine "Add completed with error code " & Err.Number
    logfile.Close
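
A stricter take on the same task sequence step, as an added example that is not the commenter's or the blog author's code. It assumes Windows PowerShell 5.1 (the Microsoft.PowerShell.LocalAccounts cmdlets) running in the full OS, reuses the AdministratorSID variable and log path from the script above, and differs in that it validates the SID and fails the step on the first error instead of continuing past it.

```powershell
# Added example (not from the original post). Intended to run as a task
# sequence step under an account that is allowed to edit local groups.
$ErrorActionPreference = 'Stop'
$log = 'C:\Windows\Temp\AddAdmin.log'   # same log path the VBScript uses

function Write-Log([string]$Message) {
    Add-Content -Path $log -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

try {
    # Read the task sequence variable used in the comment above.
    $tsenv  = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $rawSid = $tsenv.Value('AdministratorSID')

    # The constructor throws on anything that is not a well-formed SID string.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($rawSid)

    # Accept only account SIDs (S-1-5-21-...). This rejects well-known SIDs
    # such as Everyone (S-1-1-0) or Authenticated Users (S-1-5-11), which a
    # wrong or tampered variable could otherwise place in Administrators.
    if ($null -eq $sid.AccountDomainSid) {
        throw "Refusing to add non-account SID '$rawSid'"
    }

    # Find the built-in Administrators group by its fixed SID, because its
    # display name is localized on non-English installs.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'

    # Make the step idempotent: compare by SID, not by resolved name.
    $already = Get-LocalGroupMember -Group $admins |
        Where-Object { $_.SID -eq $sid }
    if ($already) {
        Write-Log "$sid is already a member of $($admins.Name); nothing to do"
    } else {
        Add-LocalGroupMember -Group $admins -Member $sid.Value
        Write-Log "Added $sid to $($admins.Name)"
    }
} catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1   # non-zero exit so the task sequence reports the step as failed
}
```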
