The Realm of the Verbal Processor

Jarvis's Ramblings

VBS for Adding User to Local Admin Group

Scott sent me this question via the contact form on my blog:

I saw a post you made about using PowerShell to add a domain user to a local administrator group during a task sequence (https://verbalprocessor.com/2008/04/08/add-domain-user-to-local-administrators-group/).  I am trying to do the same thing, but don’t necessarily want to incorporate PowerShell at this time.  I was hoping to use MDT and the Administrators1 task sequence variable, but this doesn’t seem to work.  I have a vbscript that works when run manually, but it can’t connect to the domain to get the user account object when executed via the task sequence.  I’ve tried a few different methods to run under a certain service account, but unless that account is an admin, it doesn’t seem to work.  You had indicated that you have a VBscript that was doing this successfully.  Can I by any chance get a copy of that script?  If you have any other suggestions for me, I would welcome that as well.  I look forward to hearing from you.  Thank you!

I think Scott may have misunderstood what I did in that post. In the post that Scott references I wrote a PowerShell script for running manually after the task sequence is finished to add a domain user to the local admin group of a remote machine. In that post I actually mentioned that I had trouble getting it to work with VBS…even though I was using a Scripting Guys post to try to build the VBS version. I can’t locate the particular Scripting Guys article that I was looking at, but there are several posts related to this from community members at this link.

I did have a VBS that would do this as part of a task sequence that I used at a client earlier this year, however for some reason it stopped working in my demo environment…and I don’t know why. So unfortunately, I don’t have a working VBscript for this that I can share.


October 28, 2009 - Posted by | scripting

1 Comment »

  1. Hi Jarvis,

    Thanks for following up. I actually was able to resolve this issue by using the AD account SID to add to the local group. It’s a little more difficult because now I have to manage all the local admin groups as well as the SIDs, but I have a utility for storing the info in SQL. Then when the task sequence runs, it just pulls the info it needs from there. Here is the code I’m using:

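    ' Helper objects: shell, file system (for the log) and network (for the computer name)
    Set WshShell = CreateObject("WScript.Shell")
    Set Fso = CreateObject("Scripting.FileSystemObject")
    Set WshNet = CreateObject("WScript.Network")

    ' Task sequence environment, used to read task sequence variables
    Set oTaskSequence = CreateObject("Microsoft.SMS.TSEnvironment")

    ' Errors are not raised; the final error code is written to the log instead
    On Error Resume Next

    ' SID of the domain group, supplied through the AdministratorSID task sequence variable
    DomainGroupSID = oTaskSequence("AdministratorSID")

    Set logfile = Fso.CreateTextFile("C:\windows\temp\AddAdmin.log")
    logfile.WriteLine "AddAdmin.vbs Results"
    logfile.WriteLine "Executed on " & Now()
    logfile.WriteLine "Local group to add to: WinNT://" & WshNet.ComputerName & "/Administrators,group"
    logfile.WriteLine "Admin group to add winnt://" & DomainGroupSID

    ' Bind to the local Administrators group and to the domain group by its SID
    Set localgroup = GetObject("WinNT://" & WshNet.ComputerName & "/Administrators,group")
    Set admingroup = GetObject("WinNT://" & DomainGroupSID)

    ' Add the domain group to the local Administrators group
    localgroup.Add admingroup.ADsPath

    logfile.WriteLine "Add completed with error code " & Err.Number
    logfile.Close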

    Comment by Scott | October 29, 2009

