Tuesday, September 8, 2009

Manage local admins through Active Directory

For a client we needed a way to grant a user local admin rights on his or her own PC or laptop. We could use Group Policy, but then we would need a GPO per computer; we could use AD groups, but then we would need an AD group for each computer and have to maintain all of them.

So I came up with the idea of using the Managed By field (the managedBy attribute) of the computer object in AD. You enter the user in that field and assign the following script to run at startup through a GPO. At boot the script looks up the computer's own object, reads managedBy and adds that user to the local Administrators group.

Problem solved.....

Two things to keep in mind. The script runs as LocalSystem and trusts the attribute completely, so anyone who can write managedBy on a computer object (delegated helpdesk staff, or the account that created the computer object, which owns it and can therefore rewrite its ACL) can make any account local admin on that machine at its next boot; check and restrict who has that permission. The script also only ever adds: if you change or clear Managed By, the previous user keeps local admin until someone removes him by hand. And because it queries a domain controller at boot, enable "Always wait for the network at computer startup and logon" for these computers, otherwise the script may run before the network is up and, with On Error Resume Next, silently do nothing.


'==========================================================================
'
' NAME: Managed By to Local Admin
'
' AUTHOR: Bas Steelooper , Steelooper Consulting
' DATE : 18-11-2008
'
' COMMENT: Add the managed by user to the local administrators.
'          Runs as a GPO computer startup script (LocalSystem), so it may
'          change the local Administrators group and reads AD as the
'          computer account.
'
'==========================================================================

' Errors (user already a member, DC not reachable yet, ...) are ignored so
' the startup script never blocks the boot. They are also invisible.
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

Dim hostname
Dim objGroup
Dim username

Set WshShell = CreateObject("WScript.Shell")
Set ObjEnv = WshShell.Environment("Process")
hostname = ObjEnv("COMPUTERNAME")

' Local Administrators group of this machine (the name is localized on
' non-English Windows, e.g. "Administratoren" on German installs)
Set objGroup = GetObject("WinNT://./Administrators,group")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

' Find this computer's object and read its managedBy attribute.
' The search base is the client's domain; adjust it per domain (or read
' defaultNamingContext from LDAP://RootDSE instead of hard-coding it).
Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select Name, ManagedBy from " & _
"'LDAP://DC=code1,DC=emi,DC=philips,DC=com' where objectClass='computer' and name='" & hostname & "'"
objCommand.Properties("Page Size") = 10
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

' Execute leaves the cursor on the first record; MoveFirst on an empty
' recordset would only raise an (ignored) error.
Do Until objRecordSet.EOF

  ' managedBy is Null when nobody is set; skip instead of binding to "LDAP://"
  If Not IsNull(objRecordSet.Fields("ManagedBy").Value) Then
    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("ManagedBy").Value)

    ' Managed By can also hold a group or a contact; only a user object is added
    If LCase(objUser.Class) = "user" Then
      username = objUser.sAMAccountName
      ' Code1 is the client's NetBIOS domain name; the WinNT provider needs it
      objGroup.Add "WinNT://Code1/" & username & ",user"
    End If
  End If

  objRecordSet.MoveNext
Loop

' Release the group object after the loop, not inside it, or a second
' record would have nothing to add to
Set objGroup = Nothing
objRecordSet.Close
objConnection.Close
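The same startup script in PowerShell, as an added example that is not the script from the post above. It does what the VBScript does, and additionally remembers which account it granted so it can revoke that grant when Managed By changes or is cleared, ignores a Managed By that points at a group, contact or computer, reads the domain from RootDSE instead of a hard-coded DN, and finds the Administrators group by its well-known SID so localized group names work. Assumptions: it runs as a GPO computer startup script (LocalSystem) with the domain reachable at boot, and the registry key name is chosen for this example.

```powershell
# Added example, not the script from the post above. Assumed to run as a GPO
# computer startup script (LocalSystem) with the domain reachable at boot;
# the registry key name below is chosen for this example.
$ErrorActionPreference = 'Stop'
$StateKey  = 'HKLM:\SOFTWARE\ManagedByLocalAdmin'   # hypothetical: remembers the last grant
$StateName = 'GrantedAccount'

function Get-NtAccountFromSid([byte[]]$SidBytes) {
    # objectSid -> DOMAIN\name; yields the NetBIOS domain without hard-coding it
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidBytes, 0)
    return $sid.Translate([System.Security.Principal.NTAccount]).Value
}

function Get-DesiredAdmin {
    # Returns the Managed By account of this computer as DOMAIN\user,
    # or $null when the field is empty or does not point at a user object.
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext    # no hard-coded DC=...
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $sam = $env:COMPUTERNAME + '$'                               # computer accounts end in $
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$sam))"
    [void]$searcher.PropertiesToLoad.Add('managedBy')
    $hit = $searcher.FindOne()
    if (-not $hit -or $hit.Properties['managedBy'].Count -eq 0) { return $null }

    $manager = [ADSI]"LDAP://$($hit.Properties['managedBy'][0])"
    $classes = @($manager.objectClass)
    # Managed By may hold a group, contact or even a computer; only a user gets admin
    if ($classes -notcontains 'user' -or $classes -contains 'computer') { return $null }
    return Get-NtAccountFromSid $manager.objectSid.Value
}

function Get-LocalAdminsGroup {
    # Resolve the group by well-known SID so localized names (e.g. "Administratoren") work
    $sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    return [ADSI]"WinNT://./$name,group"
}

function Set-ManagedByAdmin([string]$Desired) {
    $group    = Get-LocalAdminsGroup
    $previous = (Get-ItemProperty -Path $StateKey -Name $StateName -ErrorAction SilentlyContinue).$StateName

    if ($previous -and $previous -ne $Desired) {
        # Managed By changed or was cleared: revoke what this script granted last time
        $d, $u = $previous.Split('\')
        try { $group.Remove("WinNT://$d/$u,user") }
        catch { Write-Warning "Could not remove $previous from local Administrators: $_" }
        Remove-ItemProperty -Path $StateKey -Name $StateName -ErrorAction SilentlyContinue
    }
    if ($Desired -and $Desired -ne $previous) {
        # Add only what Managed By says right now and remember it for the next boot
        $d, $u = $Desired.Split('\')
        try { $group.Add("WinNT://$d/$u,user") }
        catch { Write-Warning "Could not add $Desired (already a member?): $_" }
        New-Item -Path $StateKey -Force | Out-Null
        Set-ItemProperty -Path $StateKey -Name $StateName -Value $Desired
    }
}

Set-ManagedByAdmin (Get-DesiredAdmin)
```

The registry value is what makes revocation possible: a group member carries no record of who added it, so without remembering the last grant the script could not tell its own entry apart from admins added for other reasons. Warnings instead of silent On Error Resume Next mean a failed add or remove shows up in the startup script output and the event log when Group Policy logging is on.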


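Because whoever can write managedBy on a computer object can hand out local admin on that machine, it is worth knowing who that is. The following check is an added example, not code from the post: it reads the security descriptor of one computer object and lists the object's owner plus every Allow entry that grants WriteProperty on all properties or on managedBy itself, or that grants WriteDacl/WriteOwner (which lets the holder give itself that right). It runs with ordinary domain read access from an admin workstation; the DN is a placeholder to replace, and the function names are this example's own.

```powershell
# Added example, not from the post. Lists who can set Managed By on one computer
# object, and so make any account local admin on that machine at its next boot.
# Run with domain read access; the DN below is a placeholder to replace.
$computerDn = 'CN=PC-0001,OU=Workstations,DC=example,DC=com'   # hypothetical

function Get-ManagedByGuid {
    # schemaIDGUID of the managedBy attribute, read from the schema instead of hard-coded
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc", '(lDAPDisplayName=managedBy)')
    [void]$s.PropertiesToLoad.Add('schemaIDGUID')
    $bytes = [byte[]]$s.FindOne().Properties['schemaIDGUID'][0]
    return New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-ManagedByWriters([string]$Dn) {
    $entry    = [ADSI]"LDAP://$Dn"
    $target   = Get-ManagedByGuid
    $write    = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    # WriteDacl/WriteOwner holders can grant themselves the property right, so report them too
    $takeOver = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner'

    # The owner can always rewrite the DACL; the account that created a computer object owns it
    $owner = $entry.ObjectSecurity.GetOwner([System.Security.Principal.NTAccount]).Value
    [pscustomobject]@{ Identity = $owner; Rights = 'Owner (implicit WriteDacl)'; Inherited = $false }

    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($r in $rules) {
        # Deny entries are not subtracted here; this lists candidates, not effective access
        if ($r.AccessControlType -ne 'Allow') { continue }
        $bits = [int]$r.ActiveDirectoryRights
        # WriteProperty counts when it covers all properties (empty GUID) or managedBy itself;
        # property sets are not expanded. GenericAll/GenericWrite include the WriteProperty bit.
        $canWriteAttr = (($bits -band $write) -ne 0) -and
                        ($r.ObjectType -eq [guid]::Empty -or $r.ObjectType -eq $target)
        if ($canWriteAttr -or (($bits -band $takeOver) -ne 0)) {
            [pscustomobject]@{
                Identity  = $r.IdentityReference.Value
                Rights    = $r.ActiveDirectoryRights
                Inherited = $r.IsInherited
            }
        }
    }
}

Get-ManagedByWriters $computerDn | Format-Table -AutoSize
```

Run it against a few computer objects in the OU where the GPO applies; the inherited entries show what a delegation on the OU gives away, and the owner line shows that a user who joined the machine to the domain himself already has the right through ownership.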
Use it freely if you want. But please post here if you do.
