Tuesday, September 8, 2009

Manage local admins through Active Directory

For a Client we needed a way to grant a user local admin rights to his / her PC/laptop. We could use Group Policy but than we need an GPO per computer, we could use AD Groups, but than we need an AD Group for each computer and maintain that.

For this I came up with the idea to use the Managed By field of a computer object in AD. You enter a username in that field and assign the following script to run at startup through GPO.

Problem solved.....

' NAME: Managed By to Local Admin
' AUTHOR: Bas Steelooper , Steelooper Consulting
' DATE : 18-11-2008
' COMMENT: Add the managed by user to the local administrators.

On Error Resume Next

dim hostname
dim objGroup

Set wshshell = CreateObject("WScript.Shell")
Set ObjEnv = WshShell.Environment("Process")
hostname = ObjEnv("COMPUTERNAME")

Set objGroup = GetObject("WinNT://./Administrators,group")

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select Name, ManagedBy from " & _
"'LDAP://DC=code1,DC=emi,DC=philips,DC=com' where objectClass='computer' and name='" & hostname & "'"
objCommand.Properties("Page Size") = 10
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF

Set objUser = GetObject( "LDAP://" & objRecordSet.Fields("ManagedBy") )

username = objUser.sAMAccountName

Set objGroup = Nothing

Use it freely if you want. But please post here if you do.

1 comment: