Adding a Domain Account to a local security group

Windows Scripting Host is a very powerful tool that allows you to use simple Visual Basic code syntax to change or customise settings of a computer.  This script will allow you to use Windows Active Directory Group Policy to add a domain user account or group to a local security group of a Windows 2000/XP computer.

There are plenty of script examples around that will do this sort of thing; you can find many of them at http://cwashington.netreach.net.

I once wrote a script that would make a network security group a member of the local power users group for SIMS and FMS to work on network machines.  This was over 3 years ago and I have since lost the script and haven’t visited the school in such a long time.

However, after wanting to do a similar thing, I found a very useful script that did exactly the same thing and that would save me re-inventing the wheel.

 
Set objNetwork = WScript.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & objNetwork.ComputerName & "/Users,group") ' local group to modify
For Each strArgument In WScript.Arguments
     ' Split the DOMAIN\name argument at the backslash
     x = InStr(strArgument, "\")
     If x > 0 Then
          Domain_Name = Left(strArgument, x - 1)
          Admin_Name = Right(strArgument, Len(strArgument) - x)
          DNPath = "WinNT://" & Domain_Name & "/" & Admin_Name
          ' Errors are suppressed here, so a failed Add is silent
          On Error Resume Next
          If Not objGroup.IsMember(DNPath) Then objGroup.Add(DNPath)
          On Error GoTo 0
     End If
Next
Set objGroup = Nothing
Set objNetwork = Nothing

The above code will take a single parameter in the form "<DOMAIN>\<GROUP>".  It will then add the user to the local group.  In this case it will add to the Users group.  To allow the script to add to other groups like Power Users or Administrators, simply change "/Users" in the GetObject line to "/Power Users" etc.

Save the script into a Group Policy Object and then call the script with a user name or group name as the parameter.

If you already know the network group that you want to use and would rather hard code the script, you can use this script.  Again, simply change the "/Users" to the name of the local group.  Also set the NetBIOS domain name and the group name as needed.

Set objNetwork = WScript.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & objNetwork.ComputerName & "/Users,group")
' NetBIOS domain name and the domain user or group to add
Domain_Name = "DOMAIN"
UserGroup_Name = "GROUP"
DNPath = "WinNT://" & Domain_Name & "/" & UserGroup_Name
' Errors are suppressed here, so a failed Add is silent
On Error Resume Next
If Not objGroup.IsMember(DNPath) Then objGroup.Add(DNPath)
On Error GoTo 0
Set objGroup = Nothing
Set objNetwork = Nothing
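
Both scripts run the Add call under On Error Resume Next, so when they are called from a Group Policy Object a failed Add leaves no trace. The following is an added example, not part of the original post or the script it quotes: a variant of the first script that writes each outcome and the resulting group membership to the Application event log. The LOCAL_GROUP constant, the argument check and the message wording are assumptions.

```vbscript
' Added example: add DOMAIN\name arguments to a local group and log the result.
Option Explicit

Const LOCAL_GROUP = "Users"   ' assumption: same local group as the scripts above
Const EVT_ERROR = 1           ' WshShell.LogEvent type: error
Const EVT_INFO = 4            ' WshShell.LogEvent type: information

Dim objShell, objNetwork, objGroup, objMember
Dim strArgument, strPath, strList, x

Set objShell = WScript.CreateObject("WScript.Shell")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set objGroup = GetObject("WinNT://" & objNetwork.ComputerName & "/" & LOCAL_GROUP & ",group")

For Each strArgument In WScript.Arguments
    x = InStr(strArgument, "\")
    ' Accept exactly one backslash with text on both sides of it
    If x > 1 And x < Len(strArgument) And InStr(x + 1, strArgument, "\") = 0 Then
        strPath = "WinNT://" & Left(strArgument, x - 1) & "/" & Mid(strArgument, x + 1)
        If Not objGroup.IsMember(strPath) Then
            On Error Resume Next
            objGroup.Add strPath
            If Err.Number <> 0 Then
                ' Typical causes: not running as an administrator, unknown account
                objShell.LogEvent EVT_ERROR, "Could not add " & strArgument & " to " & _
                    LOCAL_GROUP & ": 0x" & Hex(Err.Number) & " " & Err.Description
                Err.Clear
            Else
                objShell.LogEvent EVT_INFO, "Added " & strArgument & " to " & LOCAL_GROUP
            End If
            On Error GoTo 0
        End If
    Else
        objShell.LogEvent EVT_ERROR, "Ignored malformed argument: " & strArgument
    End If
Next

' Record the current membership so unexpected entries can be reviewed later
strList = ""
For Each objMember In objGroup.Members
    strList = strList & vbCrLf & objMember.ADsPath
Next
objShell.LogEvent EVT_INFO, "Members of " & LOCAL_GROUP & ":" & strList
```

The events appear in the Application log with the source WSH, which gives a per-machine record of which domain accounts were granted local group membership and when.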
