Adding a Global Group to a Local Group on a List of Machines
by John Loomes
This VBScript is handy for making
security changes across your enterprise. It takes as input a text
file containing the names of machines, one per line. It then asks for a Local Group
name and a Global Group name. The script then makes the Global Group
you specified a member of the specified Local Group on each machine
in the list. The results are written to a log file, which you can
also specify. Note that the listing binds to the literal domain name DOMAIN; replace it with your own domain name before running the script.
An example of a use for this script would be if you need to grant local admin rights to a group on a number of machines in your domain, but do not wish to grant Domain Admin rights to the group.
You could easily modify this script to use ADSI to pull the machine list directly from your NT Account database or Windows 2000 Active Directory. See my article on ADSI for examples of how to do this.
As usual, take care if you experiment with this script, or you could end up making changes you don't really want to make!
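' Bulk-adds one domain global group to one local group on every machine named
' in a text file (one machine name per line) and logs the outcome per machine.
'
' Error handling: runtime errors do not halt the script. Every call whose
' outcome matters is preceded by Err.Clear and followed by an Err.Number check,
' so an error left over from an earlier statement cannot be mistaken for the
' result of the current one (and a failure cannot be logged as a success).
On Error Resume Next

' Initialize variables
Dim objFS, ServerList, objGroup
Dim ErrMsg, Result
Dim strInputFile, LogFile
Dim strLocalGroup, strGroupToAdd
Dim strServer, intAnswer

' Create a new file system object (WriteLog uses this same global object)
Set objFS = CreateObject("Scripting.FileSystemObject")

' Get name of input file. Check for a cancelled/empty answer BEFORE trying to
' open it, so a cancel is reported as a cancel and not as a file error.
strInputFile = Trim(InputBox("Enter name of file containing machines to modify (Including full path)",,"ServersTxt"))
If strInputFile = "" Then
    MsgBox ("Operation Cancelled, no input file supplied")
    Wscript.Quit(1)
End If
Err.Clear
Set ServerList = objFS.OpenTextFile(strInputFile)
If Err.Number <> 0 Then
    ErrMsg = AdsiErr(strInputFile)
    MsgBox ("Error: " & ErrMsg)
    Wscript.Quit(1)
End If

' Get name of log file and prove it is writable by writing the first entry.
' Trim also removes the leading space carried by the default value.
LogFile = Trim(InputBox("Enter name of Log File (Including full path)",," log.txt"))
If LogFile = "" Then
    MsgBox ("Operation Cancelled, no log file supplied")
    Wscript.Quit(1)
End If
ErrMsg = "Logging Started"
Err.Clear
Result = WriteLog("", LogFile, ErrMsg)
If Err.Number <> 0 Then
    ErrMsg = AdsiErr(LogFile)
    MsgBox ("Error: " & ErrMsg)
    Wscript.Quit(1)
End If

' Get name of the local group to modify on each machine
strLocalGroup = Trim(InputBox("Enter Name of LOCAL group to modify on each machine",,"Administrators"))
If strLocalGroup = "" Then
    MsgBox ("No Local Group Selected, Operation Cancelled")
    Wscript.Quit(1)
End If

' Get name of the domain global group to add.
' The default value of this prompt was cut off in the published listing, so no
' default is offered here; the operator has to type the group name explicitly.
strGroupToAdd = Trim(InputBox("Enter DOMAIN Global Group to add to local Admins group"))
If strGroupToAdd = "" Then
    MsgBox ("No Group Selected, Operation Cancelled")
    Wscript.Quit(1)
End If

' Verify the name resolves in the domain before touching any machine.
' "DOMAIN" is a placeholder: replace it with the real domain name (AddAccount
' uses the same literal). The ",group" class hint makes the bind fail if the
' name belongs to a user or computer account instead of a group.
Err.Clear
Set objGroup = GetObject("WinNT://DOMAIN" & "/" & strGroupToAdd & ",group")
If Err.Number <> 0 Then
    ErrMsg = AdsiErr(strGroupToAdd)
    Result = WriteLog("", LogFile, ErrMsg)
    MsgBox ("Group " & strGroupToAdd & " Cannot be found")
    Wscript.Quit(1)
End If

' Last chance to back out: this changes group membership on every listed
' machine. Any answer other than Yes (including a failed prompt) cancels.
intAnswer = MsgBox("Add DOMAIN\" & strGroupToAdd & " to local group " & strLocalGroup & _
    " on every machine listed in " & strInputFile & "?", _
    vbYesNo + vbExclamation + vbDefaultButton2, "Confirm change")
If intAnswer <> vbYes Then
    Result = WriteLog("", LogFile, "Operation Cancelled at confirmation prompt")
    MsgBox ("Cancelled: No Changes Made.")
    Wscript.Quit(1)
End If

' Parse input file.
' Each line is handled as it is read, so the list length is not limited by a
' fixed-size array.
Do Until ServerList.AtEndOfStream
    strServer = Trim(ServerList.ReadLine)
    If Not IsBlank(strServer) Then
        If InStr(strServer, "/") > 0 Or InStr(strServer, "\") > 0 Then
            ' A path separator inside the name would change which object the
            ' WinNT:// path built by AddAccount points at; skip and record it.
            ErrMsg = "Skipped invalid machine name: " & strServer
        Else
            ' Add group to local group on this machine
            Err.Clear
            Result = AddAccount(strServer, strGroupToAdd, strLocalGroup)
            ' If not successful then try to find out why
            If Err.Number <> 0 Then
                ErrMsg = AdsiErr(strServer)
            Else
                ErrMsg = strServer & " has been updated successfully"
            End If
        End If
        ' Write results to the log
        Result = WriteLog(strServer, LogFile, ErrMsg)
    End If
    ' Err.Clear resets the error object; assigning "" to Err would itself
    ' raise a type-mismatch error.
    Err.Clear
Loop
ServerList.Close

' When finished, time stamp log and quit
ErrMsg = "Operation Completed"
Result = WriteLog("", LogFile, ErrMsg)
MsgBox ("Completed: View results in log: " & LogFile)

Set ServerList = Nothing
Set objFS = Nothing
Set objGroup = Nothing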
' ***********************
' Functions and Subs here
' ***********************
' Returns True when strInput is empty or contains only spaces
' (leading and trailing spaces are trimmed before the length test).
Function IsBlank(strInput)
If CBool(Len(Trim(strInput))) Then
    IsBlank = False
Else
    IsBlank = True
End If
End Function
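' Adds the domain global group GroupName to the local group szLocalGroup on
' the machine ServerName.
'
' ServerName   - machine whose local group is modified
' GroupName    - name of the global group in the domain
' szLocalGroup - name of the local group on ServerName
'
' No value is returned. The function has no error handler of its own, so a
' failed bind or a failed Add is reported through the Err object; the caller
' should clear Err before the call and test it afterwards.
'
' "DOMAIN" is a placeholder and must be replaced with the real domain name.
Function AddAccount(ServerName,GroupName,szLocalGroup)
' Local variable, so the caller's global objGroup is left untouched.
Dim objLocalGroup
' The ",group" class hint restricts the bind to a group object, so a user or
' other account that happens to carry the same name is never modified.
Set objLocalGroup = GetObject("WinNT://" & ServerName & "/" & szLocalGroup & ",group")
objLocalGroup.Add ("WinNT://DOMAIN" & "/" & GroupName)
Set objLocalGroup = Nothing
End Function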
' Appends one entry to the log file: the message, the current time, the
' current date and a separator line. The file is created if it does not exist.
'
' ServerName - accepted for the caller's convenience but not written; the
'              message text is expected to name the machine itself
' strLogFile - full path of the log file
' strMsg     - text of the entry
'
' Relies on the script-level FileSystemObject objFS.
Function WriteLog(ServerName,strLogFile,strMsg)
Const ForAppending = 8
Dim objLog
Set objLog = objFS.OpenTextFile(strLogFile, ForAppending, True)
With objLog
    .WriteLine strMsg
    .WriteLine "Time: " & Time
    .WriteLine "Date: " & Date
    .WriteLine "----------------------------------------"
    .Close
End With
End Function
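' Translates the error currently held in the global Err object into a message
' suitable for the log.
'
' ServerName - the machine, group or file name the failed operation was acting
'              on; it is inserted into the returned message
'
' Returns the message text. Error 70 (cannot write) is treated as fatal: the
' message is shown and the script quits. An error that is not in the list is
' shown in a message box and returned with its code in hexadecimal, so the
' log entry can be looked up later.
Function AdsiErr(ServerName)
Dim strHex
Select Case Err.Number
Case &H80070562
    AdsiErr = ServerName & " has already been updated."
Case &H80070005
    AdsiErr = "Access Denied to " & ServerName
Case &H1A8
    ' &H1A8 is 424 decimal; the script reports it as a connection failure
    AdsiErr = "Couldnt Connect to " & ServerName
Case &H800708B2
    AdsiErr = ServerName & " is a Domain Controller, cant update"
Case &H8007056B
    AdsiErr = "Group " & ServerName & " Doesnt Exist"
Case 53
    AdsiErr = "File " & ServerName & " Doesnt Exist"
Case 70
    ' Nothing can be logged if the log cannot be written, so stop here
    AdsiErr = "Cant Write to " & ServerName
    MsgBox AdsiErr
    Wscript.Quit(1)
Case Else
    ' If error isnt one we expect, flag this up in a box. The hexadecimal
    ' form matches how these codes are usually documented; the original
    ' computed it but then displayed the signed decimal value instead.
    strHex = Hex(Err.Number)
    AdsiErr = "Unexpected Error on " & ServerName & " (0x" & strHex & ")"
    MsgBox (AdsiErr)
End Select
End Function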
