Adding a Global Group to a Local Group on a List of Machines

by John Loomes

This VBScript is handy for making security changes across your enterprise. It takes as input a text file containing the names of machines. It then asks for a Local Group name and a Global Group name. The script then makes the Global Group you specified a member of the specified Local Group on each machine in the list. The results are written to a log file, which you can also specify.

An example of a use for this script would be if you need to grant local admin rights to a group on a number of machines in your domain, but do not wish to grant Domain Admin rights to the group.

You could easily modify this script to use ADSI to pull the machine list directly from your NT Account database or Windows 2000 Active Directory. See my article on ADSI for examples of how to do this.

As usual, take care if you experiment with this script, or you could end up making changes you don't really want to make!

' Don't halt on runtime errors

On Error Resume Next

' Initialize variables

Dim strServerName(1000) 'This array will hold 1000 machines, increase as necessary

Dim ErrMsg

Dim StrGroupToAdd

Dim strServer

Dim Result

Dim strInputFile

Dim LogFile

Dim strLocalGroup

' Create a new file system object

Set objFS = CreateObject("Scripting.FileSystemObject")

' Get name of input file and check that it is valid

strInputFile = InputBox("Enter name of file containing machines to modify (Including full path)",,"ServersTxt")

If strInputFile = "" Then

MsgBox ("Operation Cancelled, no input file supplied")

WScript.Quit

End If

' Only try to open the file once we know a name was supplied

Set ServerList = objFS.OpenTextFile (strInputFile)

If Err Then

ErrMsg = AdsiErr(strInputFile)

MsgBox ("Error: " & ErrMsg)

WScript.Quit

End If

' Get name of log file and check that it is valid and writable

LogFile = InputBox("Enter name of Log File (Including full path)",," log.txt")

If LogFile = "" Then

MsgBox ("Operation Cancelled, no log file supplied")

WScript.Quit

End If

ErrMsg = "Logging Started"

Result = WriteLog("",LogFile,ErrMsg)

If Err Then

ErrMsg = AdsiErr(LogFile)

MsgBox ("Error: " & ErrMsg)

WScript.Quit

End If

' Get name of local group to modify and check that one was supplied

strLocalGroup = InputBox("Enter Name of LOCAL group to modify on each machine",,"Administrators")

If strLocalGroup = "" Then

MsgBox ("No Local Group Selected, Operation Cancelled")

WScript.Quit

End If

' Get name of group to add and check that it is valid

' Replace DOMAIN in the WinNT:// paths with the name of your own domain

strGroupToAdd = InputBox("Enter DOMAIN Global Group to add to local Admins group",,"Global")

If StrGroupToAdd <> "" Then

Set objGroup = GetObject("WinNT://DOMAIN" & "/" & strGroupToAdd)

If Err Then

ErrMsg = AdsiErr(strGroupToAdd)

MsgBox ("Group " & strGroupToAdd & " Cannot be found")

WScript.Quit

End If

Else

MsgBox ("No Group Selected, Operation Cancelled")

WScript.Quit

End If

' Parse input file

' Add Global Group to local group on each machine in list

Do While ServerList.AtEndOfStream <> True

strServerName(xCounter) = ServerList.ReadLine

If Not IsBlank(strServerName(xCounter)) Then

StrServer = StrServerName(xCounter)

' Add group to local group on this machine

Result = AddAccount(strServer,StrGroupToAdd,strLocalGroup)

' If not successful then try to find out why

If Err Then

ErrMsg = AdsiErr(strServerName(xCounter))

Else

ErrMsg = strServerName(xCounter) & " has been updated successfully"

End If

' Write results to the log

Result = WriteLog(strServerName(xCounter),LogFile,ErrMsg)

xCounter = xCounter + 1

End If

' Reset the error state so one failure is not reported for the next machine

Err.Clear

Loop

ServerList.Close

' When finished, time stamp log and quit

If StrGroupToAdd <> "" Then

ErrMsg = "Operation Completed"

Result = WriteLog("",LogFile,ErrMsg)

MsgBox ("Completed: View results in log: " & LogFile)

Else

MsgBox ("Cancelled: No Changes Made.")

End If

Set objFS = Nothing

Set objGroup = Nothing



' ***********************

' Functions and Subs here

' ***********************

' Returns True if the string is empty once leading and trailing spaces are trimmed

Function IsBlank(strInput)

IsBlank = not CBool(Len(trim(strInput)))

End Function


' Adds Global Group from domain to local group machine

Function AddAccount(ServerName,GroupName,szLocalGroup)

Set objGroup = GetObject("WinNT://" & ServerName & "/" & szLocalGroup)

objGroup.Add ("WinNT://DOMAIN" & "/" & GroupName)

Set objGroup = Nothing

End Function


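' Log results

Function WriteLog(ServerName,strLogFile,strMsg)

Dim strTextStream

' 8 = open for appending; True = create the file if it does not exist

Set strTextStream = objFS.OpenTextFile(strLogFile, 8, true)

strTextStream.WriteLine(strMsg)

strTextStream.WriteLine("Time: " & Time)

strTextStream.WriteLine("Date: " & Date)

strTextStream.Close

Set strTextStream = Nothing

End Function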


' Attempt to Trap Errors and return a message to the log

' If Error is Fatal or Unknown then Quit

Function AdsiErr(ServerName)

Dim e

If Err.Number = &H80070562 Then

AdsiErr = ServerName & " has already been updated."

ElseIf Err.Number = &H80070005 Then

AdsiErr = "Access Denied to " & ServerName

ElseIf Err.Number = &H1A8 Then

AdsiErr = "Couldnt Connect to " & ServerName

ElseIf Err.Number = &H800708B2 Then

AdsiErr = ServerName & " is a Domain Controller, cant update"

ElseIf Err.Number = &H8007056B Then

AdsiErr = "Group " & ServerName & " Doesnt Exist"

ElseIf Err.Number = 53 Then

AdsiErr = "File " & ServerName & " Doesnt Exist"

ElseIf Err.Number = 70 Then

AdsiErr = "Cant Write to " & ServerName

MsgBox AdsiErr

WScript.Quit

Else

' If error isnt one we expect, flag this up in a box and quit

e = Hex(Err.Number)

AdsiErr = "Unexpected Error on " & ServerName

Msgbox (AdsiErr & " : 0x" & e)

WScript.Quit

End If

End Function
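
The ADSI modification suggested above, combined with the advice to take care, as an added example that is not part of the original article: a read-only pass that enumerates computer accounts through the WinNT provider and reports whether the global group is already a member of the local group on each one. DOMAIN, GlobalGroup and MachinesToUpdate.txt are placeholder values chosen for illustration.

```vbscript
' Added example, not from the original article: read-only audit, makes no changes.
' DOMAIN_NAME, GLOBAL_GROUP and OUT_FILE are placeholder values (assumptions).
Option Explicit

Const DOMAIN_NAME  = "DOMAIN"
Const GLOBAL_GROUP = "GlobalGroup"
Const LOCAL_GROUP  = "Administrators"
Const OUT_FILE     = "MachinesToUpdate.txt"

Dim objFS, objOut, objDomain, objComputer, strState

Set objFS = CreateObject("Scripting.FileSystemObject")
Set objOut = objFS.CreateTextFile(OUT_FILE, True)

' Enumerate computer accounts in the domain through the WinNT provider
Set objDomain = GetObject("WinNT://" & DOMAIN_NAME)
objDomain.Filter = Array("Computer")

For Each objComputer In objDomain
    strState = MembershipState(objComputer.Name)
    WScript.Echo objComputer.Name & vbTab & strState
    ' Only machines that still lack the group go into the input list
    If strState = "MISSING" Then objOut.WriteLine objComputer.Name
Next
objOut.Close

' Returns PRESENT, MISSING or an error string for one machine
Function MembershipState(strComputer)
    Dim objGroup, blnMember
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strComputer & "/" & LOCAL_GROUP & ",group")
    If Err.Number = 0 Then
        blnMember = objGroup.IsMember("WinNT://" & DOMAIN_NAME & "/" & GLOBAL_GROUP)
    End If
    If Err.Number <> 0 Then
        ' Unreachable machine, access denied, missing group and so on
        MembershipState = "ERROR 0x" & Hex(Err.Number)
    ElseIf blnMember Then
        MembershipState = "PRESENT"
    Else
        MembershipState = "MISSING"
    End If
    On Error GoTo 0
End Function
```

Run it with cscript.exe so the per-machine lines go to the console rather than message boxes. The resulting file lists only machines where the group is not yet a direct member, which can be reviewed before it is fed to the script above.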

This article was originally published on Apr 6, 2000