Addin domain users to local security groups

[Pulathan Senyucel]

I wrote a logon vbscrip for adding some domain users to
local administrator group and the logged on domain user to
local power user group as belowe. The server is w2k server
and active directory is installed. The problem is the
group policy logon script returns me "General access
denied error" if the domain user is not a power user or a
local administrator who logged on to the computer. Is
there any one that can help me...

on error resume next
Set objNet = CreateObject("WScript.NetWork")
Dim strComputer
Dim strUser
strComputer = objNet.ComputerName
strUser = objNet.UserName

' Adds Admin1 user to local administrator group
Set objGroup = GetObject("WinNT://" & strComputer
& "/Administrators,group")
Set objUser = GetObject("WinNT://Domain/Admin1,user")
objGroup.Add(objUser.ADsPath)

' Adds Admin2 user to local administrator group
Set objGroup = GetObject("WinNT://" & strComputer
& "/Administrators,group")
Set objUser = GetObject("WinNT://Domain/Admin2,user")
objGroup.Add(objUser.ADsPath)

'Adds Logged on user to local power user group
Set objGroup = GetObject("WinNT://" & strComputer
& "/Power Users,group")
Set objUser = GetObject("WinNT://Domain/"& strUser
& ",user")
objGroup.Add(objUser.ADsPath)

If Err <> 0 Then
IF err.number= "-2147023518" then ' Object already exist
err.clear
else
Wscript.Echo Err.Number & " -- " & Err.Description & "//
AdUser.vbs"
Err.Clear
end if
End If

This script works if the logged on domain user is local
admin or local power user.
Thanks in advance

 

[Matjaz Ladava [MVP]]

This is because the script runs under user context. Better than script, try
to investigate into Restricted Groups Group Policy setting. It is located in
Computer Configuration/Windows Settings/Security Settings
It basically prescribes local Group membership on the computers to which
this GPO applies.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com