net localgroup fails but returns exit status 0

MadDHatteR

Part of the post workstation installation script adds the domain group
"Local Admins" to the administrators group on the workstation. The command
is:
net localgroup administrators "ourdomain\local admins" /add
It seems to frequently break. We added some error checking; the net
localgroup command exits with error level 0, but fails to successfully
perform the addition to localgroup administrators. This seems to happen with
XP, and (we think) 2k as well.

Has anyone else run into this?
Anyone know how to work around it? Restricted groups are not an option in
this case.
How long does net localgroup wait for a response from the DC when obtaining
the SID of the domain group? If this timed out, what would be the error
level returned?

\\ MadDHatteR

Bill Stewart

MadDHatteR said:
Part of the post workstation installation script adds the domain group
"Local Admins" to the administrators group on the workstation. The
command is:
net localgroup administrators "ourdomain\local admins" /add
It seems to frequently break. We added some error checking; the net
localgroup command exits with error level 0, but fails to successfully
perform the addition to localgroup administrators. This seems to happen
with XP, and (we think) 2k as well.

Has anyone else run into this? Anyone know how to work around it?
Restricted groups are not an option in this case. How long does net
localgroup wait for a response from the DC when obtaining the SID of the
domain group? If this timed out, what would be the error level returned?

(cross-posting removed)

The command will only execute successfully if the account under which it is
run is a member of the local Administrators group.

When does your "post workstation installation script" execute, and under
what account does it run?

Bill

MadDHatteR

Bill Stewart said:
The command will only execute successfully if the account under which it is
run is a member of the local Administrators group.

When does your "post workstation installation script" execute, and under
what account does it run?
Bill

Bill -

The net localgroup command is being run as the administrator account on the
local workstation. Even if it weren't, the error level would be 5: access
denied, not 0.

\\ MadDHatteR

Marty List

Comments inline...


MadDHatteR said:
Part of the post workstation installation script adds the domain group
"Local Admins" to the administrators group on the workstation. The command
is:
net localgroup administrators "ourdomain\local admins" /add
It seems to frequently break. We added some error checking; the net
localgroup command exits with error level 0

How are you checking the result? You should post that in case there's a
problem there.

but fails to successfully perform the addition to localgroup
administrators.

Another possibility is that someone or some process is removing it again.

This seems to happen with XP, and (we think) 2k as well.

Has anyone else run into this?

No, I run the same command once a week on thousands of machines, never seen
it fail but return 0.

Anyone know how to work around it? Restricted groups are not an option in
this case. How long does net localgroup wait for a response from the DC
when obtaining the SID of the domain group? If this timed out, what would be
the error level returned?

You can test this yourself by running the same command with an invalid
domain name.

MadDHatteR

This is part of a series of scripts launched by cmdlines.txt as part of the
unattended deployment. It's after Windows finishes installing and reboots
(and yes, after the computer has already joined the domain). The local
administrator is auto-logged in, and this runs from the RunOnce registry
key...


(e-mail address removed)... cute :)
How are you checking the result? You should post that in case there's a
problem there.

If you think it will help, here's the code:
rem *** Add local admins group
:retry-la
echo Adding local admins to admin group. >> c:\deployment.log
sleep 5
net localgroup administrators "ourdomain\local admins" /add
set error=%ERRORLEVEL%
echo Error Level was %error% >> c:\deployment.log
if not "%error%"=="0" goto retry-la

If the local admins aren't added to the workstation administrators group,
the script should loop infinitely, but that isn't happening. Results from
deployment.log say the errorlevel is 0. If we sit and watch the command, it
reports "command completed successfully". If we do a 'net localgroup
administrators' just after this, the only members are Administrator and
Domain Admins.
Another possibility is that someone or some process is removing it again.

This we know isn't happening because we sit in front of the box while this
runs and watch it happen. We can check the administrators group membership
just after it runs, and "local admins" aren't there.
You can test this yourself by running the same command with an invalid
domain name.

When I try this with an invalid domain, it responds very quickly, which
prompted my question. We seem to have a higher frequency of failure with the
net localgroup command on slower parts of the network. (Slower is relative
here, our entire network is 100M with 1G interconnects.)

I suspect the response is so quick because the computer receives a negative
response from the GC/DNS, rather than only waiting that small amount of
time. If someone knows the innards of the 'net' command, that might help our
troubleshooting.

Thanks,
\\ MadDHatteR

Jerold Schulman

I can't explain the errorlevel, but what happens if you change the sleep 5 to a
sleep 30?


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

Bill Stewart

MadDHatteR said:
The net localgroup command is being run as the administrator account on
the local workstation. Even if it weren't, the error level would be 5:
access denied, not 0.

Presumably, then, the machine is a domain member when this command gets
executed; is RestrictAnonymous enabled on your domain controller(s)?

Bill

Mark V

MadDHatteR said:
This is part of a series of scripts launched by cmdlines.txt as
part of the unattended deployment. It's after Windows finishes
installing and reboots (and yes, after the computer has already
joined the domain). The local administrator is auto-logged in, and
this runs from the RunOnce registry key...


(e-mail address removed)... cute :)


If you think it will help, here's the code:
rem *** Add local admins group
:retry-la
echo Adding local admins to admin group. >> c:\deployment.log
sleep 5
net localgroup administrators "ourdomain\local admins" /add
set error=%ERRORLEVEL%
echo Error Level was %error% >> c:\deployment.log
if not "%error%"=="0" goto retry-la

If the local admins aren't added to the workstation administrators
group, the script should loop infinitely, but that isn't
happening. Results from deployment.log say the errorlevel is 0. If
we sit and watch the command, it reports "command completed
successfully". If we do a 'net localgroup administrators' just
after this, the only members are Administrator and Domain Admins.


This we know isn't happening because we sit in front of the box
while this runs and watch it happen. We can check the
administrators group membership just after it runs, and "local
admins" aren't there.


When I try this with an invalid domain, it responds very quickly,
which prompted my question. We seem to have a higher frequency of
failure with the net localgroup command on slower parts of the
network. (Slower is relative here, our entire network is 100M with
1G interconnects.)

I suspect the response is so quick because the computer receives a
negative response from the GC/DNS, rather than only waiting that
small amount of time. If someone knows the innards of the 'net'
command, that might help our troubleshooting.

Pure "what if", but what if you add a line to "wake up" the connection
before the call. Say
...
net group "local admins"
net localgroup administrators "ourdomain\local admins" /add
...
?

Marty List

Mark V said:
Pure "what if", but what if you add a line to "wake up" the connection
before the call. Say
...
net group "local admins"
net localgroup administrators "ourdomain\local admins" /add
...
?

More specifically that would be:
net group "local admins" /domain>nul
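The retry loop posted earlier in this thread trusts the exit status of net localgroup, which is exactly the signal the thread shows to be unreliable, and the last two replies suggest resolving the domain group at a DC before the add. The following batch script is an added example, not code from any poster in this thread, and combines both ideas: it requires the domain group to resolve via "net group ... /domain" before attempting the add, ignores the exit status of the add itself, and then re-reads the local Administrators group and loops until the domain group is actually listed. It assumes the same names as the thread (ourdomain, "local admins", c:\deployment.log), that it runs as a local administrator, and that sleep.exe from the Resource Kit is on the PATH as in the original script; the retry cap and the 30-second delay are arbitrary choices.

```batch
@echo off
setlocal
rem Added example, not the original poster's script. Assumes the domain,
rem group and log file named in the thread, a local-administrator context,
rem and sleep.exe (Resource Kit) on the PATH, as the original script does.
set LOG=c:\deployment.log
set DOMAIN=ourdomain
set GROUP=local admins
set MAXTRIES=20
set TRIES=0

:resolve
rem 1. Prove a DC can resolve the domain group before touching the local
rem    group. Unlike "net localgroup ... /add" in this thread, this step
rem    returns non-zero when the domain is unreachable or the group is unknown.
net group "%GROUP%" /domain >nul 2>&1
if not errorlevel 1 goto add
echo %date% %time% cannot resolve %DOMAIN%\%GROUP% at a DC >> %LOG%
goto retry

:add
rem 2. Attempt the addition. Its exit status is deliberately not used as the
rem    success signal; its output is only logged for troubleshooting.
net localgroup administrators "%DOMAIN%\%GROUP%" /add >> %LOG% 2>&1

rem 3. Verify the effect rather than the exit status: re-read the local group
rem    and look for the domain group by name (case-insensitive, literal match).
net localgroup administrators | findstr /i /l /c:"%DOMAIN%\%GROUP%" >nul
if not errorlevel 1 goto done
echo %date% %time% %DOMAIN%\%GROUP% still absent from Administrators >> %LOG%

:retry
rem Bounded retry so a permanent fault cannot hang the deployment forever.
set /a TRIES+=1
if %TRIES% geq %MAXTRIES% goto fail
sleep 30
goto resolve

:done
echo %date% %time% %DOMAIN%\%GROUP% present in Administrators after %TRIES% retries >> %LOG%
endlocal
exit /b 0

:fail
echo %date% %time% giving up on %DOMAIN%\%GROUP% after %MAXTRIES% attempts >> %LOG%
endlocal
exit /b 1
```

The point of step 3 is that the membership listing is the only evidence that matters for a privileged-group change: a script that logs "Error Level was 0" and moves on has no way of knowing whether the workstation actually has the intended administrators. The bounded retry replaces the original's infinite loop so that a machine with a genuinely broken DC path fails loudly (exit code 1 in the log) instead of sitting at the auto-logged-in desktop indefinitely.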