Add User or Group as Member of Local Group During User Logon

These two little people at work asked me if I could help them with a script to automatically add a domain user or group to the local Administrators group. Just thinking about how they had been trying to do it for weeks with no success was enough of a challenge for me; so, without really thinking about whether it would fit in my workload, I agreed to help these little guys.

The assumptions:
  1. Script will run during computer startup.
  2. GPO will be applied to specific computers.

I whipped up this script and added it to the Computer Startup section. After testing and verifying that it worked, they suddenly changed their minds.

New requirements:
  1. GPO will NOT be restricted to any specific computer, but
  2. GPO will NOT be applied to ALL computers. (It should only take effect on a computer when the member user logs on to it.)

So I had no choice but to implement the GPO as a User Logon script, which posed another challenge: user logon scripts run under the credentials of the user who logged on, and if that user doesn't have local administrator privileges the script simply fails with an "access denied" error.

Hitting that wall, the obvious workaround was to use impersonation inside the script, which means using an account that has Domain Admin privileges to run the WMI code in the script. That, however, is a very bad idea, because it requires the username and password to be embedded in the code, and the code is plain text.

So the new challenge now:
  1. Run the Logon Script with Domain Admin privileges.
  2. The end product must NOT be plain, readable text, to protect the account from being compromised.

Encoding the VBS as VBE (the Script Encoder) is not a serious option. Why? Because ever since I started learning VBS, I have decoded lots of VBEs so that I could study them, and the decoding mechanism is always the same.

The only way to go, for me, was to compile the VBScript into an EXE binary. This is where PrimalScript came in handy.

THE CODE

'==========================================================================
'
' NAME: AddToLocal.vbs
'
' AUTHOR: June Castillote, june.castillote@gmail.com
' DATE  : 3/22/2012
'
' USAGE: AddToLocal.vbs [Domain Group/User] [Local Group]
'        e.g. AddToLocal.vbs DOMAIN/username Administrators
'
'==========================================================================
Option Explicit

Const strComputer = "."   ' "." means the local computer

Dim objArgs, objGroup, objUser, strMember, strLocalGroup
Set objArgs = WScript.Arguments

' Script will not run if both arguments are not specified
If objArgs.Length < 2 Then WScript.Quit

strMember     = CStr(objArgs(0))   ' domain user or group, in DOMAIN/name form
strLocalGroup = CStr(objArgs(1))   ' local group, e.g. Administrators

' Bind to the local group and to the domain principal through the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strLocalGroup)
Set objUser  = GetObject("WinNT://" & strMember)

' Only add when not already a member, so the script can run at every logon
If (objGroup.IsMember(objUser.ADsPath) = False) Then
    objGroup.Add(objUser.ADsPath)
    MsgBox "Your account/group " & strMember & " has been added to the Local " & strLocalGroup & " Group. Please log out and log back in for the privileges to take effect."
Else
    MsgBox "Your account/group " & strMember & " is already a member of the Local " & strLocalGroup & " Group. No further actions needed."
End If

'==========================================================================
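The same logic in PowerShell, as an added example that is not the post's own script: it binds to the same WinNT (ADSI) provider, performs the same IsMember check before calling Add so repeated runs are harmless, and surfaces the "access denied" failure the post describes in a catch block instead of a raw script error. The member and group names in the usage line (CONTOSO\jdoe, Administrators) are constructed placeholders, and $ComputerName defaults to the local machine, which is what "." means in the VBScript.

```powershell
<#
 Added example, not the original AddToLocal.vbs: PowerShell equivalent using the
 WinNT ADSI provider. Usage (placeholder names):
   .\Add-ToLocalGroup.ps1 -Member "CONTOSO\jdoe" -LocalGroup "Administrators"
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)] [string] $Member,     # DOMAIN\name or DOMAIN/name
    [Parameter(Mandatory = $true)] [string] $LocalGroup, # e.g. Administrators
    [string] $ComputerName = $env:COMPUTERNAME           # same as "." in the VBScript
)

# The WinNT provider expects forward slashes: WinNT://DOMAIN/name
$memberPath = 'WinNT://' + ($Member -replace '\\', '/')
$groupPath  = "WinNT://$ComputerName/$LocalGroup,group"

# [ADSI] binds lazily; reading a property forces the bind so a wrong group name
# fails here with a readable message rather than inside Invoke().
try {
    $group = [ADSI]$groupPath
    $null  = $group.Name
}
catch {
    Write-Error "Cannot bind to local group '$LocalGroup' on $ComputerName : $_"
    exit 1
}

# IADsGroup methods (IsMember, Add) are reached through Invoke() on the DirectoryEntry.
if ($group.Invoke('IsMember', $memberPath)) {
    Write-Output "$Member is already a member of the local $LocalGroup group. No further action needed."
    exit 0
}

try {
    # This is the call that returns 'Access is denied' when the script runs in the
    # context of a non-admin user: the logon-script wall the post describes. It
    # succeeds from a computer startup script (SYSTEM) or an elevated session.
    $group.Invoke('Add', $memberPath)
    Write-Output "$Member has been added to the local $LocalGroup group. Log off and back on for the privileges to take effect."
}
catch {
    Write-Error "Failed to add $Member to $LocalGroup : $_"
    exit 1
}
```

On Windows 10 / Server 2016 and later, the built-in Microsoft.PowerShell.LocalAccounts module offers Get-LocalGroupMember and Add-LocalGroupMember for the same job; the ADSI form above is used here because it maps one-to-one onto the VBScript and also works on the older systems the post was written for.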


COMPILE USING PRIMALSCRIPT

Enter the account that is already a member of the local Administrators group (usually a domain admin account) that the script will use as its "Run As" credential.



APPLY TO GPO

You should know how to do that!

OUTPUT

If the user logged on to that computer is not yet a member of the local group, the script will trigger and the user will see the message box below.

If the account/group is already a member of the local group, the message box below will appear.


PrimalScript is commercial software; however, if you do not want to use this option of compiling to EXE, you can just modify the script to include the username and password in the WMI connection string, which exposes the credentials in plain text.

Password Generator

When you handle user account management, you either use a default password (which is in itself vulnerable) or generate a random password, most likely using an online tool. That's all fine with me, but I wanted a utility that I could open quickly from my desktop. This is why I created this small utility to generate random passwords.

There is not much to say about it; you can very much figure it out on your own.
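For readers who would rather script this than download a binary, here is an added example (not the Randomizer utility from the post) of a password generator that draws from the operating system's cryptographic random number generator rather than Get-Random, uses rejection sampling so no character is favoured by modulo bias, and guarantees at least one character from every class. The character classes and the default length of 16 are assumptions of this example.

```powershell
<#
 Added example, not the post's Randomizer utility: cryptographically random
 password generation in PowerShell. Character classes and defaults are assumed.
#>
function New-RandomPassword {
    [CmdletBinding()]
    param(
        [ValidateRange(4, 256)] [int] $Length = 16,
        [switch] $NoSymbols
    )

    $classes = @(
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789'
    )
    if (-not $NoSymbols) { $classes += '!@#$%^&*()-_=+[]{};:,.?' }
    $alphabet = -join $classes

    # OS CSPRNG (CryptGenRandom / BCryptGenRandom underneath), not System.Random
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Largest multiple of the alphabet size that fits in a UInt32; draws at or
    # above it are discarded so every index is equally likely.
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)

    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            do {
                $rng.GetBytes($bytes)
                $n = [BitConverter]::ToUInt32($bytes, 0)
            } while ($n -ge $limit)
            $chars[$i] = $alphabet[[int]($n % $alphabet.Length)]
        }
        $password = -join $chars

        # Regenerate until every class is represented; cheap for Length >= 4
        $complete = $true
        foreach ($class in $classes) {
            if ($password.IndexOfAny($class.ToCharArray()) -lt 0) {
                $complete = $false
                break
            }
        }
    } while (-not $complete)

    $rng.Dispose()
    return $password
}

# Example use: three 20-character passwords
1..3 | ForEach-Object { New-RandomPassword -Length 20 }
```

The rejection loop matters more than it looks: with a 4-byte draw and a 75-character alphabet, a plain `$n % 75` would make the first few characters of the alphabet slightly more likely than the rest, which is exactly the kind of bias a password cracker's wordlist ordering can exploit.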


Download Link:
Randomizer v1.0
