The assumptions:
- The script will run during computer startup.
- The GPO will be applied to specific computers.
New requirements:
- The GPO will NOT be restricted to any specific computer, but
- The GPO will NOT be applied to ALL computers. (It should only take effect on a computer when a member user logs on to it, which means a logon script running in the user's own, non-administrative context.)
Hitting that wall, the obvious workaround was to use impersonation inside the script, i.e. run the ADSI (WinNT provider) code under an account that is a local administrator on every target computer (in practice a Domain Admin account). That, however, is a very bad idea on its own, because it requires the username and password to be embedded in the script, and the script is plain text that any user it runs for can read.
So the new challenge:
- Run the logon script with administrative (Domain Admin) privileges.
- The end product must NOT be plain readable text, so that the account credentials are not exposed to every user the script runs for.
The only way to go for me is to compile the vbScript into an EXE binary.
This is where PrimalScript came in handy.
THE CODE
'==========================================================================
'
' NAME: AddToLocal.vbs
'
' AUTHOR: June Castillote, june.castillote@gmail.com
' DATE : 3/22/2012
'
' USAGE: AddToLocal.vbs [Domain Group/User] [Local Group]
'
'==========================================================================
Set objArgs = WScript.Arguments
' Both arguments are required; exit quietly if either is missing.
If objArgs.Length < 2 Then WScript.Quit
Const strComputer = "."
Dim objGroup, objUser, strDomainPrincipal, strLocalGroup
strDomainPrincipal = CStr(objArgs(0))   ' DOMAIN/user or DOMAIN/group
strLocalGroup = CStr(objArgs(1))        ' e.g. Administrators
' Bind to the local group and to the domain user/group through the ADSI WinNT provider.
' Modifying the local group requires the caller to be a local administrator.
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strLocalGroup & ",group")
Set objUser = GetObject("WinNT://" & strDomainPrincipal)
If (objGroup.IsMember(objUser.ADsPath) = False) Then
    objGroup.Add(objUser.ADsPath)
    MsgBox "Your account/group " & strDomainPrincipal & " has been added to the Local " & strLocalGroup & " Group. Please log out and log back in for the privileges to take effect."
Else
    MsgBox "Your account/group " & strDomainPrincipal & " is already a member of the Local " & strLocalGroup & " Group. No further action needed."
End If
'==========================================================================
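The same logic as an added PowerShell example (this is not the author's AddToLocal.vbs and is not part of the original post). It uses the same ADSI WinNT provider, validates both arguments, refuses to run when the caller is not a local administrator (the failure mode the Run As credential exists to avoid), and confirms that the domain principal actually resolves before touching the group. The script name, parameter names and the sample domain/user values are assumptions for illustration.

```powershell
# AddToLocal.ps1 (assumed name) - added example, not the original script.
# Usage (assumed): .\AddToLocal.ps1 -DomainPrincipal 'CORP/jdoe' -LocalGroup 'Administrators'
param(
    [Parameter(Mandatory = $true)][string]$DomainPrincipal,   # DOMAIN/user or DOMAIN/group
    [Parameter(Mandatory = $true)][string]$LocalGroup         # e.g. Administrators
)

# The WinNT provider can only modify a local group when the caller is a local
# administrator. Fail loudly here instead of producing a confusing COM error later;
# in the original design this is why the packaged EXE carries Run As credentials.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Must run as a local administrator (current user: $($identity.Name))."
}

# Bind to the local group (",group" tells the provider which class to expect).
$group = [ADSI]"WinNT://./$LocalGroup,group"

# Bind to the domain user or group. Binding is lazy, so force it and make sure
# the object is really a user or group before using its path.
$member = [ADSI]"WinNT://$DomainPrincipal"
try {
    $class = $member.psbase.SchemaClassName
} catch {
    throw "Cannot resolve '$DomainPrincipal' through the WinNT provider: $($_.Exception.Message)"
}
if ($class -notin @('User', 'Group')) {
    throw "'$DomainPrincipal' resolved to class '$class', expected User or Group."
}

# IADsGroup methods are reached through Invoke on the DirectoryEntry.
$memberPath = $member.psbase.Path
if ([bool]$group.psbase.Invoke('IsMember', $memberPath)) {
    Write-Output "$DomainPrincipal is already a member of the local $LocalGroup group. No further action needed."
} else {
    $group.psbase.Invoke('Add', $memberPath)
    Write-Output "$DomainPrincipal has been added to the local $LocalGroup group. Log off and back on for the change to take effect."
}
```

Run it from an elevated PowerShell session to see the success and already-a-member paths; run it as a standard user to see the administrator check fire before any directory call is made.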
COMPILE USING PRIMALSCRIPT
Enter the account that is already a member of the local Administrators group on the target computers (usually a domain admin account); the packaged EXE will use it as the "Run As" credential.
APPLY TO GPO
You should know how to do that!
OUTPUT
If the account or group of the user logged on to that computer is not yet a member of the local group, the script adds it and shows the first message box (added; log out and back in for the privileges to take effect).
If the account/group is already a member of the local group, the second message box (already a member; no further action needed) appears.
PrimalScript is commercial software. If you do not want to use the compile-to-EXE option, the alternative is to put the username and password into the script itself (for example in the connection/bind string), which exposes the credentials in plain text to every user the logon script runs for. Keep in mind that packaging to an EXE hides the credentials from casual reading but does not remove them: the script and its Run As credentials are still carried inside the binary and unpacked on the client at run time, so treat this as obfuscation rather than protection. Use a dedicated account that holds only the rights the script needs (local Administrators membership on the target computers) instead of a Domain Admin account, so that recovery of the embedded credential does not hand over the whole domain.