Checking user - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Advanced Scripting » Checking user

Page 1 of 2

1

Topic Options

#67527 - 2002-06-25 02:15 PM Checking user
Praetorian Praetorian Fresh Scripter Registered: 2002-06-25 Posts: 6	Hi all, I've wrote a sort of Big Brother script, the scripts allows and denies Operating Systems on our Domain and more of that stuff.... Now I've got a problem, The users have to log on a domain, I want to check if that user has local admin rights, and I want to check if the Domain Administrator is in the local group Administrators... Is this possible wilth NET or KIX? Help me!
Top

#67528 - 2002-06-25 02:27 PM Re: Checking user
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	You could review List and delete members of local admin group on remote PC's and during logon or Is user part of admnistrators group . You have to be concerned with the users permissions on the client. If they are not adminstrator, I do not believe that they will be able to enmuerate the local adminstrators group. [ 25 June 2002, 14:27: Message edited by: Howard Bullock ] _________________________ Home page: http://www.kixhelp.com/hb/
Top

#67529 - 2002-06-25 03:58 PM Re: Checking user
Praetorian Praetorian Fresh Scripter Registered: 2002-06-25 Posts: 6	Look... I want to check with kix the following: For example our domain is DOM, I want to check if DOM\Administrator is in de local administrator group on that computer... If NOT then ADD... I think this is very hard to script My second target is: For example we've got user BLA DOM\Bla may have local administrator rights... but Bla may have NOT local administrator rights. If he has.. then DELETE and Logoff(1) It's hard to explain you know, I'm a dutch man (I bet I'd get no more replies from of now )
Top

#67530 - 2002-06-25 04:26 PM Re: Checking user
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	Praetorian, Howard gave you a couple of very good leads to get you started. If you get no more replies, it is not because you're a Dutchman. Simply restating your objective will not likely help your cause. There needs to be some progression. _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#67531 - 2002-06-25 04:40 PM Re: Checking user
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Ok. To make changes to the local Administrators group, the person making the change has to have Administrator permissions. That means: 1) If the user is in the Administrators group, you can easily add the Dom\Administrator account and remove the user account in a Kixtart logon script (as the user). there are code samples in the links I mentioned previously that will get you very close to what you need. In the script I provide in one of the links you simply need to add "$group.Remove(@UserID)" to remove the user account. 2) If the user is not an Administrator, the logon script will not work for you at all unless you can use SU.exe or Runas.exe. In this case, you will ether need to have another DOM\account that has Admin permissions or use the local adminstrator account. If you have access via a Domain account you can use ADSI to target the remote computer or use a Perl Compiled utility AddToAdmin.exe from my Perl Utilities Web Page. If you give the coding a shot, many of will review and point you in right direction. No one likes to write solution for others without compensation but we do like to assist. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#67532 - 2002-06-25 04:43 PM Re: Checking user
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Hi Dutchie Might try the low-tech approach, not sure if perms will get in the way though ... this might be a piece of the puzzle: BREAK ON $LOCALGROUP = "ADMINISTRATORS" $GLOBALGROUP = "DOM\ADMINISTRATOR" SHELL '%COMSPEC% /C NET LOCALGROUP "$LOCALGROUP" \| FIND /I "$GLOBALGROUP" >NUL 2>NUL' IF @ERROR = 0 ?"$GLOBALGROUP IS A MEMBER OF LOCAL $LOCALGROUP" ELSE ?"$GLOBALGROUP IS NOT A MEMBER OF LOCAL $LOCALGROUP" ENDIF EXIT -Shawn
Top

#67533 - 2002-06-25 05:22 PM Re: Checking user
BrianTX BrianTX Korg Regular Registered: 2002-04-01 Posts: 895	Congratulations on #1000 Howard! As to the current issue at hand... I always liked the Jens way of doing things via task scheduler... This allows you to execute tasks with administrator privilege even though the logged on user does not have admin privileges. Brian
Top

#67534 - 2002-06-25 05:25 PM Re: Checking user
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	A BIG, WELL DESERVED CONGRATS TO YOU HOWARD. Welcome to the Millenium Club, my friend.
Top

#67535 - 2002-06-25 05:58 PM Re: Checking user
Les Les KiX Master Registered: 2001-06-11 Posts: 12734 Loc: fortfrances.on.ca	YES! WELCOME Howard! At the rate you're going it'll be MM in no time! _________________________ Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Top

#67536 - 2002-06-25 07:06 PM Re: Checking user
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Well thanks guys. At 400 i thought I would never get here. I don't even remember 800. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#67537 - 2002-06-25 07:54 PM Re: Checking user
Praetorian Praetorian Fresh Scripter Registered: 2002-06-25 Posts: 6	LoL @ u guys Everybody was really helpfull!! I really appreciate that! Thanks again! I'm on my way now.
Top

#67538 - 2002-06-26 03:02 AM Re: Checking user
MCA MCA KiX Supporter Registered: 2000-04-28 Posts: 5152 Loc: Netherlands, EU	Dear Howard, Congratulations, again a member getting in one of those wonderful Millenium Clubs. Indeed it is hard to find back "when did I enter mine Xth topic". We enter always a reminder in a fixed unique format to our x00-th item. Up to the next Millenium. greetings. _________________________ email scripting@wanadoo.nl homepage scripting@wanadoo.nl \| Links \| Summary of Site Site KiXforms FAQ kixtart.org library collection mirror MCA \| FAQ & UDF help file UDF kixtart.org library collection mirror MCA \| mirror USA \| mirror europe UDF scriptlogic library collection UDFs \| mirror MCA
Top

#67539 - 2002-06-26 03:13 AM Re: Checking user
NTDOC NTDOC Administrator Registered: 2000-07-28 Posts: 11628 Loc: CA	Congratulation Howard... Wow, some of you guys make it to the club so easily Thanks for all the good posts Howard.
Top

#67540 - 2002-06-26 03:25 PM Re: Checking user
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	not net commands uttleast can do that... so new interface could do that and with rcmd. actually, at is the saver here. copy that script with appropiate usernames to that machine, schedule a job on that target with that script and delete after execution that script. cheers, _________________________ ! download KiXnet
Top

#67541 - 2002-06-26 03:49 PM Re: Checking user
Shawn Shawn Administrator Registered: 1999-08-13 Posts: 8611	Was thinking that this would be a job for any old NT5 workstation, ADSI and the WinNT provider, for example, to enumerate remote objects in the local administrators group on a workstation: break on $WKSTA = "xxxyyy" ; the target machine $ADMINID = "john.doe" ; local or domain\account $ADMINPWD = "password" ; password $LOCALGROUP = "administrators" ; the local group on target machine $root = getobject("WinNT:") $group = $root.opendsobject("WinNT://$WKSTA/$LOCALGROUP","$ADMINID","$ADMINPWD",0) for each $object in $group.members ? $object.adspath next exit 1 Haven't been able to successfull enumerate GLOBAL DOMAIN GROUPS in there yet ... anyone ?
Top

#67542 - 2002-07-02 03:12 PM Re: Checking user
Praetorian Praetorian Fresh Scripter Registered: 2002-06-25 Posts: 6	Hello again! With your help my scripting project is on scheme... But I've got 1 little problem... See my code: code: ? "Checking availability of Domain Administrator account..." SHELL '%COMSPEC% /C NET LOCALGROUP "Administrators" \| FIND /I "RPZ\DomainAdministrator" >NUL 2>NUL' IF @ERROR = 0 ? "Error: RPZ\DomainAdministrator account not available!" logoff(1) ELSE ? "Everything okay!" ENDIF This code is running on the workstations from the netlogon directory on the domain controller... It looks like the checking with the SHELL command is not happening on the workstation, but on the domaincontroller hisselve! This because my workstation has the user RPZ\DomainAdministrator.., and the script IS running! but however... my script is telling me, that user is nog available...
Top

#67543 - 2002-07-02 03:24 PM Re: Checking user
BrianTX BrianTX Korg Regular Registered: 2002-04-01 Posts: 895	If you run that script it won't work because: "domainadministrator" is not a valid account. On my Windows 2000 machine in my domain, you use: code: SHELL '%COMSPEC% /C NET LOCALGROUP "Administrators" \| FIND /I "RPZ\Domain Admins" >NUL 2>NUL' instead of the line you have. If you go to a command prompt on the target machine and check by typing: NET LOCALGROUP "Administrators" If the domain admins group is listed, it will tell you what you need to look for. Personally, I like the ADSI method much better for doing this. (See posts above.) Brian
Top

#67544 - 2002-07-02 03:33 PM Re: Checking user
Praetorian Praetorian Fresh Scripter Registered: 2002-06-25 Posts: 6	ADSI is not the way for me.. If you read my post.. you readed that the script DO work... the only problem is that de SHELL command is executed on the domain controller.. Can somebody tell me how to run the shell command on the workstation? Every workstation here runs the script from the netlogon dir at the domain controller...
Top

#67545 - 2002-07-02 03:51 PM Re: Checking user
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	praetorian, the shell is run everywhere... if the %comspec% is set to DC location it's run there. check it for the user. cheers, _________________________ ! download KiXnet
Top

#67546 - 2002-07-02 04:19 PM Re: Checking user
BrianTX BrianTX Korg Regular Registered: 2002-04-01 Posts: 895	Logon scripts run on the client unless as Lonkero said, the %comspec% points to the DC. As I understand it: Summary: 1. you need to check the client to see if the currently logged on user has local admin rights. 1a. If user doesn't have local admin rights, log them off immediately. 2. You need to check the client to see if the domain administrator has local admin rights. 2a. If domain admin doesn't have local admin rights, add them to local admin group. ------ Comments: 1. As far as I know, domain administrators are granted local admin rights to NT/2000/XP workstations by default. There may be rare exceptions, but for the most part this should hold true. 2. Before coming back to the domain admin question, all you need to do is check to see if the current user is in the local admins group and log them off if they aren't. This is not too difficult. 3. Assuming you check to see if the user is a local admin (as in #2), then you know that they are and you can verify that domain admins are local admins as well, using a similar method to #2. 4. Logon scripts run on the client PCs, not on the server they are being accessed from, except in very RARE cases. Otherwise, drive mappings, setup programs, etc would go to the server instead of the client. Brian
Top

Page 1 of 2

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Glenn Barnas, NTDOC, Arend_, Jochen, Radimus, Allen, ShaneEP, Ruud van Velsen, Mart

Hop to:

Shout Box

Who's Online

0 registered and 846 anonymous users online.

Newest Members

StuTheCoder, M_Moore, BeeEm, min_seow, Audio
17884 Registered Users

Generated in 0.05 seconds in which 0.014 seconds were spent on a total of 12 queries. Zlib compression enabled.

click tracking