Solved assistance required to create check script

July 26, 2011 at 06:41:13
Specs: Windows XP
Hi, I need help with creating a VBScript to check the local admin groups on PCs. If the group/user isn't in the text file (containing the default local admin groups) that the script reads from, delete it (thus removing the group's/user's local admin right).

Here is an example I've found on the net (Add an AD group to the local administrators group of all computers in an OU - I want to delete rather than add):

On error resume next
if WScript.Arguments.Count <> 2 then
  wscript.echo "usage : cscript add-admin.vbs <filename> <group>"
  wscript.echo
  wscript.echo vbTab & "where <filename> refers to the path/file with a list of hostnames"
  wscript.echo vbTab & " <group> refers to the AD group being added to the local admin group"
  wscript.quit
else
  strFileName = Wscript.Arguments(0)
  strGroup = Wscript.Arguments(1)
end if

Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

If objFSO.FileExists(strFileName) Then
  Set objInputFile = objFSO.OpenTextFile(strFileName)
  Do While Not (objInputFile.atEndOfStream)
    x=0
    strComputer = objInputFile.Readline
    'Ping the host once before binding to it.
    'The hostname is concatenated into a shell command, so the input file must be trusted.
    strCommand = "%comspec% /c ping -n 1 -w 100 " & strComputer & ""
    Set objExecObject = objShell.Exec(strCommand)

    Do While Not objExecObject.StdOut.AtEndOfStream
      strText = objExecObject.StdOut.ReadAll()
      If Instr(strText, "Reply") > 0 Then 'Online
        Set objAdmins = GetObject("WinNT://" & strComputer & "/Administrators")
        'Enumerate the members of the local Administrators group
        For Each objUser in objAdmins.Members
          If Instr(UCase(objUser.Name),UCase(strGroup)) then
            Wscript.Echo strGroup & " is already a local admin of " & strComputer & "..."
            x=x+1
            Exit for
          End if
        Next
        If x=0 then 'not in local admin group
          Wscript.Echo "Adding " & strGroup & " to the local admin group of " & strComputer & "..."
          Set objGroup = GetObject("WinNT://ap/" & strGroup)
          objAdmins.Add(objGroup.ADsPath)
        End if
      Else 'Offline
        Wscript.Echo strComputer & vbTab & "OFFLINE."
      End If
    Loop
  Loop
  'Close the hostname list that was opened above
  objInputFile.Close
  Wscript.Quit
Else
  Wscript.Echo "The file " & strFileName & " does not exist."
  Wscript.Quit
End If

I think this is a little clunky as I don't want any user input - fully automated preferred.
I'd also like to output to a text file the names of the groups/users that were removed from the local admin group of each PC.



#1
July 27, 2011 at 02:52:03
The following below does more or less what I want, but I need help with iterating through a text file containing the hostnames that I'd like the script to pass through...

'Remove ALL users except the default administrator account, domain admin and pseudo admin groups.

'See the following script

'=========================================================================
Option Explicit

Dim network, group, user
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
For Each user In group.members
  If UCase(user.name) <> "ADMINISTRATOR" And UCase(user.name) <> "DOMAIN ADMINS" And UCase(user.name) <> "EQR_LDN_PER_UKEQ_PSEUDOADMIN" Then
    group.remove user.adspath
  End If
Next
msgbox "Removed non-standard local admins"



#2
July 27, 2011 at 03:40:00
Untested and it lacks error handling, but this should get you started:
Option Explicit
Const fileName = "someFile.txt"
Dim computer, group, user
With CreateObject("Scripting.FileSystemObject").OpenTextFile(fileName)
  Do Until .AtEndOfStream
    computer = Trim(.ReadLine)
    If Len(computer) > 0 Then
      Set group = GetObject("WinNT://" & computer & "/Administrators,group")
      For Each user In group.members
        If UCase(user.name) <> "ADMINISTRATOR" And UCase(user.name) <> "DOMAIN ADMINS" And UCase(user.name) <> "EQR_LDN_PER_UKEQ_PSEUDOADMIN" Then
          group.remove user.adspath
        End If
      Next
    End If
  Loop
End With
msgbox "Removed non-standard local admins"

How To Ask Questions The Smart Way



#3
July 27, 2011 at 03:46:37
Thanks Razor, as always you're da man!
I'll go through this and see if it all checks out.
By the way, how would I add some error logging? I want to add the name of the group that was removed along with the hostname that it was removed from?
Thanks


#4
July 27, 2011 at 04:55:43
Sorry I meant logging - want to output the groups/user that were removed from the local admin group into a text file...


#5
July 28, 2011 at 06:05:18
Option Explicit
Const fileName = "someFile.txt"
Dim computer, group, user, fso, outFile 
Set fso = CreateObject("Scripting.FileSystemObject")
Set outFile = fso.OpenTextFile("log.csv", 2, True)
With .OpenTextFile(fileName)
  Do Until .AtEndOfStream
    computer = Trim(.ReadLine)
    If Len(computer) > 0 Then
      Set group = GetObject("WinNT://" & computer & "/Administrators,group")
      For Each user In group.members
        If UCase(user.name) <> "ADMINISTRATOR" And UCase(user.name) <> "DOMAIN ADMINS" And UCase(user.name) <> "EQR_LDN_PER_UKEQ_PSEUDOADMIN" Then
          outFile.WriteLine computer & "," & user.name
          group.remove user.adspath
        End If
      Next
    End If
  Loop
End With
msgbox "Removed non-standard local admins"

How To Ask Questions The Smart Way



#6
July 28, 2011 at 23:21:02
Thanks again razor - pure genius


#7
July 29, 2011 at 00:32:36
I've just run the script (changing path of input file to MachineList.txt)

Option Explicit
Const fileName = "C:\Documents and Settings\cl37985\Desktop\MachineList.txt"
Dim computer, group, user, fso, outFile
Set fso = CreateObject("Scripting.FileSystemObject")
Set outFile = fso.OpenTextFile("log.csv", 2, True)
With .OpenTextFile(fileName)
...

For some reason it errors out (debugger says there's a problem with the line beginning with the 'With' command), is there a line missing?



#8
July 29, 2011 at 03:43:51
Sorry about that; lazy editing on my part.
With fso.OpenTextFile(fileName)

How To Ask Questions The Smart Way



#9
July 29, 2011 at 03:49:09
Lovely - all working now. Thank you


#10
July 29, 2011 at 04:10:35
One last thing razor, would it be possible to add a, just say, exclusionlist.txt file which the script iterates through so that it ignores certain users/groups? I'm saying this as I don't want people messing about with the code itself; users can manage the excluded list by only editing this file.


#11
July 29, 2011 at 13:30:16
Any other changes you want to squeeze in?

How To Ask Questions The Smart Way



#12
August 1, 2011 at 01:05:20
Nope - that's pretty much it. I'm looking to test this with a small number of PCs before rolling this out... Thanks


#13
August 1, 2011 at 10:39:19
✔ Best Answer
Option Explicit
Const PCList = "someFile.txt"
Const userList = "someOtherFile.txt"
Dim computer, group, user, fso, outFile, allowed
Set fso = CreateObject("Scripting.FileSystemObject")
Set allowed = CreateObject("Scripting.Dictionary")

'Build allowed user list
With fso.OpenTextFile(userList)
  Do Until .AtEndOfStream
    user = LCase(Trim(.ReadLine))
    If Len(user) > 0 Then _
      allowed(user) = True
  Loop
End With

Set outFile = fso.OpenTextFile("log.csv", 2, True)
'Perform audit
'Rule: Don't abuse loose typing (like I am).
With fso.OpenTextFile(PCList)
  Do Until .AtEndOfStream
    computer = Trim(.ReadLine)
    If Len(computer) > 0 Then
      Set group = GetObject("WinNT://" & computer & "/Administrators,group")
      For Each user In group.members
        If Not allowed(LCase(user.name)) Then
          outFile.WriteLine computer & "," & user.name
          group.remove user.adspath
        End If
      Next
    End If
  Loop
End With
msgbox "Removed non-standard local admins"

How To Ask Questions The Smart Way
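
A report-only variant of the allow-list audit in the answer above, added here as an example and not part of the thread: it limits error suppression to the bind so an unreachable host is logged instead of stopping the run, uses Exists rather than the implicit dictionary lookup, and removes members only when the hypothetical REPORT_ONLY switch is set to False. The log columns are assumptions; the file names are the thread's placeholders.

```vbscript
Option Explicit
' Added example, not from the thread. REPORT_ONLY and the log columns are assumptions.
Const PC_LIST = "someFile.txt"           ' one hostname per line
Const ALLOW_LIST = "someOtherFile.txt"   ' one user/group per line, no quotes
Const REPORT_ONLY = True                 ' True = log what would go, change nothing
Const ForReading = 1, ForWriting = 2

Dim fso, allowed, outFile, pcs, computer, group, member, entry, path
Dim toRemove, bindErr, action
Set fso = CreateObject("Scripting.FileSystemObject")
Set allowed = CreateObject("Scripting.Dictionary")
allowed.CompareMode = vbTextCompare      ' case-insensitive keys; set while still empty

With fso.OpenTextFile(ALLOW_LIST, ForReading)
  Do Until .AtEndOfStream
    entry = Trim(.ReadLine)
    If Len(entry) > 0 Then allowed(entry) = True
  Loop
End With

Set outFile = fso.OpenTextFile("log.csv", ForWriting, True)
outFile.WriteLine "computer,member,adspath,action"
Set pcs = fso.OpenTextFile(PC_LIST, ForReading)
Do Until pcs.AtEndOfStream
  computer = Trim(pcs.ReadLine)
  If Len(computer) > 0 Then
    On Error Resume Next                 ' only the bind may fail quietly
    Set group = GetObject("WinNT://" & computer & "/Administrators,group")
    bindErr = Err.Number
    On Error GoTo 0                      ' membership decisions run with errors fatal
    If bindErr <> 0 Then
      outFile.WriteLine computer & ",,,bind failed 0x" & Hex(bindErr)
    Else
      Set toRemove = CreateObject("Scripting.Dictionary")
      For Each member In group.Members   ' pass 1: collect without modifying the group
        If Not allowed.Exists(member.Name) Then toRemove(member.ADsPath) = member.Name
      Next
      For Each path In toRemove.Keys     ' pass 2: log, and remove only when enabled
        action = "would remove"
        If Not REPORT_ONLY Then
          group.Remove path
          action = "removed"
        End If
        outFile.WriteLine computer & "," & toRemove(path) & "," & path & "," & action
      Next
    End If
  End If
Loop
outFile.Close
```

The adspath column shows where each member comes from (domain or local machine), which the name alone does not, so a report-only pass can be reviewed before the switch is turned off.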



#14
August 1, 2011 at 23:15:24
I like this; I'm assuming that the userlist.txt will contain all users/groups to exclude? Does each group/user need to contain the speech marks?

"ADMINISTRATOR"
"DOMAIN ADMINS"
"PSEUDOADMIN"



#15
August 2, 2011 at 08:26:38
One line per user/group, no quotes. Case doesn't matter; everything's converted to lower case internally.

How To Ask Questions The Smart Way



#16
August 2, 2011 at 22:54:56
Thanks for your help again razor.
