Need to add Computer account to local admins - wntMemberSet errors

[limnos]

The only command I know to add an account would be wntMemberSet, but it returns an "invalid user\group name" when I try to add a computer based account to local admins using WB script.  Is there any way to add a computer account with WB script to the local admins group?  Obviously, this can be done with VB script, but I want to use WB if possible.

[Deana]

See wntUserAddDat and wntUserAdd in the Win32 Network Extender help file.

Here is a Win32 Network Extender sample:

Code (winbatch) Select Expand


username = "fflintstone"   ;USERNAME TO ADD
first = "Fred"                   ;USERS FIRSTNAME
last =  "Flintstone"           ;USERS LASTNAME
pswd = "bambam"            ;USERS PASSWORD
If !wntUserExist("", username,0) Then
      wntUserAddDat("name",first)
      wntUserAddDat("full_name",StrCat(first," ",last))
      wntUserAddDat("comment",StrCat(first," ",last, " User Account"))
      wntUserAddDat("password",pswd)
      wntUserAddDat("flags",1)
      wntUserAddDat("acct_expires","0000:00:00:00:00:00")
      wntUserAdd("")
      Display(2,Title,"Added Account")
Else
      Display(2,Title,"Account Already Exists")
EndIf
If   wntMemberSet("","Administrators",username,@LOCALGROUP,0) Then
      Display(2,Title,"Added to Group")
Else
      Display(2,Title,"Unable to add to Group, or Already a member.")
EndIf
Display(2,Title,"Operation Complete.")
Exit

If you working with an Active directory environment, here is an example of how it is done with the ADSI extender:  http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/nftechsupt.web+WIL~Extenders/ADSI+Add~a~user~to~a~OU.txt

[limnos]

Yeah, tried that already. The rub is I need to add a "computer" account, not a user or group.  Which isn't normally done.  That command definitely chokes on adding a computer account to a local group in an active directory environment.  But, quick and dirty solution:  create a .cmd file with this in it:  Net localgroup Administrators AD\COMPUTERNAME$ /ADD  Then just copy that down and run the cmd with a winbatch wrapper.  Works like a charm.

[td]

Assuming that the computer to be added and the computer who's group you are adding to are members of the same domain or workgroup, you might be able to use the ADSI extender's dsAddToGrp function to accomplish the same task.  You would also likely need to use the "WinNT://" namespace in your paths instead of the more common "LDAP://" namespace.

I haven't tried to so I can't say for sure that it would work.

[Deana]

Sorry I missed that fact that is was a computer account. Tony's right...use the ADSI extender's dsAddToGrp function:
http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WIL~Extenders/ADSI/Samples~from~Users+Add~Computer~to~an~Active~Directory~Group.txt

[ChuckC]

Just out of curiosity...

When attempting to use wntMemberSet() to make a computer account a member of the built-in Administrators group on a domain member computer, what were the actual parameter values that were specified in the function call?  In particular, wast the computer account name "<computer>$", where "<computer>" is the NetBIOS name of the computer?

[td]

Good question.   One would think the wntMemberSet function should be able to add a computer to the admin group.

[ChuckC]

I vaguely recall that the extender did some validation of the value of a SidUse output parameter that identified the type of account that the SID is associated with.  Perhaps that validation code is only allowing user and group accounts to be processed and is returning an error for other account types.  Remember, this code was originally written for use with WinNT v4.0, and so it is dealing with SAM Account types, not AD object types, and so there may be some weirdness involved when trying to use the SAM Account for a computer in AD as the member that is being added to a local group on a workstation or server.