startup GPO script works on windows 2000 but not XP clients


    This script works great on windows 2000 OS but does not work on Windows XP. Can someone help me figure this out??



    Using Group Policy and a script to remove everyone except the Administrator and the Domain Admins group from the local Administrators group of workstations on a domain.

    I created an OU in Active Directory Users and Computers called TestEnviroment.
    Created a GPO called "RemoveUsers"

    Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown) --> Startup

    added localaccount.vbs script

    When my Windows 2000 clients boot it works. But the script does not work with my Windows XP clients.

    But if I log in to one of the Windows XP clients and run the script, it works.

    I don't understand why the script runs on startup for my Windows 2000 clients but does not run on startup for Windows XP clients... but if I log in to the XP clients and run the script, it works.

    Any ideas or thoughts on how I can solve this issue??



    Code:
    ' "." binds to the local machine's SAM through the WinNT provider
    strComputer = "."
    
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    
    ' Remove every member except the local Administrator and Domain Admins
    ' (members are compared by their display name)
    For Each objUser In objGroup.Members
        If objUser.Name <> "Administrator" and objUser.Name <> "Domain Admins" Then
            objGroup.Remove(objUser.AdsPath)
        End If
    Next
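When a startup script "does nothing" on one OS version, the first thing to establish is whether it ran at all, as which account, and whether its calls failed silently. The following is an added diagnostic version of the poster's script, not code from the thread: it keeps the same name-based removal logic unchanged and only adds reporting to the Application event log through WScript.Shell.LogEvent, so that after a reboot of an XP client the event log shows either the run and its result, or nothing, which points at GPO delivery instead. The event text is constructed for this example.

```vbscript
' Added diagnostic variant of the startup script (not the original poster's code).
' Assumptions: runs as a GPO computer startup script (LocalSystem) or interactively
' by an administrator for testing; the messages written to the event log are
' constructed for this example.
Option Explicit

Const EVT_ERROR = 1, EVT_INFO = 4          ' WScript.Shell.LogEvent types
Dim strComputer, objShell, objNetwork, objGroup, objUser, strReport

strComputer = "."
Set objShell   = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")

' Record the security context: a computer startup script runs as LocalSystem,
' an interactive test run reports the logged-on user instead.
strReport = "localaccount.vbs started as " & objNetwork.UserDomain & "\" & _
            objNetwork.UserName & " on " & objNetwork.ComputerName & vbCrLf

On Error Resume Next
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, strReport & "Cannot bind to Administrators: 0x" & _
                                 Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If

' Same rule as the original script: keep Administrator and Domain Admins by name,
' but log every member seen and whether each Remove() succeeded.
For Each objUser In objGroup.Members
    strReport = strReport & "member: " & objUser.ADsPath & vbCrLf
    If objUser.Name <> "Administrator" And objUser.Name <> "Domain Admins" Then
        Err.Clear
        objGroup.Remove objUser.ADsPath
        If Err.Number <> 0 Then
            strReport = strReport & "  remove FAILED: 0x" & Hex(Err.Number) & _
                        " " & Err.Description & vbCrLf
        Else
            strReport = strReport & "  removed" & vbCrLf
        End If
    End If
Next

' One Information event per run in the Application log (source "WSH").
objShell.LogEvent EVT_INFO, strReport
WScript.Quit 0
```

If no event appears after a reboot, the script was never launched on that client and the problem is GPO application (scope, security filtering, or the startup script policy) rather than the script body; if the event shows the run but failed removals, the error code tells you whether it is a permissions or a binding problem.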

  • #2
    Re: startup GPO script works on windows 2000 but not XP clients

    Hi.

    This is not an exact solution to your script problem, but you can use the Group Policy setting 'Restricted Groups' to do the same thing.

    It is located in GPO at: Computer Configuration - Windows Settings - Security Settings - Restricted Groups

    Here is some information about it : http://www.windowsecurity.com/articl...ed-Groups.html
    Last edited by KristoT; 19th March 2006, 22:14.



    • #3
      Re: startup GPO script works on windows 2000 but not XP clients

      I have a similar issue. A startup script that modifies the local admins account isn't running on all of our machines.



      • #4
        Re: startup GPO script works on windows 2000 but not XP clients

        Are you sure that the GPO is successfully applied to your Windows XP?
        On one of these machines open a command prompt and run gpresult.
        See if your GPO is in the list of Applied GPOs
        I tested and it worked on a Windows 2003 server.
        Regards,
        Csaba Papp
        MCSA+messaging, MCSE, CCNA
        ...............................
        Remember to give credit where credit is due and leave reputation points where appropriate
        .................................
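The gpresult check above can also be automated on the client, which is useful when many XP machines have to be checked. The script below is an added example, not code from this thread; it reads the computer's Resultant Set of Policy from the root\rsop\computer WMI namespace (the same data gpresult reports) and records for every GPO whether it was applied or why not. It assumes administrative rights (a startup script has them), an XP or later client, and uses the GPO name "RemoveUsers" from the first post; the report text is constructed for this example.

```vbscript
' Added example (not from the thread): was the GPO actually applied to this computer?
' Assumptions: run as an administrator or as a startup script; XP or later, where
' the root\rsop\computer namespace holds the logging-mode RSoP data.
Option Explicit

Dim objWMI, colGPOs, objGPO, objShell, strWanted, strState, strReport, blnApplied

strWanted  = "RemoveUsers"          ' GPO name from the first post
blnApplied = False
strReport  = "RSoP (computer) on " & CreateObject("WScript.Network").ComputerName & vbCrLf

Set objShell = CreateObject("WScript.Shell")
Set objWMI   = GetObject("winmgmts:\\.\root\rsop\computer")
Set colGPOs  = objWMI.ExecQuery("SELECT * FROM RSOP_GPO")

For Each objGPO In colGPOs
    ' A GPO only applies when the computer was not denied Read/Apply Group Policy,
    ' its WMI filter (if any) passed, and the GPO is enabled.
    If objGPO.accessDenied Then
        strState = "NOT applied: access denied (check the Apply Group Policy ACE)"
    ElseIf Not objGPO.filterAllowed Then
        strState = "NOT applied: WMI filter excluded this computer"
    ElseIf Not objGPO.enabled Then
        strState = "NOT applied: GPO disabled"
    Else
        strState = "applied"
    End If
    strReport = strReport & objGPO.name & " [" & objGPO.guidName & "]: " & strState & vbCrLf
    If StrComp(objGPO.name, strWanted, vbTextCompare) = 0 And strState = "applied" Then
        blnApplied = True
    End If
Next

' 4 = information, 2 = warning in the Application log
If blnApplied Then
    objShell.LogEvent 4, strReport & vbCrLf & strWanted & _
        " was applied; if the startup script still did not run, look at the script itself."
Else
    objShell.LogEvent 2, strReport & vbCrLf & strWanted & _
        " was NOT applied; check the OU link, security filtering and gpresult."
End If

' Show the report on screen only when started with cscript, never from a startup script
If LCase(Right(WScript.FullName, 11)) = "cscript.exe" Then WScript.Echo strReport
```

Run it with cscript on one of the affected XP clients after a reboot; a GPO missing from the list altogether means the computer account is outside the GPO's scope (wrong OU or link), while "access denied" points at security filtering on the GPO.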



        • #5
          Re: startup GPO script works on windows 2000 but not XP clients

          I have the same problem, but I think your Windows XP is SP2, right?
          My problem does not occur when the startup script runs on Win 2k and XP SP1.

          Try to run your setup with the program psexec.exe.
          psexec is one of the tools from PsTools v2.43 by Mark Russinovich,
          see http://www.microsoft.com/technet/sys...s/PsTools.mspx.

          Eg. psexec.exe setup /accepteula -s setup.exe

          Hope this helps!



          • #6
            Re: startup GPO script works on windows 2000 but not XP clients

            Originally posted by KuK
            I have the same problem, but I think your Windows XP is SP2, right?
            My problem does not occur when the startup script runs on Win 2k and XP SP1.

            Try to run your setup with the program psexec.exe.
            psexec is one of the tools from PsTools v2.43 by Mark Russinovich,
            see http://www.microsoft.com/technet/sys...s/PsTools.mspx.

            Eg. psexec.exe setup /accepteula -s setup.exe

            Hope this helps!
            Hi KuK,

            This topic was not about opening an exe file at startup. Your problem was therefore not the same.
            And why should 'cedtech23' try your solution if you are still having the problem you described? Uhh, doesn't make much sense, does it?
            You showed a command line for psExec that is using the "automatically confirm the EULA dialogue" switch. The correct command line should, in my opinion, be (?):
            \\...\psexec.exe -accepteula -s \\...\setup.exe -accepteula
            (the second -accepteula is a workaround needed for versions of psExec that are 'eating' the first -accepteula)
            Hope this helps you.

            - - - -

            The topic is about the code of a script that seems not to perform well during startup of computers with a new OS.
            I think the script that is shown should work normally during startup of WinXP.
            (More about the WinNT provider: http://www.rlmueller.net/WinNT_Binding.htm).

            The best suggestion was made by 'KristoT': use Restricted Groups and do not control this by script at all. Otherwise, troubleshoot the application of the GPO as 'netxt' suggested.

            Note...
            If there is a reason to delete added (!?) user accounts from the local Administrators group, then there is a real chance you are already too late! The name of the group or the Administrator's name could be renamed, and a local user account can be named Administrator and added to the group. Then this script will not do much good anymore!

            A more thorough approach
            Code:
            ' ControlLocalAdministrators.vbs
            ' http://forums.petri.com/showthread.php?t=7237
            
            Set wshNetwork = CreateObject("WScript.Network")
            strComputer = wshNetwork.ComputerName
            strDomain = wshNetwork.userDomain
            
            'Determine CurrNameLocGroup(Administrators) by its well-known SID,
            'so the group is found even when it has been renamed
            Set regEx = New RegExp
            regEx.IgnoreCase = False
            regEx.Pattern = "^S-1-5-32-544$"
            Set objGroups = GetObject("winmgmts:").ExecQuery("select * from" _
                & " Win32_Group where Domain = '" & strComputer & "'")
            For Each objGroup In objGroups
              'Exit For must sit inside the If block: as a separate statement after
              'a single-line If it would leave the loop after the first group, matched or not
              If regEx.Test(objGroup.SID) Then
                strLocAdmins = objGroup.Name
                Exit For
              End If
            Next
            
            'Determine CurrNameLocUser(Administrator) by its RID 500
            '(\d+ rather than \d{8,}: the sub-authorities are not guaranteed to have 8 digits)
            Set regEx = New RegExp
            regEx.IgnoreCase = False
            regEx.Pattern = "^S-1-5-21-\d+-\d+-\d+-500$"
            Set objUsers = GetObject("winmgmts:").ExecQuery("select * from" _
                & " Win32_UserAccount where Domain = '" & strComputer & "'")
            For Each objUser In objUsers
              If regEx.Test(objUser.SID) Then
                strLocAdmin = objUser.Name
                Exit For
              End If
            Next
            
            'Locate DomainGroup(Domain Admins)
            DNPath1 = "WinNT://" & strDomain & "/Domain Admins"
            '(The SID S-1-5-domain-512 is not used here to determine the actual name of the
            'group, since only Domain Administrators are able to change that. If you did make
            'end users members of the Domain Admins group, there is much more to be concerned about.)
            
            '-----------------------------
            'Controlling Group Membership
            '-----------------------------
            On Error Resume Next
            Set objGroup = GetObject("WinNT://" & strComputer & _
                           "/" & strLocAdmins & ",group")
            For Each objMember In objGroup.Members
              If Not objMember.Name = strLocAdmin Then _
                objGroup.Remove(objMember.ADsPath)
            Next
            
            If Not objGroup.IsMember(DNPath1) Then objGroup.Add(DNPath1)   '(!!!)
            
            wscript.quit(0)   '(Do not forget - also to change the password of the local Administrator account)
            EDIT:
            Important! This script will only control the members of the group, but be aware of the possibility that a user who was a member of the local Administrators group might have changed the password of the local Administrator at that time; then he/she is still able to redo your local settings again. Therefore, along with deleting users from the local Administrators group, you must also change the password of the local Administrator.
            You can do it all with the same script, and use the variable "strLocAdmin" to give the new password to, because that is for sure THE Administrator.
            Security: do not write the new Administrator password as plain text in the script. You could hide the password in the GPO by adding the password only to the 'Script Parameters' bar in the GPO, and in the script use 'scriptArguments' to read the parameters (example of how to use script arguments: http://forums.petri.com/showthread.p...9749#post59749; in the main part of this script you can also see example code that can reset the password).


            \RemS
            Last edited by Rems; 16th June 2007, 22:44.

            This posting is provided "AS IS" with no warranties, and confers no rights.

            __________________

            ** Remember to give credit where credit's due **
            and leave Reputation Points for meaningful posts
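Rems' note above makes the real point: a script that keeps or removes members by display name is defeated by renaming the built-in Administrator, or by creating a local user called "Administrator". The following is an added example, not Rems' script and not code from the thread: a report-only audit that resolves the local Administrators group and the two permitted members by SID, converts each member's binary objectSid from the WinNT provider to text, and writes every member that is not on the allow-list to the Application log. It assumes it runs as a startup script or as an administrator, that the NetBIOS domain name is passed as the script parameter (the WScript.Network UserDomain fallback is only right for an interactive test as a domain user), and, like Rems' script, still binds "Domain Admins" by name before pinning it to its SID. Nothing is removed; the event text is constructed for this example.

```vbscript
' Added example (not Rems' code): audit the local Administrators group by SID.
' Assumptions: first script argument = NetBIOS domain name; WinNT provider and
' WMI available (Windows 2000/XP and later); report-only, nothing is changed.
Option Explicit

Dim objNetwork, objShell, objWMI, colRows, objRow, objGroup, objMember, objDomAdmins
Dim strComputer, strDomain, strAdminsGroup, strAllowedLocalAdmin, strAllowedDomainAdmins
Dim strMemberSID, strReport, blnDrift

Set objShell   = CreateObject("WScript.Shell")
Set objNetwork = CreateObject("WScript.Network")
Set objWMI     = GetObject("winmgmts:")
strComputer = objNetwork.ComputerName

If WScript.Arguments.Count > 0 Then
    strDomain = WScript.Arguments(0)          ' GPO "Script Parameters" value
Else
    strDomain = objNetwork.UserDomain         ' only valid when testing interactively
End If

' Convert the binary objectSid the WinNT provider returns into "S-1-5-..." text.
' Layout: byte 1 revision, byte 2 sub-authority count, bytes 3-8 authority
' (big-endian), then one little-endian 4-byte value per sub-authority.
Function SidToString(bytSID)
    Dim i, intCount, dblAuth, dblSub, strOut
    intCount = AscB(MidB(bytSID, 2, 1))
    dblAuth = 0
    For i = 3 To 8
        dblAuth = dblAuth * 256 + AscB(MidB(bytSID, i, 1))
    Next
    strOut = "S-" & AscB(MidB(bytSID, 1, 1)) & "-" & CStr(dblAuth)
    For i = 0 To intCount - 1
        ' CDbl keeps values above 2^31 from overflowing a Long
        dblSub = CDbl(AscB(MidB(bytSID, 9 + i * 4, 1))) _
               + CDbl(AscB(MidB(bytSID, 10 + i * 4, 1))) * 256 _
               + CDbl(AscB(MidB(bytSID, 11 + i * 4, 1))) * 65536 _
               + CDbl(AscB(MidB(bytSID, 12 + i * 4, 1))) * 16777216
        strOut = strOut & "-" & CStr(dblSub)
    Next
    SidToString = strOut
End Function

' The local Administrators group, found by its well-known SID in case it was renamed.
strAdminsGroup = ""
Set colRows = objWMI.ExecQuery("SELECT Name, SID FROM Win32_Group WHERE Domain = '" & strComputer & "'")
For Each objRow In colRows
    If objRow.SID = "S-1-5-32-544" Then strAdminsGroup = objRow.Name
Next

' Allow-list by SID: the built-in Administrator is the local account with RID 500 ...
strAllowedLocalAdmin = ""
Set colRows = objWMI.ExecQuery("SELECT SID FROM Win32_UserAccount WHERE Domain = '" & strComputer & "'")
For Each objRow In colRows
    If Right(objRow.SID, 4) = "-500" Then strAllowedLocalAdmin = objRow.SID
Next
' ... and Domain Admins, bound by name (as in Rems' script) and then pinned to its SID.
Set objDomAdmins = GetObject("WinNT://" & strDomain & "/Domain Admins,group")
strAllowedDomainAdmins = SidToString(objDomAdmins.Get("objectSid"))

' Walk the membership; anything whose SID is not on the list is reported,
' including members whose SID no longer resolves (deleted accounts).
blnDrift  = False
strReport = "Local " & strAdminsGroup & " audit on " & strComputer & vbCrLf
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strAdminsGroup & ",group")
On Error Resume Next
For Each objMember In objGroup.Members
    Err.Clear
    strMemberSID = SidToString(objMember.Get("objectSid"))
    If Err.Number <> 0 Then strMemberSID = "(unresolved: " & objMember.ADsPath & ")"
    If strMemberSID = strAllowedLocalAdmin Or strMemberSID = strAllowedDomainAdmins Then
        strReport = strReport & "  ok     " & objMember.Name & "  " & strMemberSID & vbCrLf
    Else
        blnDrift  = True
        strReport = strReport & "  EXTRA  " & objMember.Name & "  " & strMemberSID & vbCrLf
    End If
Next
On Error GoTo 0

' 2 = warning when unexpected members were found, 4 = information otherwise
If blnDrift Then objShell.LogEvent 2, strReport Else objShell.LogEvent 4, strReport
If LCase(Right(WScript.FullName, 11)) = "cscript.exe" Then WScript.Echo strReport
```

Collecting these warning events centrally gives you drift detection for local admin membership independent of whether enforcement (a script or Restricted Groups) worked. The WScript.Arguments mechanism used here for the domain name is the same "Script Parameters" field Rems mentions for a password; keep in mind that the parameters are stored in scripts.ini under the GPO's SYSVOL folder, which every domain member can read, so that field does not hide a password from users.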

