This script will add or remove a domain user from the local admin group based on their membership in an Active Directory group. You basically just drop the user into the specified group, and the script does the rest. If the user is removed from the AD group, they will be removed from the local admin group.
I tested this in the System Account, so it can be deployed using desktop management software (preferably as a regular policy), or even as part of a login script.
Things to note:
- Was tested in W7 and W10.
- Was tested in the system account security context.
- Tested locally and in desktop management software.
- If user is not logged in, the script will exit.
- To acquire the current user from the system account, I query the explorer.exe process and return the user.
- It does work with nested AD groups.
- Compile this script if it is used in production.
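' Adds or removes the logged-on domain user from the local Administrators
' group, depending on whether the user is a (possibly nested) member of the
' AD group named in strADGroup. Written to run in the SYSTEM account; also
' works in the user's own context.
'
' I've left some simple logging in place (files under LOG_DIR), which I used
' for testing in the SYSTEM ACCOUNT. You can remove it if not needed.
'
' Fixes relative to the earlier version of this script:
'  - the logging folder was created with "cmd / md", i.e. without /c, so the
'    folder was never created; FileSystemObject is used instead
'  - GetUserName assigned "." to the global strComputer, which broke the
'    later "<computer>$" machine-account check
'  - log lines are written with FileSystemObject instead of "cmd /c echo",
'    so account names read from AD / WMI never pass through a shell
'  - the explorer.exe owner's domain is checked against the machine's domain
'    before any grant, so a local account with the same name as a group
'    member cannot trigger a grant
'  - nested groups are walked recursively (previously only one level deep)
'  - "net localgroup" is waited on and its exit code is logged; the account
'    is quoted because sAMAccountNames may contain spaces
Option Explicit
'on error resume next

' Globals shared by the subs/functions below.
Dim objRootDSE, objDBConnection, objRecord, objList, strDomain, strADGroup, strDB
Dim StrGroupDN, strSpace, strCurrentUser, MembershipStatus, strComputer
Dim ReturnedUserName, ReturnedUserDomain, objShell, objFSO, strUserDomain

' Folder for the test logs. It is written by SYSTEM; keep it somewhere
' non-admin users cannot tamper with if the logs are kept in production.
Const LOG_DIR = "C:\setup"

Set objShell = CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Create the logging folder before the first log line is written.
If Not objFSO.FolderExists(LOG_DIR) Then objFSO.CreateFolder LOG_DIR

'IS USER LOGGED IN? (quits the script if nobody is logged on at the console)
UserLoggedInStatus()

'AD GROUP - AD GROUP TO QUERY - GROUPS CAN BE NESTED
'SYSTEM ACCOUNT: NO ISSUES
strADGroup = "AD_Group_Name_Here"

'COMPUTERNAME
'SYSTEM ACCOUNT: NO ISSUES
strComputer = LCase(Trim(objShell.ExpandEnvironmentStrings("%COMPUTERNAME%")))

'DOMAIN OR WORKGROUP
'SYSTEM ACCOUNT: NO ISSUES
strUserDomain = LCase(Trim(objShell.ExpandEnvironmentStrings("%USERDOMAIN%")))

'WORKGROUP STATUS
'IF WORKGROUP IS FOUND, EXIT
If strUserDomain = strComputer Then
    'user context on a workgroup machine
    LogLine "_ComputerType.txt", "user context workgroup", False
    Leave()
ElseIf strUserDomain = "workgroup" Or strUserDomain = LCase("OtherWorkgroupName") Then
    'SYSTEM ACCOUNT on a workgroup machine (strUserDomain is already lower-cased,
    'so the placeholder name is lower-cased too before comparing)
    LogLine "_ComputerType.txt", "system account workgroup", False
    Leave()
Else
    LogLine "_ComputerType.txt", strUserDomain, False
End If

'DOMAIN
'SYSTEM ACCOUNT: NO ISSUES
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomain = Trim(objRootDSE.Get("DefaultNamingContext"))

'USERNAME
'SYSTEM ACCOUNT: NO ISSUES
'Returns username (and domain) from the explorer.exe process owner
GetUserName()
strCurrentUser = LCase(Trim(ReturnedUserName))
LogLine "_CurrentUser.txt", ReturnedUserDomain & "\" & strCurrentUser, False

'some simple validation
If strCurrentUser = strComputer & "$" Then Leave()   'machine account
If strCurrentUser = "" Then Leave()
If strCurrentUser = "system" Then Leave()
'Only act on accounts from this machine's domain: the group check below
'compares sAMAccountNames only, so a local account (or one from another
'domain) with the same name must not lead to a grant for the domain account.
If ReturnedUserDomain <> strUserDomain Then
    LogLine "_CurrentUser.txt", "owner domain '" & ReturnedUserDomain & "' is not '" & strUserDomain & "' - exiting", True
    Leave()
End If

'Group membership is False (no access) by default
MembershipStatus = False

'SET AD DB
'strADGroup is a constant in this file and is not escaped: keep it free of
'quote characters. No "On Error Resume Next" here on purpose - if the AD
'lookup fails the script should abort rather than fall through to RemoveAccess.
strDB = "Select ADsPath From 'LDAP://" & strDomain & "' Where ObjectCategory = 'Group' AND Name = '" & strADGroup & "'"
Set objDBConnection = CreateObject("ADODB.Connection")
objDBConnection.Provider = "ADsDSOObject"
objDBConnection.Open "Active Directory Provider"
Set objRecord = CreateObject("ADODB.Recordset")

'CONNECT TO AD
objRecord.Open strDB, objDBConnection

'TEST CONNECTION
'Can't find group - exiting now (nothing is removed in that case, so a typo
'in strADGroup cannot strip access from every user)
If objRecord.EOF Then Leave()

'SCAN THROUGH ALL GROUPS THAT MATCHED THE NAME
'Each one is walked recursively; objList tracks visited group paths.
On Error Resume Next
objRecord.MoveLast: objRecord.MoveFirst
While Not objRecord.EOF
    StrGroupDN = Trim(objRecord.Fields("ADsPath").Value)
    Set objList = CreateObject("Scripting.Dictionary")
    strSpace = " "
    NestedADMembers StrGroupDN, strSpace, objList, strCurrentUser
    Set objList = Nothing
    objRecord.MoveNext
Wend
On Error GoTo 0

'ONCE COMPLETE, CHECK MEMBERSHIP STATUS
If MembershipStatus Then
    AccessGranted()
Else
    RemoveAccess()
End If

'Exit
Leave()

'MY SUBs AND FUNCTIONS

'Writes one line to LOG_DIR\strFile. blnAppend = True appends, False
'overwrites. Uses FileSystemObject rather than "cmd /c echo ..." so that
'names read from AD or WMI are never interpreted by a shell.
Sub LogLine(strFile, strText, blnAppend)
    On Error Resume Next
    Dim objStream, intMode
    If blnAppend Then intMode = 8 Else intMode = 2   'ForAppending / ForWriting
    Set objStream = objFSO.OpenTextFile(LOG_DIR & "\" & strFile, intMode, True)
    objStream.WriteLine CStr(strText)
    objStream.Close
    Set objStream = Nothing
End Sub

'Runs "net localgroup administrators <DOMAIN\user> <strSwitch>" (strSwitch is
'"/add" or "/delete"), waits for it and returns/logs the exit code.
'The account is quoted because sAMAccountNames may contain spaces.
'SYSTEM ACCOUNT: NO ISSUES
Function NetLocalGroup(strSwitch)
    On Error Resume Next
    Dim strAccount
    strAccount = """" & strUserDomain & "\" & strCurrentUser & """"
    NetLocalGroup = objShell.Run("net localgroup administrators " & strAccount & " " & strSwitch, 0, True)
    LogLine "_AccessStatus.txt", "net localgroup " & strSwitch & " exit code " & NetLocalGroup, True
End Function

'Grant admin access
Sub AccessGranted()
    On Error Resume Next
    LogLine "_AccessStatus.txt", "GRANT ACCESS", False
    NetLocalGroup "/add"
End Sub

'Remove admin access (only the DOMAIN\user account is removed; local
'accounts in the Administrators group are never touched)
Sub RemoveAccess()
    On Error Resume Next
    LogLine "_AccessStatus.txt", "REMOVE ACCESS", False
    NetLocalGroup "/delete"
End Sub

'Exit: release the AD objects and quit
Sub Leave()
    On Error Resume Next
    objRecord.Close: Set objRecord = Nothing
    objDBConnection.Close: Set objDBConnection = Nothing
    Set objRootDSE = Nothing
    WScript.Sleep 5000
    WScript.Quit
End Sub

'Kept for compatibility with the earlier version; nested groups are now
'walked by NestedADMembers itself.
Sub MainADGroup(ADPath, strSpace, objList, strCurrentUser)
    NestedADMembers ADPath, strSpace, objList, strCurrentUser
End Sub

'Walks the members of the group at ADPath and recurses into nested groups.
'objList is a Dictionary of group ADsPaths already visited; it stops cycles
'and repeat visits. Sets the global MembershipStatus to True when a member's
'sAMAccountName equals strCurrentUser (both lower-cased). strSpace is only
'used to indent the log so nesting depth is visible.
Function NestedADMembers(ADPath, strSpace, objList, strCurrentUser)
    On Error Resume Next
    Dim objGroup, objMember, strGroupMember
    Set objGroup = GetObject(ADPath)
    For Each objMember In objGroup.Members
        strGroupMember = LCase(Trim(objMember.sAMAccountName))
        'SYSTEM ACCOUNT: NO ISSUES
        LogLine "_GroupMembers.txt", strSpace & strGroupMember, True
        If strGroupMember = strCurrentUser Then
            MembershipStatus = True
        End If
        If StrComp(Trim(objMember.Class), "Group", vbTextCompare) = 0 Then
            If Not objList.Exists(objMember.ADsPath) Then
                objList.Add objMember.ADsPath, 1
                NestedADMembers objMember.ADsPath, strSpace & " ", objList, strCurrentUser
            End If
        End If
    Next
End Function

'Returns the owner of explorer.exe through the globals ReturnedUserName and
'ReturnedUserDomain (domain lower-cased). Uses a local host-name variable so
'the global strComputer is left intact.
'NOTE(review): every explorer.exe is enumerated and the last owner wins, so
'on a host with several interactive sessions (e.g. RDS) the result is
'arbitrary - confirm this is acceptable before deploying to such hosts.
Function GetUserName()
    On Error Resume Next
    Dim strLocalHost, colExplorer, objProc, intRet, strOwner, strOwnerDomain
    strLocalHost = "."
    Set colExplorer = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strLocalHost & "\root\cimv2").ExecQuery("Select * from Win32_Process Where Name = 'explorer.exe'")
    For Each objProc In colExplorer
        intRet = objProc.GetOwner(strOwner, strOwnerDomain)
        'SYSTEM ACCOUNT: NO ISSUES
        LogLine "_ExplorerProcessUser.txt", strOwnerDomain & "\" & strOwner, False
        If intRet = 0 Then
            ReturnedUserName = strOwner
            ReturnedUserDomain = LCase(Trim(strOwnerDomain))
        End If
    Next
End Function

'Returns True when Win32_ComputerSystem reports a console user. When nobody
'is logged on it logs False and quits the script.
Function UserLoggedInStatus()
    On Error Resume Next
    Dim strLoggedOn, objWMIService, colItems, objItem
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    Set colItems = objWMIService.ExecQuery("Select * from Win32_ComputerSystem",,48)
    strLoggedOn = ""
    For Each objItem In colItems
        'UserName is Null with no console user; "& """ turns that into ""
        strLoggedOn = Trim(objItem.UserName) & ""
    Next
    UserLoggedInStatus = (strLoggedOn <> "")
    'SYSTEM ACCOUNT: NO ISSUES
    LogLine "_LogonStatus.txt", UserLoggedInStatus, False
    Set objItem = Nothing
    Set colItems = Nothing
    Set objWMIService = Nothing
    If Not UserLoggedInStatus Then WScript.Quit(0)
End Function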