What's the best way to deploy a Prism Task that adds the domain users group to the local administrator group? I want to run the Task, then undo it later.



Starting with Windows 2000, Microsoft changed how it stores user account information to a much more secure format. As a result, Prism Deploy cannot create Packages of user/group account changes. Each user and group has a unique ID on each machine, so a Package that contains something like the local Administrators group makes no sense to another computer: that computer's local Administrators group is actually something quite different.

That being said, Prism Deploy can deploy Command Tasks that can accomplish the same thing. 

NET Command Option

The first option is to create a Command Task that uses the NET command. A sample command would look like:

NET LOCALGROUP Administrators /ADD "yourdomainhere\Domain Users"

Be sure to replace yourdomainhere with the name of your domain.  You will need to change the Run as property to run as a domain admin. This Task can then be assigned to any computer that you wish to add the Domain Users group to the local Administrators group.

To undo this, view the properties of the Command Task that you created above. Click the Task tab and then the Uninstall... button. Check the "Use uninstall command" box and enter the following command:

NET LOCALGROUP Administrators /DELETE "yourdomainhere\Domain Users"

Hit OK twice and you're ready to uninstall the Task. Now, when you choose Uninstall the Task for this Command Task, it will actually run the second command.

VBScript Option

The second option is to create a VBScript that makes the same change. Paste the following into a text file and name it AddDomainUsers.vbs:

strComputer = "."

strDomain = "yourdomainhere"

Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

Set objDomainGroup = GetObject("WinNT://" & strDomain & "/Domain Users,group")

objLocalGroup.Add(objDomainGroup.ADsPath)

Be sure to replace yourdomainhere with the name of your domain. Make sure this file is in a network shared location and create a Command Task within the Prism Deploy Console that points to it (e.g. \\server\share\AddDomainUsers.vbs). You will need to change the Run as property to run as a domain admin. This Task can then be assigned to any computer that you wish to add the Domain Users group to the local Administrators group.

To undo this, create a second VBScript called RemoveDomainUsers.vbs and save it in the network share as well. This script would contain:

strComputer = "."

strDomain = "yourdomainhere"

Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

Set objDomainGroup = GetObject("WinNT://" & strDomain & "/Domain Users,group")

objLocalGroup.Remove(objDomainGroup.ADsPath)

Again, make sure that you replace yourdomainhere with the name of your domain. To use this new script, view the properties of the Command Task that you created above. Click the Task tab and then the Uninstall... button. Check the "Use uninstall command" box and point to the remove script that you just created (i.e. \\server\share\RemoveDomainUsers.vbs). Hit OK twice and you're ready to uninstall the Task. Now, when you choose Uninstall the Task for your AddDomainUsers Task, it will actually run the RemoveDomainUsers script.
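
Since this membership gives every domain account administrative rights on the machine, it helps to confirm that the undo really took effect. The script below is an added example, not part of the original article or of Prism Deploy: it combines the add and remove scripts above, skips the change when the machine is already in the requested state, and reports the resulting membership. The file name DomainUsersAdmin.vbs, the add/remove/check arguments and the exit codes are assumptions made for this example.

```vbscript
' DomainUsersAdmin.vbs (hypothetical name) - added example, not vendor code.
' Usage: cscript //nologo DomainUsersAdmin.vbs add|remove|check
Option Explicit

Const strComputer = "."
Const strDomain = "yourdomainhere"   ' replace with the name of your domain

Dim objLocalGroup, objDomainGroup, strAction, blnMember

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: DomainUsersAdmin.vbs add|remove|check"
    WScript.Quit 2
End If
strAction = LCase(WScript.Arguments(0))

On Error Resume Next
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/Domain Users,group")
blnMember = objLocalGroup.IsMember(objDomainGroup.ADsPath)
If Err.Number <> 0 Then
    WScript.Echo "Could not bind to or query the groups: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

Select Case strAction
    Case "add"      ' Add only when missing, so a repeated run does not error
        If Not blnMember Then objLocalGroup.Add objDomainGroup.ADsPath
    Case "remove"   ' Remove only when present, for the same reason
        If blnMember Then objLocalGroup.Remove objDomainGroup.ADsPath
    Case "check"
        ' Report only, no change
    Case Else
        WScript.Echo "Unknown action: " & strAction
        WScript.Quit 2
End Select
If Err.Number <> 0 Then
    WScript.Echo "Change failed: 0x" & Hex(Err.Number)
    WScript.Quit 1
End If

' Re-read membership so the output shows the state actually left on the machine.
blnMember = objLocalGroup.IsMember(objDomainGroup.ADsPath)
WScript.Echo "Domain Users in local Administrators: " & blnMember
If strAction = "check" And blnMember Then WScript.Quit 3   ' still a member
WScript.Quit 0
```

Used in a Command Task, the install command would call the script with add and the uninstall command with remove; running it with check after the uninstall exits with 3 if the group is still a member.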