VBSCRIPT: Add New Domain’s Admins to Local Administrators Programmatically
In order for Active Directory Migration Tool (ADMT) to install its Agent on a newly migrated computer, the user running the ADMT tool must have local Administrator access. Otherwise, the error log shows something similar to the following:
WRN1:7290 Processor architecture for machine \NT4MACHINE is unknown, Error accessing registry key SYSTEM\CurrentControlSet\Control\Session Manager\Environment rc=5 Access is denied.
Failed to install agent on \NT4MACHINE, rc=5 Access is denied. Unable to access ADMIN$ share on the machine 'NT4MACHINE'. Make sure the share exists and the account running ADMT is a member of local administrators group on the machine 'NT4MACHINE'. hr=0x80070005. Access is denied.
Here is a basic script that will go through each of the Windows workstations on the old domain and add the new domain's "Domain Admins" group to the workstation's local Administrators group. If the machine is a Windows Server OS, it will be ignored. Change the newDomain and oldDomain variables to match your network.
newDomain = "NEW2K3"
oldDomain = "OLDNT4"

' The new domain's "Domain Admins" group, to be added on each workstation
Set objADGroup = GetObject("WinNT://" & newDomain & "/Domain Admins,group")

' Enumerate only the computer accounts in the old domain
Set objOldDomain = GetObject("WinNT://" & oldDomain)
objOldDomain.Filter = Array("Computer")

For Each Computer In objOldDomain
    strComputer = Computer.Name
    ' Connect to WMI on the remote machine (the UNC-style \\ prefix is required)
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    For Each objOperatingSystem In colSettings
        ' Skip machines running a Windows Server OS
        If InStr(UCase(objOperatingSystem.Name), "SERVER") = 0 Then
            Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
            objLocalGroup.Add(objADGroup.AdsPath)
            Set objLocalGroup = Nothing
        End If
    Next
    Set colSettings = Nothing
    Set objWMIService = Nothing
Next
Set objADGroup = Nothing

Also, if you do not have the workstation's primary DNS server set to the new domain's DNS servers, ADMT will quit with the following error:
ERR3:7075 Failed to change domain affilation, hr=8007054b The specified domain either does not exist or could not be contacted.
oldDomain = "OLDNT4"
DNSServerArray = "192.168.1.1,192.168.1.2"

Set objOldDomain = GetObject("WinNT://" & oldDomain)
objOldDomain.Filter = Array("Computer")

For Each Computer In objOldDomain
    strComputer = Computer.Name
    ' Connect to WMI on the remote machine (the UNC-style \\ prefix is required)
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colSettings = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    For Each objOperatingSystem In colSettings
        ' Skip machines running a Windows Server OS
        If InStr(UCase(objOperatingSystem.Name), "SERVER") = 0 Then
            ' Split the comma-separated list into one array element per server
            arrNewDNSServerSearchOrder = Split(DNSServerArray, ",")
            Set colNicConfigs = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
            For Each objNicConfig In colNicConfigs
                intSetDNSServers = objNicConfig.SetDNSServerSearchOrder(arrNewDNSServerSearchOrder)
                ' 0 = success, 1 = success but reboot required; anything else is a failure
                If intSetDNSServers <> 0 And intSetDNSServers <> 1 Then Wscript.Echo "Oops, problem on " & strComputer
            Next
        End If
    Next
    Set colSettings = Nothing
    Set objWMIService = Nothing
Next

Also, that probably won't be effective on machines set to accept DNS servers via DHCP, though I haven't tested. Be sure you reboot after resetting the DNS, otherwise, you'll run into the following error:
The ADSI property cannot be found in the property cache ErrCode=8000500d
Go ahead and reboot the workstation, it should solve the problem.
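A read-only check for the two preconditions described above, as an added example that is not the author's code: for each computer account in the old domain it reports whether the new domain's "Domain Admins" group is in the local Administrators group and which DNS servers each IP-enabled adapter uses. The function name CheckComputer and the constant NIC_QUERY are hypothetical, the domain names are the sample values from the scripts above, and unlike those scripts it does not skip servers.

```vbscript
' Added example (not the author's code): read-only report, changes nothing.
Option Explicit
Const NEW_DOMAIN = "NEW2K3"   ' sample values from the scripts above
Const OLD_DOMAIN = "OLDNT4"
Const NIC_QUERY = "SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True"

Dim objOldDomain, objComputer
Set objOldDomain = GetObject("WinNT://" & OLD_DOMAIN)
objOldDomain.Filter = Array("Computer")
For Each objComputer In objOldDomain
    WScript.Echo CheckComputer(objComputer.Name)
Next

' Returns one report line per computer. Errors are trapped inside the function
' so an offline machine is reported instead of ending the whole run.
Function CheckComputer(strComputer)
    Dim objGroup, objWMI, colNics, objNic, blnMember, strAdmin, strDns
    On Error Resume Next
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    If Err.Number <> 0 Then
        CheckComputer = strComputer & ": unreachable (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If
    ' Assign first, then test Err: an error raised inside an If condition
    ' under Resume Next would fall into the Then branch.
    blnMember = objGroup.IsMember("WinNT://" & NEW_DOMAIN & "/Domain Admins")
    If Err.Number <> 0 Then
        strAdmin = "membership check failed (0x" & Hex(Err.Number) & ")"
    ElseIf blnMember Then
        strAdmin = "new Domain Admins present"
    Else
        strAdmin = "new Domain Admins MISSING"
    End If
    Err.Clear
    Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    If Err.Number = 0 Then Set colNics = objWMI.ExecQuery(NIC_QUERY)
    If Err.Number <> 0 Then
        strDns = "WMI error 0x" & Hex(Err.Number)
    Else
        For Each objNic In colNics
            If IsArray(objNic.DNSServerSearchOrder) Then
                strDns = strDns & Join(objNic.DNSServerSearchOrder, ",")
            Else
                strDns = strDns & "(no DNS servers set)"
            End If
            If objNic.DHCPEnabled Then strDns = strDns & " [DHCP]"
            strDns = strDns & "; "
        Next
    End If
    CheckComputer = strComputer & ": " & strAdmin & "; DNS: " & strDns
End Function
```

Run it with cscript so each line goes to the console rather than a message box; the same report can be rerun after the migration to find workstations where the group grant is still in place.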



July 31st, 2006 - 10:54
Is your script for adding Domain Admins to the local Administrators group supposed to be run on the domain controller of the old domain or the new domain? Running on the old domain produces an invalid syntax error on line 4, and running on the new domain controller throws an error on line 6 about TheDomain.Filter being undefined.
thanks,
-Jim
August 1st, 2006 - 16:51
Hey Jim,
I ran this on the new domain controller though you should be able to run it on any computer that both domains trust.
You are right about the TheDomain, I changed the object name to be more representative in one place and forgot to change it in the other. I’ve updated the script.
Let me know how it works for you!
October 31st, 2006 - 06:02
Running your script on the old NT 4.0 domain produces an invalid syntax error on line 4, and running on the new domain controller throws an error on line 6 about TheDomain.Filter being undefined.
I am also getting errors about the object.
I could really use this script if it works. Please Help me!
October 31st, 2006 - 09:48
Eric,
Where did you find the object “TheDomain”? It was in there months ago but I removed it. Even checked the source code for this page and the first hit for “TheDomain” was in your comment.
As for NT 4, I have no idea.. I suggest running it on the new trusted domain instead.
June 3rd, 2007 - 19:16
Hi Chrissy,
I have one Win2k server and one 2k3 server. I am migrating users from Win2k to Win2k3, and I want to add the Win2k3 admin to the admin group on all client PCs.
All client PCs log in to win2kpc.
Will the above script work for my structure?
Where can I put the script?
My Win2k domain name is abc and the domain controller name is test; the full name is test.abc.
My Win2k3 domain name is xyz.com and the domain controller name is dc; the full name is dc.xyz.com.
Please guide me.
Where can I change it, and what can I change in your script?
And where can I put the script?
All the users log in to the Win2k server.
Please.
I am waiting for your answer.