Batch Add Domain Users to a Local Security Group on Domain Hosts
You can run a script to automate adding the user that the Agent runs under to the local Backup Operators group (or Administrators group, if collecting from Windows XP workstations). You can run the script manually on each host the Agent needs access to, or it can be pushed via Group Policy Object (GPO).
- Configure the script for execution.
- Create a new text file, name it AddLogRhythmUser.vbs, and save it in an accessible location.
Open the script in Notepad, and copy the following code into the file:
```vbscript
'**********
'Add User To Local Group Script
'Copyright 2007 LogRhythm, Inc.
'Last Updated: 8/29/2007
'Function:
' This script will add the specified domain account to a specified local group
' It can be added to a GPO to apply the change across the hosts managed by the GPO
'**********

function add_to_local_group( machine, account, local_group_name )
    set object_to_add = GetObject("WinNT://" & account )
    set local_group = GetObject("WinNT://" & machine & "/" + local_group_name & ",group")
    On Error Resume Next
    local_group.Add( object_to_add.AdsPath )
end function

'Constants - do not change
'*********
this_machine = "."

'**********
'Variables - change the following values
'**********
'Change the value to the domain user you want added to the local group. Change should be in the format of [DomainName/UserName].
domain_account = "DOMAIN/USERNAME"

'Change the value to the name of the local group you want the domain user added to. LogRhythm recommends the Backup Operators group.
admin_group_name = "Backup Operators"
'**********

call add_to_local_group(this_machine, domain_account, admin_group_name)
```
- Edit the domain_account = "DOMAIN/USERNAME" variable (line 25), to reference the local domain, and the user that will be used by the Agent service to log on.
- If collecting from Windows XP workstations, edit the admin_group_name = "Backup Operators" variable (line 28), to reference the local Administrators group. It should read admin_group_name = "Administrators".
- Save the file.
- Run the script on the hosts by doing one of the following:
- To run the script locally, copy it to the host where group membership will be modified, and double-click it.
- To configure the domain GPO to cause the script to run on system boot:
- Click Active Directory Users and Computers.
The Active Directory Users and Computers window appears.
- On the Organizational Unit (OU) that contains the computer account objects, right-click the OU.
- Click Properties.
- Select the Group Policy tab.
- Select the GPO in effect.
- Edit the GPO.
- In the Group Policy Object Editor MMC, go to Computer Configuration and click Windows Settings.
- Click Scripts.
- Click Startup.
- Right-click the selection and click Properties.
- Click Show Files.
A Windows Explorer window to the startup scripts folder of the GPO appears.
- Drag, paste, or move the AddLogRhythmUser.vbs script into the folder.
- To return to the GPO dialog box, close the Windows Explorer window.
- Click Add.
- Select the AddLogRhythmUser.vbs script. No Script Parameters are needed.
- To add the script, click OK.
To save the setting, click OK.
On the next boot, the Agent's user account will be added to the local Backup Operators group on all machines that this GPO controls. The script is stored in the GPO itself and does not reference the file. Host machines need no access to the script file itself.
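The script sets On Error Resume Next before calling Add, so a failed add reports nothing. The following PowerShell check is an added example, not LogRhythm code: it reads group membership back through the same WinNT provider and reports whether the Agent account is in Backup Operators or Administrators. The function name Test-LocalGroupMember, the host list, and the account value are placeholders, and it assumes the account running it may read local groups on the listed hosts.

```powershell
# Added example, not part of the LogRhythm script. Reads local group
# membership through the WinNT ADSI provider used by AddLogRhythmUser.vbs.
function Test-LocalGroupMember {   # hypothetical helper name
    param(
        [string]$ComputerName = '.',            # '.' = local machine, as in the script
        [Parameter(Mandatory = $true)]
        [string]$Account,                       # DOMAIN/USERNAME format, as in the script
        [string]$GroupName = 'Backup Operators'
    )
    # Assumption: a domain member's ADsPath is reported as WinNT://DOMAIN/USERNAME.
    $wanted = "WinNT://$Account"
    $result = [pscustomobject]@{
        Computer = $ComputerName
        Group    = $GroupName
        Account  = $Account
        IsMember = $false
        Error    = $null
    }
    try {
        $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        # Members() returns COM objects; read each member's ADsPath via reflection.
        $paths = $group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
        # -contains compares case-insensitively, like Windows account names.
        $result.IsMember = @($paths) -contains $wanted
    }
    catch {
        # Host unreachable, access denied, or group not found: record it
        # instead of hiding it, so silent failures become visible.
        $result.Error = $_.Exception.Message
    }
    $result
}

$agentAccount = 'DOMAIN/USERNAME'   # placeholder; set to the Agent service account
$computers    = @('.')              # placeholder host list; add host names here

foreach ($c in $computers) {
    # Check both groups the page mentions, so an account that ended up in
    # Administrators when Backup Operators was intended shows in the report.
    foreach ($g in 'Backup Operators', 'Administrators') {
        Test-LocalGroupMember -ComputerName $c -Account $agentAccount -GroupName $g
    }
}
```

Rows with IsMember False and a non-empty Error indicate hosts that could not be checked, which is different from hosts where the account is confirmed absent.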