Automating Updates to Local Groups on Member Servers

This article was previously published under Q180546
This article has been archived. It is offered "as is" and will no longer be updated.
SUMMARY
Batch files can be used to remotely add user accounts to local groups on all computers running Windows NT or Windows 2000 in a domain environment.
MORE INFORMATION
This article demonstrates how to create a batch file system that will add a user to all local administrators groups located on every computer running Windows NT or Windows 2000 within a domain environment.

The batch file system uses Netdom.exe from the Windows NT 4.0 Resource Kit to create a list of computers running Windows NT that are operating as member servers or workstations in a domain. After the list is created, each computer from the list is pinged to determine if the computer is currently online. If the computer is online, Addusers.exe will be called to place a new user in the computer's local administrators group. If a computer was online, its name will be placed in a temporary file. After all computers have been processed, the temporary file will be compared to the list of computers from the domain, to create a new list of computers that have not yet been updated. This batch file system can be run multiple times to target only the computers that still need to be processed. Copy NETDOM.EXE, ADDUSERS.EXE, and REG.EXE from the Windows NT 4.0 Resource Kit to the folder where the scripts are.

To create these batch files, perform the following steps:

  1. Create the following batch files from the listing below:
    INSUSER.BAT, SUB1.BAT, SUB2.BAT, SUB3.BAT, SUB4.BAT,
    SUB5.BAT, and ADDUSERS.DAT.
  2. Edit the first line of INSUSER.BAT to reflect the domain name where the target computers are located.
  3. Change the <domain\user> in the second line in Addusers.dat to reflect the name of the user you wish to add to each computer's local administrators group. Make sure there is one blank line at the top of the Addusers.dat file.
  4. Log on to the network with domain administrator credentials for the domain you wish to modify. Make sure the Windows NT 4.0 Resource Kit has been installed, and is accessible through the system path. This system uses Netdom.exe and Addusers.exe from the resource kit.
  5. Run the INSUSER.BAT. This batch file may take many hours to complete.
  6. Examine the contents of Complete.txt and Working.txt. The Complete.txt file contains the names of the computers that were updated; the Working.txt file contains the names of the computers that still need processing.
Repeat Steps 5 & 6 as necessary.

If you need to start the entire process over from scratch, delete all .txt files, then start at Step 1.

Filename: INSUSER.BAT
set CurrentDomain=mydomain
echo off
cls
if (%CurrentDomain%) == (mydomain) echo Edit the first line of INSUSER.BAT.
if (%CurrentDomain%) == (mydomain) echo then rerun INSUSER.BAT
if (%CurrentDomain%) == (mydomain) goto verybottom
if not exist addusers.dat goto DisplayAddUsers
rem *** Display current variable settings ***
echo Current domain is %CurrentDomain%.
echo.
rem *** Determine if working list is present ***
If exist working.txt echo Working list detected, resuming batch process.
If exist working.txt goto SkipCreateList
echo Creating a list of member servers in %CurrentDomain%.
echo.
netdom /d:%CurrentDomain% member > working.txt
rem *** Remove NETDOM formatting from server names ***
if exist temp.txt del temp.txt
for /F "skip=6 delims=\ tokens=2" %%a in (working.txt) do call sub1.bat %%a
del working.txt
ren temp.txt working.txt
:SkipCreateList
rem *** Determine if machine is online ***
if exist online.txt del online.txt
for /F "delims=\\ tokens=1" %%a in (working.txt) do call sub2.bat %%a
rem *** Remove servers that have been processed from WORKING.TXT ***
if not exist online.txt goto NoServersOnline
echo.
echo Updating list of servers that need to be processed.
for /F "delims=  tokens=1" %%a in (online.txt) do call sub4.bat %%a
echo List complete.
goto Bottom
:DisplayAddUsers
Echo.
Echo. You must modify the contents of ADDUSERS.DA, then rename the
Echo. file to ADDUSERS.DAT.  Then re-run this batch file.
goto verybottom
:NoServersOnline
Echo.
Echo There are no servers currently online that can be processed.
:Bottom
echo.
echo ------------------------------------
echo --- Finished processing servers. ---
echo ------------------------------------
:verybottom

Filename: SUB1.BAT
rem *** Remove formatting from Netdom output ***
echo %1 >> temp.txt

Filename: SUB2.BAT
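echo Pinging %1...
ping %1 > PING.TXT
rem *** Token 4 of a ping reply line has the form bytes=32. CALL splits ***
rem *** it at the equals sign, so SUB3.BAT receives the word bytes as   ***
rem *** its first argument, the byte count as its second argument and   ***
rem *** the computer name as its third argument.                        ***
for /F "skip=6 tokens=4" %%a in (PING.TXT) do call sub3.bat %%a %1
del PING.TXT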

Filename: SUB3.BAT
rem *** If server is online it will be logged in online.txt for ***
rem *** processing later.                                       ***
rem ***    %2 is a bogus variable, thrown away.
if not (%1) == (bytes) goto NotOnline
echo %3 >> ONLINE.TXT
echo [%3 is online.]
rem ***********************************************
rem *** Put per-server processing commands here ***
rem ***********************************************
rem *** The following section determines if *******
rem *** Workstation or Server is running    *******
rem ***********************************************
rem *** Clear the value left over from the previous computer, so that ***
rem *** a failed registry query is reported as undetermined.          ***
set product_type=
REM The delims value on the next line is a single TAB character.
REM Next Line wrapped by text editor for readability, it should all be on one line
for /F "delims=	 tokens=3" %%i IN ('reg query hklm\system\currentcontrolset\control\ProductOptions\ProductType \\%3') DO set product_type=%%i
REM End single line
if "%product_type%"=="" goto Undetermined
if "%product_type%"=="WinNT" goto Workstation
if "%product_type%"=="ServerNT" goto Server
if "%product_type%"=="LanmanNT" goto DomainController
:Undetermined
echo Unable to determine Windows NT Product Type, check the following
echo registry key for product type
echo.
echo hklm\system\currentcontrolset\control\ProductOptions\ProductType
echo.
echo Expected values
echo.
echo ProductType   Product
echo ----------------------------------------------------
echo WinNT         Windows NT Workstation is running
echo ServerNT      Windows NT Server is running
echo LanmanNT      Windows NT Domain controller
echo.
echo %3 >>undetermined.txt
goto Sub3bot
:DomainController
echo %3 >>dc.txt
goto sub3bot
:Server
echo %3 is a Server, skipping...
echo %3 >>server.txt
rem *** Despite the message above, goto adduser processes servers. ***
rem *** Use goto Sub3bot here to skip them.                        ***
goto adduser
:Workstation
echo %3 is a Workstation, processing %3
echo %3 >> wks.txt
goto adduser
:adduser
ECHO Adding new user to local administrators group on %3.
ECHO *** \\%3 *** >> local.log
rem Add a user to each member servers local administrators group
ADDUSERS \\%3 /C addusers.dat > nul
rem *****************************************************
rem net send %3 "it worked"
rem *** Put per-server processing commands above here ***
rem *****************************************************
goto Sub3Bot
:NotOnline
:Sub3Bot

Filename: SUB4.BAT
rem *** loop thru each name in working.txt and remove servers that were ***
rem *** in online.txt. ***
echo Removing %1 from list.
if exist temp.txt del temp.txt
for /F "tokens=1" %%a in (working.txt) do call sub5.bat %%a %%1
del working.txt
if exist temp.txt ren temp.txt working.txt

Filename: SUB5.BAT
rem *** Filter out servers that have been updated ***
rem %1 is name from working.txt
rem %2 is name from online.txt
if (%1) == (%2) echo %1 >> complete.txt
if not (%1) == (%2) echo %1 >> temp.txt

Filename: ADDUSERS.DAT
[Local]
Administrators,Members can fully administer the computer,<domain\user>,

Additionally, you can configure these batch files to execute the single command on workstations or servers only; see Specifying Servers or Workstations.

Specifying Servers or Workstations

By replacing SUB3.BAT with the following batch file, REG.EXE from the Resource Kit is used to check the product type in the registry (server, workstation or domain controller). By changing the goto command in the :server and :workstation sections, you can control whether the command is run against servers or workstations as follows:

GOTO Sub3bot - This product type will be skipped.
GOTO Adduser - Commands in the :adduser section will be processed against this product type.

Currently, only workstation is selected. The contents of complete.txt can be ignored when using this modified sub3.bat. Check LOCAL.LOG to determine which machines have been updated. Here's a description of the log files that may be generated.

LOCAL.LOG - Machines that have been updated.

WKS.TXT - Machines that have been identified as workstations.

SERVER.TXT - Machines identified as SERVERS.

UNDETERMINED.TXT - Machines that are identified in server manager as a server or workstation but do not have the product type defined in the registry, or whose registry could not be read remotely.

DC.TXT - Machines that are identified in server manager as a server or workstation but the product type defined in the registry indicates this is a domain controller. These systems will not be processed.

WORKING.TXT - Contains a list of machines that are listed in server manager but did not respond to PING. This list is used when running the batch files a second or third time.

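Filename: SUB3.BAT
rem *** If server is online it will be logged in online.txt for ***
rem *** processing later.                                       ***
rem ***    %2 is a bogus variable, thrown away.
if not (%1) == (bytes) goto NotOnline
echo %3 >> ONLINE.TXT
echo [%3 is online.]
rem ***********************************************
rem *** Put per-server processing commands here ***
rem ***********************************************
rem *** The following section determines if *******
rem *** Workstation or Server is running    *******
rem ***********************************************
rem *** Clear the value left over from the previous computer, so that ***
rem *** a failed registry query is reported as undetermined.          ***
set product_type=
REM Next Line wrapped by text editor for readability, it should all be on one line
for /F "tokens=3" %%i IN ('reg query hklm\system\currentcontrolset\control\ProductOptions\ProductType \\%3') DO set product_type=%%i
REM End single line
if "%product_type%"=="" goto Undetermined
if "%product_type%"=="WinNT" goto Workstation
if "%product_type%"=="ServerNT" goto Server
if "%product_type%"=="LanmanNT" goto DomainController
:Undetermined
echo Unable to determine Windows NT Product Type, check the following
echo registry key for product type
echo.
echo hklm\system\currentcontrolset\control\ProductOptions\ProductType
echo.
echo Expected values
echo.
echo ProductType   Product
echo ----------------------------------------------------
echo WinNT         Windows NT Workstation is running
echo ServerNT      Windows NT Server is running
echo LanmanNT      Windows NT Domain controller
echo.
echo %3 >>undetermined.txt
goto Sub3bot
:DomainController
echo %3 >>dc.txt
goto sub3bot
:Server
echo %3 is a Server, skipping...
echo %3 >>server.txt
rem *** Servers are skipped. Use goto adduser here to process them. ***
goto Sub3bot
:Workstation
echo %3 is a Workstation, processing %3
echo %3 >> wks.txt
goto adduser
:adduser
ECHO Adding new user to local administrators group on %3.
ECHO *** \\%3 *** >> local.log
rem Add a user to each member servers local administrators group
ADDUSERS \\%3 /C addusers.dat > nul
rem *****************************************************
rem net send %3 "it worked"
rem *** Put per-server processing commands above here ***
rem *****************************************************
goto Sub3Bot
:NotOnline
:Sub3Bot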
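
The log files described above can be reconciled after a run to review which machines were touched. The following Python script is an added example, not part of the original article; the function names, the in_scope parameter and the sample file contents are constructed for illustration. It treats a LOCAL.LOG entry as an attempt only, because SUB3.BAT writes the entry before it calls ADDUSERS and sends the ADDUSERS output to nul.

```python
import re

# Per-type result files written by the modified SUB3.BAT, one host per line.
TYPE_FILES = {"wks.txt": "workstation", "server.txt": "server",
              "dc.txt": "domain controller", "undetermined.txt": "undetermined"}
# SUB3.BAT appends "*** \\HOST ***" to LOCAL.LOG just before calling ADDUSERS.
LOG_ENTRY = re.compile(r"^\*\*\* \\\\(\S+) \*\*\*\s*$")


def host_list(text):
    """Unique host names, upper-cased, in first-seen order."""
    return list(dict.fromkeys(text.upper().split()))


def attempted_hosts(local_log):
    """Hosts with a LOCAL.LOG entry; repeat runs collapse to one entry."""
    found = (LOG_ENTRY.match(line) for line in local_log.splitlines())
    return list(dict.fromkeys(m.group(1).upper() for m in found if m))


def reconcile(files, in_scope=("workstation",)):
    """Return {host: finding} for every host named in the result files."""
    kind = {}
    for fname, label in TYPE_FILES.items():
        for host in host_list(files.get(fname, "")):
            kind.setdefault(host, set()).add(label)
    pending = host_list(files.get("working.txt", ""))
    report = dict.fromkeys(pending, "pending: no ping reply yet")
    for host, labels in kind.items():
        report[host] = "skipped: " + "/".join(sorted(labels))
    for host in attempted_hosts(files.get("local.log", "")):
        labels = kind.get(host, {"unclassified"})
        if labels <= set(in_scope):
            # ADDUSERS output goes to nul, so the entry proves an attempt only.
            report[host] = "attempted: verify group membership on host"
        else:
            report[host] = "OUT OF SCOPE: " + "/".join(sorted(labels))
    return report


# Constructed sample file contents, not taken from a real run.
SAMPLE = {
    "local.log": "*** \\\\WKS01 ***\n*** \\\\SRV01 ***\n*** \\\\WKS01 ***\n",
    "wks.txt": "WKS01 \n", "server.txt": "SRV01 \n", "dc.txt": "DC01 \n",
    "undetermined.txt": "OLD01 \n", "working.txt": "WKS09 \n"}

if __name__ == "__main__":
    for host, finding in sorted(reconcile(SAMPLE).items()):
        print(f"{host:8} {finding}")
```

Hosts reported as attempted still need their local Administrators group checked directly, and any OUT OF SCOPE line means the account was pushed to a product type the run was not meant to cover.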

Properties

Article ID: 180546 - Last Review: 02/24/2014 08:32:09 - Revision: 2.2

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Workstation 3.5
  • Microsoft Windows NT Workstation 3.51
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 3.5
  • Microsoft Windows NT Server 3.51
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows 2000 Advanced Server