Domain or server local security groups form the backbone of the permission assignments in my development and production environments. I might grant permissions to individual users in a handful of situations, but generally I follow the best practice of granting permissions to groups, then adding user IDs to those groups. To remove a user's access, I just remove the user's account from the group. Scripting can further simplify management of local groups by letting you quickly enumerate the membership of the groups, add and remove members, and modify group properties.

You can use several local group-related utilities—Local, Findgrp, Cusrmgr, MemberOf, and LG—with your command-shell scripts. Table 1 summarizes what you can use these tools for and where you can find them. The following FAQs will help you identify the best tool for specific situations. These FAQs include five handy scripts to demonstrate how to use the tools. The sample scripts don't use every feature of these tools, so you'll want to check each tool's online Help to learn more about the tool's capabilities. You can download these scripts, including instructions for customization, from the Windows Scripting Solutions Web site.

The Local, Findgrp, and Cusrmgr tools are part of the Microsoft Windows 2000 Professional Resource Kit and the Microsoft Windows 2000 Server Resource Kit. Microsoft often releases tools from out-of-date resource kits as public-domain software. Unfortunately, the Local, Findgrp, and Cusrmgr tools aren't among those currently in the public domain, so you'll need to obtain a copy of one of the resource kits or keep checking the Microsoft site until these tools become available. The MemberOf and LG tools are available from the Joeware.net Web site.
Get the FAQs
Are the Global and Local tools still useful for group enumeration today? I need a script that will give me the membership of the local Administrators, Backup Operators, and Power Users groups on a list of PCs and servers in my environment. What tool should I use, and how can I log the results to a file?

The Local tool is still useful today, and I use it frequently. I hardly use the Global tool because, like most administrators, I don't use global groups that often anymore. The Global and Local tools came with the resource kits before Win2K. One limitation of the Local tool is that it doesn't work with nested groups, so the Local command alone won't be able to determine the membership of any group that's nested. Sometimes this limitation might be crucial, and sometimes it might not matter. Also, the Local tool is strictly a query tool and can't modify group settings. Nevertheless, this traditional tool is still valuable in certain situations.

Regarding the script you need, you can enumerate group members in several ways. You didn't mention how many machines you're dealing with, so the GetAdministratorsAndOtherKeyGroups.bat script, which Listing 1 shows, demonstrates two different ways you can use the Local tool to check group membership. Callout A in Listing 1 shows the approach to use to check group memberships for a large number of PCs or servers. Callout B in Listing 1 shows the approach to use for a small number of machines.
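The following is an added example of the large-list approach, not Listing 1 or any other script from the article. It reads computer names from a text file (one name per line, lines starting with ; ignored), runs the Local tool against the three key groups on each machine, and appends everything, including error text, to a log file so you can review the results later. The file names and the local <group> \\<computer> invocation are assumptions about the tool's syntax; confirm them against the tool's Help before relying on the script.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not one of the article's listings: report the membership of
rem the Administrators, Backup Operators, and Power Users groups on every
rem computer listed in computers.txt and append the results to a log file.
rem Assumption: local.exe (Win2K Resource Kit) is on the path and is called as
rem   local <group name> \\<computer>
rem Input list (constructed for this example): one computer name per line,
rem lines beginning with ; are treated as comments and skipped.
set "LIST=%~dp0computers.txt"
set "LOG=%~dp0KeyGroups.log"

if not exist "%LIST%" (
    echo Input list %LIST% not found.
    exit /b 1
)

rem Put the redirection first so a trailing digit in the text is never
rem misread as a file-handle number (e.g. "...56>file").
>"%LOG%" echo Local group report started %date% %time%

for /F "usebackq eol=; delims=" %%C in ("%LIST%") do (
    >>"%LOG%" echo.
    >>"%LOG%" echo ===== \\%%C =====
    rem The quotes around each name survive into %%G, which local.exe needs
    rem for group names that contain spaces; %%~G strips them for display.
    for %%G in ("Administrators" "Backup Operators" "Power Users") do (
        >>"%LOG%" echo --- %%~G ---
        rem stderr is merged into the log so unreachable machines and
        rem missing groups show up next to the group they belong to.
        >>"%LOG%" 2>&1 local %%G \\%%C
    )
)

echo Report written to %LOG%
endlocal
```

Because the output of every call lands in one file, you can grep it afterwards (for example with findstr /I "domain\user") to see which machines grant a given account membership in a privileged local group. Remember that the Local tool reports only direct members, so a user who gets in through a nested domain group will not appear in this report.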
I need to modify some local group descriptions. We include the group owner's phone numbers in the group descriptions. When we need to change a phone number, we have to locate all the groups that the user owns and change the phone number manually. I don't want to change the entire comment, because it contains other group information. I think I could save time by using a script to change the phone number, but what tool should I use and how do I use a script to change just the phone number without losing the other data in the comment field?
You can use the LG tool, a local group modification tool from Joeware.net. The LG tool is like the Local tool on steroids. The CommentReplace.bat script, which Listing 2 shows, demonstrates how to use this tool. This script looks for the phone number you specify in the line at callout A in Listing 2. The script uses the Set substitution command to replace the phone number string with the new phone number, as you can see at callout B. Check out the LG tool's online Help menu for more features.
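As an added illustration of the substitution technique the CommentReplace.bat script relies on, the script below (not the article's Listing 2, and not Joeware's code) replaces a phone number inside a group's description while leaving the rest of the comment intact. It reads the current comment with the built-in net localgroup command and writes it back with the /comment: switch, which stands in for the LG tool here because LG's own switches are not shown in the article. The group list file and the sample phone numbers are constructed for the example.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not the article's CommentReplace.bat: replace one phone
rem number inside each listed group's comment, keeping the rest of the text.
rem Uses the built-in "net localgroup" where the article uses lg.exe.
rem Usage (constructed example): CommentReplace.cmd groups.txt 555-0100 555-0199
rem groups.txt holds one local group name per line.
if "%~3"=="" (
    echo Usage: %~nx0 groupfile oldphone newphone
    exit /b 1
)
set "GROUPFILE=%~1"
set "OLD=%~2"
set "NEW=%~3"

for /F "usebackq delims=" %%G in ("%GROUPFILE%") do (
    set "COMMENT="
    rem "net localgroup <group>" prints a line that starts with "Comment";
    rem everything after the first token is the current description.
    for /F "tokens=1,*" %%A in ('net localgroup "%%G" ^| findstr /B /L /C:"Comment"') do set "COMMENT=%%B"

    if not defined COMMENT (
        echo [skip] "%%G": no comment found or group does not exist
    ) else (
        rem Delayed-expansion substitution: !var:old=new! swaps only the
        rem matching substring, so the rest of the comment is preserved.
        set "UPDATED=!COMMENT:%OLD%=%NEW%!"
        if "!UPDATED!"=="!COMMENT!" (
            echo [skip] "%%G": %OLD% not present in "!COMMENT!"
        ) else (
            net localgroup "%%G" /comment:"!UPDATED!" >nul && echo [ok]   "%%G": "!UPDATED!"
        )
    )
)
endlocal
```

Printing the skip lines matters as much as the updates: a group whose comment no longer contains the old number is the one whose description was probably edited by hand and deserves a look. One caveat of this approach is that delayed expansion treats an exclamation mark in a comment as a variable delimiter, so descriptions containing "!" need a different parsing strategy.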
I'd like to write a simple script that will let our Help desk technicians review or compare user group memberships when users call with permission problems. What utility should my script use, and is there a way to make the script friendly for scripting-illiterate users?
Traditionally, the Findgrp command would be the obvious tool for retrieving a user's group memberships. Like the Local tool, the Findgrp tool was written before Win2K and nested groups became available, so it lists only direct group memberships. But sometimes that's all you need. I'm not sure how much detail you're looking to give your Help desk technicians, so I wrote two scripts. FindUserLocalGroups.bat, which Listing 3 shows, uses the Findgrp tool to retrieve direct group memberships. MemberOf-SorterandCounter.bat, which Listing 4 shows, uses the MemberOf tool from Joeware.net to retrieve both direct and nested group memberships. Both scripts use the Set /P command, which prompts users for input, then assigns the entered input to the specified variable. For example, FindUserLocalGroups.bat displays a prompt that reads Type the domain\UserID and press Enter:, then assigns the entered domain and username to the fgname variable. The Help desk technicians can type or paste the domain and username and get nicely formatted results that can be easily reviewed on screen or copied and pasted into an email message, a document, or a spreadsheet. Both scripts also use the Sort command to alphabetize the group names for easy review.
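Here is an added example of the prompt-and-sort pattern the two scripts use; it is not Listing 3 or Listing 4 and does not use Findgrp or MemberOf. Instead it walks the local groups reported by the built-in net localgroup command and keeps the ones that list the typed account as a direct member, which is the same direct-membership view Findgrp gives. The prompt text is taken from the article; the temporary file name is an assumption.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not the article's FindUserLocalGroups.bat: prompt a Help
rem desk technician for DOMAIN\UserID and list the local groups on this
rem machine that contain that account directly, sorted alphabetically.
rem Uses the built-in net.exe where the article uses findgrp.exe; nested
rem memberships are not resolved (that is what MemberOf is for).
set "fgname="
set /P "fgname=Type the domain\UserID and press Enter: "
if not defined fgname (
    echo No account entered.
    exit /b 1
)

rem Assumed scratch file for the unsorted results.
set "TMP_OUT=%TEMP%\fg_%RANDOM%.txt"
type nul >"%TMP_OUT%"
set /A count=0

rem Group names are the lines that begin with "*" in the net localgroup
rem listing; delims=* strips the asterisk and tokens=* keeps the full name.
for /F "tokens=* delims=*" %%G in ('net localgroup ^| findstr /B /L /C:"*"') do (
    rem /X matches the whole line, so DOMAIN\jsmith does not match
    rem DOMAIN\jsmith2; /L keeps the backslash from being read as an escape.
    net localgroup "%%G" | findstr /I /X /L /C:"%fgname%" >nul && (
        >>"%TMP_OUT%" echo %%G
        set /A count+=1
    )
)

echo.
echo %fgname% is a direct member of !count! local group(s):
sort "%TMP_OUT%"
del "%TMP_OUT%" >nul 2>&1
endlocal
```

The count line gives the technician a quick sanity check when comparing two users (a user with permission problems who is in zero groups is a different case from one who is in the wrong groups), and the sorted list pastes cleanly into an email or spreadsheet. Because the membership check is an exact, case-insensitive line match, the technician must type the account exactly as the group lists it, including the domain prefix for domain accounts.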
Our company reorganized, and we need to change the names of the domain local groups. I'm afraid that trying to do this manually in the GUI will take time and introduce errors. How can I script these changes?
Before the Cusrmgr tool became available, you'd have had a difficult time making these changes through a script, but now it's pretty simple. I've written the ChangeLocalGroupNames.bat script, which Listing 5 shows, to help you change the group names. You'll need to create a comma-separated value (CSV) input list with the old group name first and the new group name second. Because you're making wholesale changes, you'll want to thoroughly verify the accuracy of the input list and test a few groups before running the script against the entire group list. I added a log file, so you can see successes and errors for each name-change operation. The Cusrmgr tool can also perform many other group modification functions as well as reset passwords.
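The script below is an added example of the CSV-driven rename with a log, not the article's ChangeLocalGroupNames.bat. It adds the verification step the answer recommends: a /check mode that validates every line of the input list (old group exists, new name is free, line is well formed) without renaming anything, so you can test the list before the real run. Because Cusrmgr's switches are not shown in the article, the rename itself is done through the Win32_Group Rename method via wmic.exe; that substitution and the log file name are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not the article's ChangeLocalGroupNames.bat: rename local
rem groups from a CSV of "OldName,NewName" lines and log each result.
rem Assumption: renames use WMI's Win32_Group.Rename through wmic.exe rather
rem than cusrmgr.exe. Pass /check as the second argument to validate the
rem list without changing anything.
rem Usage (constructed example): ChangeLocalGroupNames.cmd renames.csv [/check]
if "%~1"=="" (
    echo Usage: %~nx0 renames.csv [/check]
    exit /b 1
)
set "CSV=%~1"
set "LOG=%~dpn1.log"
set "MODE=%~2"
>"%LOG%" echo Rename run started %date% %time% mode=%MODE%

for /F "usebackq tokens=1,2 delims=," %%A in ("%CSV%") do (
    set "OLDNAME=%%~A"
    set "NEWNAME=%%~B"
    set "STATUS="

    if not defined NEWNAME set "STATUS=ERROR malformed line for "!OLDNAME!""
    rem net localgroup exits 0 only when the group exists on this machine,
    rem which gives a cheap existence test for both names.
    if not defined STATUS (net localgroup "!OLDNAME!" >nul 2>&1 || set "STATUS=ERROR old group "!OLDNAME!" not found")
    if not defined STATUS (net localgroup "!NEWNAME!" >nul 2>&1 && set "STATUS=ERROR new name "!NEWNAME!" already exists")
    if not defined STATUS if /I "!MODE!"=="/check" set "STATUS=OK "!OLDNAME!" -^> "!NEWNAME!" (check only)"

    if not defined STATUS (
        rem wmic reports "ReturnValue = 0;" when the rename succeeded.
        wmic group where "LocalAccount=TRUE and Name='!OLDNAME!'" call Rename Name="!NEWNAME!" 2>&1 | findstr /C:"ReturnValue = 0" >nul && (
            set "STATUS=OK renamed "!OLDNAME!" to "!NEWNAME!""
        ) || set "STATUS=ERROR rename failed for "!OLDNAME!""
    )

    echo !STATUS!
    >>"%LOG%" echo !STATUS!
)

echo Log written to %LOG%
endlocal
```

Run it once with /check and read the log: every line should say OK before you run it for real, and an unexpected "already exists" result usually means the CSV has a duplicate or a name collision that the GUI would have let you discover only one group at a time. Group names containing a comma or an exclamation mark will need the delimiter or the expansion mode changed.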
Time for a Test Run
Now that you have the FAQs, give the five scripts a try. I tested them on machines running Windows XP Service Pack 2 (SP2). Always test your scripts in a nonproduction environment before rolling them out to production. These scripts and the local group tools they use can save you time in retrieving and modifying local group and user membership information, no matter how large or small your environment is.
khdba, July 27, 2006