Domain or server local security groups form the backbone of the permission assignments in my development and production environments. I might grant permissions to individual users in a handful of situations, but generally I follow the best practice of granting permissions to groups, then adding user IDs to those groups. To remove a user's access, I just remove the user's account from the group. Scripting can further simplify management of local groups by letting you quickly enumerate the membership of the groups, add and remove members, and modify group properties.
You can use several local group-related utilities—Local, Findgrp, Cusrmgr, MemberOf, and LG—with your command-shell scripts. Table 1 summarizes what you can use these tools for and where you can find them. The following FAQs will help you identify the best tool for specific situations. These FAQs include five handy scripts to demonstrate how to use the tools. The sample scripts don't use every feature of these tools, so you'll want to check each tool's online Help to learn more about the tool's capabilities. You can download these scripts, including instructions for customization, from the Windows Scripting Solutions Web site.
The Local, Findgrp, and Cusrmgr tools are part of the Microsoft Windows 2000 Professional Resource Kit and the Microsoft Windows 2000 Server Resource Kit. Microsoft often releases tools from out-of-date resource kits as public-domain software. Unfortunately, the Local, Findgrp, and Cusrmgr tools aren't among those currently in the public domain, so you'll need to obtain a copy of one of the resource kits or keep checking the Microsoft site until these tools become available. The MemberOf and LG tools are available from the Joeware.net Web site.
Get the FAQs
Are the Global and Local tools still useful for group enumeration today? I need a script that will give me the membership of the local Administrators, Backup Operators, and Power Users groups on a list of PCs and servers in my environment. What tool should I use, and how can I log the results to a file?
The Local tool is still useful today, and I use it frequently. I hardly use the Global tool because, like most administrators, I don't use global groups that often anymore. The Global and Local tools came with the resource kits before Win2K. One limitation of the Local tool is that it doesn't work with nested groups, so the Local command alone won't be able to determine the membership of any group that's nested. Sometimes this limitation might be crucial, and sometimes it might not matter. Also, the Local tool is strictly a query tool and can't modify group settings. Nevertheless, this traditional tool is still valuable in certain situations.
Regarding the script you need, you can enumerate group members in several ways. You didn't mention how many machines you're dealing with, so the GetAdministratorsAndOtherKeyGroups.bat script, which Listing 1 shows, demonstrates two different ways you can use the Local tool to check group membership. Callout A in Listing 1 shows the approach to use to check group memberships for a large number of PCs or servers. Callout B in Listing 1 shows the approach to use for a small number of machines.
I need to modify some local group descriptions. We include the group owner's phone numbers in the group descriptions. When we need to change a phone number, we have to locate all the groups that the user owns and change the phone number manually. I don't want to change the entire comment, because it contains other group information. I think I could save time by using a script to change the phone number, but what tool should I use and how do I use a script to change just the phone number without losing the other data in the comment field?
You can use the LG tool, a local group modification tool from Joeware.net. The LG tool is like the Local tool on steroids. The CommentReplace.bat script, which Listing 2 shows, demonstrates how to use this tool. This script looks for the phone number you specify in the line at callout A in Listing 2. The script uses the Set substitution command to replace the phone number string with the new phone number, as you can see at callout B. Check out the LG tool's online Help menu for more features.
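The same Set substitution technique, shown here as an added example rather than Listing 2 from the article: the script reads a constructed group list file, replaces only the old phone number inside each comment, skips groups whose comment doesn't contain it, and logs every outcome. Because the LG tool's switches aren't shown above, the example reads and writes the comment with the built-in Net Localgroup command instead (an assumption, not the article's method).

```batch
@echo off
setlocal EnableDelayedExpansion
rem ReplacePhoneInComments.bat (added example, not one of the article's listings)
rem Usage: ReplacePhoneInComments.bat groups.txt 555-1234 555-9876
rem groups.txt is a constructed input file with one local group name per line.
rem Assumption: NET LOCALGROUP stands in for the LG tool to read/write the comment.
if "%~3"=="" (
    echo Usage: %~nx0 groupListFile oldPhone newPhone
    exit /b 1
)
set "listFile=%~1"
set "oldPhone=%~2"
set "newPhone=%~3"
set "logFile=%~dpn0.log"

for /f "usebackq delims=" %%G in ("%listFile%") do (
    set "comment="
    rem NET LOCALGROUP prints a line "Comment   <text>"; keep the text after the label.
    for /f "tokens=1,* delims= " %%A in ('net localgroup "%%G" 2^>nul ^| findstr /b /c:"Comment"') do set "comment=%%B"
    if not defined comment (
        echo %%G: group not found or comment is empty>>"%logFile%"
    ) else (
        rem Set substitution: every occurrence of oldPhone becomes newPhone,
        rem and the rest of the comment text is left untouched.
        set "newComment=!comment:%oldPhone%=%newPhone%!"
        if "!newComment!"=="!comment!" (
            echo %%G: old phone number not present, skipped>>"%logFile%"
        ) else (
            net localgroup "%%G" /comment:"!newComment!" >nul 2>&1 && (
                echo %%G: changed "!comment!" to "!newComment!">>"%logFile%"
            ) || (
                echo %%G: ERROR writing new comment>>"%logFile%"
            )
        )
    )
)
type "%logFile%"
endlocal
```

Review the log before trusting the result: a group reported as skipped means its comment held a different number than the one you expected, which is worth a manual look.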
I'd like to write a simple script that will let our Help desk technicians review or compare user group memberships when users call with permission problems. What utility should my script use, and is there a way to make the script friendly for scripting-illiterate users?
Traditionally, the Findgrp command would be the obvious tool for retrieving a user's group memberships. Like the Local tool, the Findgrp tool was written before Win2K and nested groups became available, so it lists only direct group memberships. But sometimes that's all you need. I'm not sure how much detail you're looking to give your Help desk technicians, so I wrote two scripts. FindUserLocalGroups.bat, which Listing 3 shows, uses the Findgrp tool to retrieve direct group memberships. MemberOf-SorterandCounter.bat, which Listing 4 shows, uses the MemberOf tool from Joeware.net to retrieve both direct and nested group memberships. Both scripts use the Set /P command, which prompts users for input, then assigns the entered input to the specified variable. For example, FindUserLocalGroups.bat displays a prompt that reads Type the domain\UserID and press Enter:, then assigns the entered domain and username to the fgname variable. The Help desk technicians can type or paste the domain and username and get nicely formatted results that can be easily reviewed on screen or copied and pasted into an email message, a document, or a spreadsheet. Both scripts also use the Sort command to alphabetize the group names for easy review.
Our company reorganized, and we need to change the names of the domain local groups. I'm afraid that trying to do this manually in the GUI will take time and introduce errors. How can I script these changes?
Before the Cusrmgr tool became available, you'd have had a difficult time making these changes through a script, but now it's pretty simple. I've written the ChangeLocalGroupNames.bat script, which Listing 5 shows, to help you change the group names. You'll need to create a comma-separated value (CSV) input list with the old group name first and the new group name second. Because you're making wholesale changes, you'll want to thoroughly verify the accuracy of the input list and test a few groups before running the script against the entire group list. I added a log file, so you can see successes and errors for each name-change operation. The Cusrmgr tool can also perform many other group modification functions as well as reset passwords.
Time for a Test Run
Now that you have the FAQs, give the five scripts a try. I tested them on machines running Windows XP Service Pack 2 (SP2). Always test your scripts in a nonproduction environment before rolling them out to production. These scripts and the local group tools they use can save you time in retrieving and modifying local group and user membership information, no matter how large or small your environment is.