Submitted By: Alan Mosley

Removes all domain users from the Local Administrators group on a computer, then adds those users to the Power Users group on that same machine.

' Removes domain users from the local Administrators group and adds them to the local Power Users group
' on all computers in Active Directory

' By Alan Mosley
' 21 August 2007

'The statement 
' computer <> "DC1" AND computer <> "DC2" 
'excludes computers DC1 and DC2 from being affected

'The statement 
' wUser.Name <> "Administrator"
'excludes the Domain Administrator from being removed

'change the netbios and ldap domain strings 
' netbios = "fabrikam"
' ldapDomain = "LDAP://dc=fabrikam,dc=com"

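' Moves domain user accounts out of the local Administrators group and into
' the local Power Users group on every computer object found under ldapDomain.
'
' Review notes:
'  * On a domain controller the "local" Administrators group is the domain's
'    built-in Administrators group, so every DC must be excluded. The
'    exclusion below is by name only (DC1, DC2) and must be kept in step with
'    the real list of domain controllers.
'  * Power Users is itself a privileged group on older Windows releases, so
'    this is a reduction in privilege, not a drop to a standard user.
'  * Errors are still non-fatal (one unreachable computer must not stop the
'    run), but Err is cleared and checked around each operation so that a
'    failed bind can never leave a group object from the PREVIOUS computer in
'    use, and a failure on one member no longer causes the next one to be
'    skipped.
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

netbios = "fabrikam"
ldapDomain = "LDAP://dc=fabrikam,dc=com"

' --- Query Active Directory for all computer objects ---
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
    "Select Name, Location from '"& ldapDomain &"' " _
        & "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute

' Err still holds any failure from the connection/query setup above.
If Err.Number <> 0 Then
    WScript.Echo "Directory query failed: " & Err.Description
    WScript.Quit 1
End If

' --- Copy the computer names out of the recordset ---
Dim computers()
Dim computerCount: computerCount = 0

Do Until objRecordSet.EOF
    ReDim Preserve computers(computerCount)
    computers(computerCount) = objRecordSet.Fields("Name").Value
    computerCount = computerCount + 1
    objRecordSet.MoveNext
Loop
objConnection.Close

' --- Process each computer, skipping the named domain controllers ---
' An index loop is used so that an empty result set simply does nothing.
Dim idx, computerName
For idx = 0 To computerCount - 1
    computerName = computers(idx)
    ' Case-insensitive so "dc1" and "DC1" are both excluded.
    If StrComp(computerName, "DC1", vbTextCompare) <> 0 _
       And StrComp(computerName, "DC2", vbTextCompare) <> 0 Then
        MoveDomainAdminsToPowerUsers computerName
    End If
Next

' Removes domain user accounts (except the domain Administrator) from the
' local Administrators group of `computer` and adds them to its Power Users
' group. Failures are echoed and the routine carries on with the next member.
Sub MoveDomainAdminsToPowerUsers(computer)
    On Error Resume Next
    Dim aGroup, puGroup, aMember, wUser
    Dim memberClass, memberName, memberPath, domainPath
    Dim targets(), targetCount, i, failure

    ' Bind this computer's Administrators group; never fall back to a stale object.
    Set aGroup = Nothing
    Err.Clear
    Set aGroup = GetObject("WinNT://" & computer & "/Administrators")
    If Err.Number <> 0 Then
        WScript.Echo computer & ": cannot bind Administrators group: " & Err.Description
        Err.Clear
        Exit Sub
    End If

    ' Bind this computer's Power Users group. If that fails the add is skipped
    ' for this computer; removal from Administrators is still attempted.
    Set puGroup = Nothing
    Err.Clear
    Set puGroup = GetObject("WinNT://" & computer & "/Power Users")
    If Err.Number <> 0 Then
        WScript.Echo computer & ": cannot bind Power Users group: " & Err.Description
        Set puGroup = Nothing
        Err.Clear
    End If

    ' Pass 1: collect the members to move. The group is not modified while it
    ' is being enumerated.
    targetCount = 0
    For Each aMember In aGroup.Members
        Err.Clear
        memberClass = aMember.Class
        memberName = aMember.Name
        memberPath = aMember.ADsPath
        If Err.Number = 0 Then
            If memberClass = "User" Then
                ' The WinNT provider reports a domain account as
                ' WinNT://<domain>/<name>; a local account's path also carries
                ' the computer name. Matching on the path keeps a LOCAL account
                ' from being mistaken for a domain account of the same name.
                domainPath = "WinNT://" & netbios & "/" & memberName
                If StrComp(memberPath, domainPath, vbTextCompare) = 0 _
                   And StrComp(memberName, "Administrator", vbTextCompare) <> 0 Then
                    ReDim Preserve targets(targetCount)
                    targets(targetCount) = memberName
                    targetCount = targetCount + 1
                End If
            End If
        End If
    Next
    Err.Clear

    ' Pass 2: add to Power Users, then remove from Administrators.
    For i = 0 To targetCount - 1
        Set wUser = Nothing
        Err.Clear
        Set wUser = GetObject("WinNT://" & netbios & "/" & targets(i) & ",user")
        If Err.Number = 0 Then
            WScript.Echo wUser.Name
            WScript.Echo wUser.ADsPath

            If Not puGroup Is Nothing Then
                Err.Clear
                puGroup.Add wUser.ADsPath
                If Err.Number <> 0 Then
                    failure = Err.Description
                    WScript.Echo computer & ": add to Power Users failed for " & targets(i) & ": " & failure
                End If
            End If

            Err.Clear
            aGroup.Remove wUser.ADsPath
            If Err.Number <> 0 Then
                failure = Err.Description
                WScript.Echo computer & ": remove from Administrators failed for " & targets(i) & ": " & failure
            End If
        Else
            failure = Err.Description
            WScript.Echo computer & ": cannot bind domain user " & targets(i) & ": " & failure
        End If
        Err.Clear
    Next
End Sub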