Assumptions: You have the "Group Policy Management" interface installed. You are going to create a new Group Policy Object for this code.
Some information: This process will actually work in a 2008 domain; however, 2008 domains have the ability to manage the local administrators group built in, so you don't have to use a script. Depending on how you have your group policies set to kick off and how you have the machines set up to scan (I am using Group Policy to scan with lsclient), you might need to reboot twice for this process to work (I have to reboot twice on some machines, but not others; it depends on which script kicks off first).
Script: This is a script I made with a lot of information from Microsoft's "Hey, Scripting Guy!" pages. The script will be in the Code block. Save this with a .vbs extension. You must update 2 lines based on your environment, lines 9 and 11 (your domain and username; and yes, I know I could detect the domain name in some environments, but not mine). As with any script, make sure you test it before you use it. I will not be held responsible for anything negative this script does (gotta have a little disclaimer). It is a very simple script that attaches to a machine, checks to see if the user is in the local administrators group and adds them if they are not.
```vbscript
'--------------------
'The script will check to see if a group is part of the local
'administrators group and if it is not, add it.
'--------------------

Set WshShell = CreateObject("WScript.Shell")
strLocalCompName = WshShell.ExpandEnvironmentStrings("%computername%")
'Define domain name here
strDomainName = "<--ENTER DOMAIN NAME HERE-->"
'Define username here
strUser = "<--ENTER USER NAME HERE-->"
'Full WinNT path of the account we want in the group
strTarget = "WinNT://" & strDomainName & "/" & strUser
strStatus = "Not Found"

'Attach to the local Administrators group
Set objGroup = GetObject("WinNT://" & strLocalCompName & "/Administrators")

'Loop through all objects in the group
For Each objUser In objGroup.Members
    'Check to see if the object is the one we want to add.
    'Compare the whole path (case-insensitive) so that an account such as
    '"user2" is not mistaken for "user", which a substring match would do.
    If StrComp(objUser.ADsPath, strTarget, vbTextCompare) = 0 Then
        strStatus = "Found"
        Exit For
    End If
Next

'Was the account found? If not, add it
If strStatus <> "Found" Then
    objGroup.Add strTarget
End If
```
Group Policy Setup:
1. Open "Group Policy Management".
2. Right-click on the OU you want to create the GP on, choose "Create and Link a GPO Here..."
3. Give it a name
4. Right-Click on the new policy and choose "Edit..."
5. Expand "Computer Configuration" --> "Windows Settings" --> Select Scripts
6. Right Click Startup, choose Properties
7. Click the "Show Files..." button near the bottom of the page
8. Save the VBS script to this location (you don't HAVE to save it here, but it needs to be somewhere where the computer account can access)
9. Go back to the Startup Properties window, Click "Add..."
10. Browse to, or type in the path name of the file (if you saved it to the spot opened in 7 and 8, you can just type in the script name; the full path probably won't appear if you browse to it anyway)
11. Exit out of all of the open windows by clicking Apply or OK (or both) so that what you did is saved
12. Close the Group Policy and Group Policy Management Screen
13. *If you have more than 1 domain controller* Wait for Replication to kick off
14. Test
Again - I have the lsclient.exe executing via a script in another group policy. Depending on which one kicks off first, it may require 2 reboots. Or if you don't want to reboot, you can try to force the computer policies to re-execute (see the "GPUpdate" command).
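For step 14 ("Test"), one way to confirm the result on a target machine is to list the local Administrators group and check for the account. This is an added example, not part of the original script; the file name CheckLocalAdmins.vbs is hypothetical, and the domain and user placeholders must be filled in as in the script above.

```vbscript
'Added example: verify that the startup script added the account.
'Run with: cscript //nologo CheckLocalAdmins.vbs  (hypothetical file name)
Option Explicit

Dim strDomainName, strUser, strTarget, strLocalCompName
Dim WshShell, objGroup, objMember, blnFound, intOther

'Same placeholders as the startup script
strDomainName = "<--ENTER DOMAIN NAME HERE-->"
strUser = "<--ENTER USER NAME HERE-->"
strTarget = "WinNT://" & strDomainName & "/" & strUser

Set WshShell = CreateObject("WScript.Shell")
strLocalCompName = WshShell.ExpandEnvironmentStrings("%computername%")
Set objGroup = GetObject("WinNT://" & strLocalCompName & "/Administrators,group")

blnFound = False
intOther = 0
For Each objMember In objGroup.Members
    'Whole-path, case-insensitive comparison, as in the startup script
    If StrComp(objMember.ADsPath, strTarget, vbTextCompare) = 0 Then
        blnFound = True
        WScript.Echo "[expected] " & objMember.ADsPath
    Else
        'Every other member is printed so the full membership can be reviewed
        intOther = intOther + 1
        WScript.Echo "[other]    " & objMember.ADsPath & " (" & objMember.Class & ")"
    End If
Next

WScript.Echo intOther & " other member(s) listed above; review any you do not recognise."

'Exit code 0 = account present, 1 = account missing
If blnFound Then
    WScript.Echo "OK: " & strTarget & " is a local administrator on " & strLocalCompName
    WScript.Quit 0
Else
    WScript.Echo "MISSING: " & strTarget & " was not added on " & strLocalCompName
    WScript.Quit 1
End If
```

If the account is reported missing, the startup policy has probably not run on that machine yet.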