I'm trying to validate if a user is a member of the local administrators group or a member of the local usr_dba group; if not, I would like to add it.
This is the action script I have so far, but it's not working:
if exist “Domain\user” of local group “administrators” or exist “Domain\user” of local group “usr_dba” then go to next step ELSE
wait net localgroup administrators Domain\user /add
wait net localgroup usr_dba Domain\user /add
I’d suggest you read up on the BigFix Action Guide, it provides a lot of examples on how to get started. You might also look through the examples at bigfix.me. I say this because the structure of your question implies you don’t yet understand the basic structure of an Action Script or of Relevance Substitution.
If you’re building this to only deal with one particular domain user who needs to be in the local groups, you can do something like
if {not exists sids whose (it as string as lowercase = "domain\username") of members of local group "administrators"}
waithidden net localgroup administrators domain\username /add
endif
if {not exists sids whose (it as string as lowercase = "domain\username") of members of local group "usr_dba"}
waithidden net localgroup usr_dba domain\username /add
endif
You’ll want to do error checking to ensure the “usr_dba” group does in fact exist on the client. I’ve also run into issues with the “net localgroup” command when adding members whose name is longer than 15 characters; so in general I build a VBScript that uses WMI to manipulate the local groups rather than the “net localgroup” command, but that may not be a problem for you.
You can get local group members with the simpler lookup
members of local group "administrators"
but I prefer to retrieve
sids of members of local group "administrators"
because I’m usually also interested in cases where a Domain User was a member of the local group, but the Domain User has since been deleted, leaving an unresolvable SID as a member of the local group. If I recall correctly the “members” default return string is empty in that case, while the “sids of members” returns a string name if possible or the SID component string (S-1-5-xxx) if the name is not resolvable.
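The checks suggested in the answer above, folded into one action script as an added example (not code from either poster). It skips usr_dba when that group is missing on the client, adds the account only when it is absent from the group's SIDs, and stops the action as failed if the account is still not a member afterwards. The parameter name "account" and the value domain\username are placeholders.

```bigfix
// Added example; "account" and domain\username are placeholders.
// The value is kept lowercase because the membership test compares lowercase strings.
parameter "account" = "domain\username"

// Local administrators: add only when the account is not already listed.
if {not exists sids whose (it as string as lowercase = (parameter "account" as lowercase)) of members of local group "administrators"}
waithidden net localgroup administrators {parameter "account"} /add
// Re-read the group so the action fails instead of reporting success on an unchanged group.
continue if {exists sids whose (it as string as lowercase = (parameter "account" as lowercase)) of members of local group "administrators"}
endif

// usr_dba: this group may not exist on every client, so test for it first.
if {exists local group "usr_dba"}
if {not exists sids whose (it as string as lowercase = (parameter "account" as lowercase)) of members of local group "usr_dba"}
waithidden net localgroup usr_dba {parameter "account"} /add
continue if {exists sids whose (it as string as lowercase = (parameter "account" as lowercase)) of members of local group "usr_dba"}
endif
endif
```

Because each add is followed by a membership re-check, a client where the add did not take effect reports the action as failed rather than completed, which makes unintended gaps in privileged group membership visible in the console.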
Thank you so much JasonWalker for your help. I will test it out.