If you plan to rebuild domain controllers (DCs) from scratch or migrate from Windows NT 4.0 SAM domains to Windows Server 2003 Active Directory (AD) domains, you can easily set group permissions by creating local groups, setting their permissions, then placing your global groups inside the local groups. (Global groups can go into local groups but not vice versa.) As soon as you add the global groups to the local groups, the global groups inherit the appropriate permission set.
However, creating local groups from the GUI is clumsy, time-consuming, and prone to typographical errors. So, I decided to automate the group creation process. I first looked into using the Net Localgroup command, which lets you create local groups from the command line rather than the GUI. However, although this command works well for creating groups on one local computer, it's not too useful for automating group creation on multiple remote computers. In addition, you can't create group or user accounts before adding them to the new local group. Rather than try to work around the Net Localgroup command's limitations, I decided to write a script.
The result is NewLocalGroup.vbs, a fully commented script that you can download from the Windows Scripting Solutions Web site. Go to http://www.winnetmag.com/windowsscripting, enter InstantDoc ID 41833 in the InstantDoc ID box, then click Download the Code. You can run this script on computers running any NT-based OS (NT 4.0 through Windows 2003) with Active Directory Service Interfaces (ADSI), Windows Script Host (WSH) 5.6, and Windows Management Instrumentation (WMI) installed. Remote computers have the same requirements.
NewLocalGroup.vbs performs the following tasks:
- connects to the target computer
- enumerates the local groups to see whether a group with that name already exists
- creates the local group
- adds the global group to the new local group
- reports the results
However, before the script can perform these tasks, it needs certain information.