Re: Use the "Managed By" field in AD to set as local Admin

Subject: Re: Use the "Managed By" field in AD to set as local Admin
Posted by: Richard Mueller [MVP]
Date: Tue, 12 May 2009

"ErikW" <Eri…> wrote in message
> Hi,
> How can I use the "managed by" field in AD to set the user entered there as
> local admin on the XP client? We are currently doing it on our "old"
> domain, but no one knows how it was done. I appreciate any help on this
> issue.

Assuming you mean computer objects, I guess you could code a script to read
the managedBy attribute, then add that user to the local Administrators
group (assuming you want that user to be admin on only that computer). For
one computer a VBScript program that runs on the computer could be similar
to (not tested):

Option Explicit

Dim objSysInfo, strComputerDN, objComputer, strManagerDN, objAdmGroup
Dim objNetwork, strComputer, objManager, strManagerPath

' NetBIOS name of the computer this script runs on (used for the WinNT bind).
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' ADSystemInfo returns the distinguished name of the local computer object.
Set objSysInfo = CreateObject("ADSystemInfo")
strComputerDN = objSysInfo.ComputerName

Set objComputer = GetObject("LDAP://" & strComputerDN)

' With the LDAP provider, reading an attribute that has no value raises an
' error rather than returning Empty, so trap it and treat it as "".
On Error Resume Next
strManagerDN = objComputer.managedBy & ""
On Error GoTo 0

If (strManagerDN <> "") Then
    Set objManager = GetObject("LDAP://" & strManagerDN)
    ' Bind to the local Administrators group through the WinNT provider.
    Set objAdmGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
    ' IsMember/Add on a WinNT group expect a WinNT path, not an LDAP DN,
    ' so build WinNT://<NetBIOS domain>/<sAMAccountName> for the manager.
    strManagerPath = "WinNT://" & objSysInfo.DomainShortName & "/" & objManager.sAMAccountName
    If (objAdmGroup.IsMember(strManagerPath) = False) Then
        objAdmGroup.Add(strManagerPath)
    End If
End If

I suppose you could use ADO in a VBScript program to retrieve the DN of all
computer objects in the domain, then check that the user object referenced
by the managedBy attribute is a member of the local Administrators group on
each computer. This could be done once in bulk if all computers are
authenticated to the domain. Otherwise, a logon or startup script would be
alternatives, although you then have no control over when the update
happens, you should code the script to run once, and most users would lack
permissions to add members to the local Administrators group. It would be
best to do this yourself remotely as a member of Domain Admins.

If a script using ADO to handle this for all computers in bulk interests
you, reply for more. Or, figure it out yourself using the information at
this link:

The ADO query would retrieve the values of the distinguishedName,
sAMAccountName, and managedBy attributes of all computers where managedBy is
not missing. Then for each row in the resulting recordset, the script would
bind to the local Administrators group on the computer, similar to above.
The value of the sAMAccountName attribute of computer objects is the NetBIOS
name of the computer with a trailing "$" appended to the end. You would
strip off the trailing "$" to get the NetBIOS name (strComputer in the code
snippet above).

Richard Mueller
MVP Directory Services
Hilltop Lab -
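The bulk procedure sketched above (query all computers with managedBy set, strip the trailing "$" from sAMAccountName, bind to each machine's local Administrators group, add the manager if missing), worked through as an added PowerShell example. This is not code from the original post or from the Hilltop Lab site; it uses the built-in [adsisearcher] and [ADSI] accelerators in place of ADO, and it assumes it is run from a domain-joined machine as an account that is already a local administrator on the targets (a Domain Admin, as suggested above). Parameter name, warning text and the reachability check are this example's own choices. One caveat worth keeping in mind with this design: whoever can write the managedBy attribute of a computer object can make any account a local administrator on that computer, so the ACL on that attribute becomes part of the machine's security boundary.

```powershell
<#
  Added example (not from the original post): bulk version of the approach
  described above. Finds every computer whose managedBy is set and makes the
  referenced account a member of that computer's local Administrators group.
  Assumes: run from a domain-joined host as an account that is local admin on
  the targets. Supports -WhatIf so computer/manager pairs can be reviewed first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # LDAP search base, e.g. "OU=Workstations,DC=corp,DC=example" (assumed
    # name for illustration); defaults to the domain root.
    [string]$SearchBase
)

$rootDse = [ADSI]"LDAP://RootDSE"
if (-not $SearchBase) { $SearchBase = [string]$rootDse.defaultNamingContext }

# Same filter as the ADO query in the post: computers where managedBy is present.
$searcher = [adsisearcher]"(&(objectCategory=computer)(managedBy=*))"
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'managedBy'))

foreach ($result in $searcher.FindAll()) {
    # A computer's sAMAccountName is its NetBIOS name with a trailing "$".
    $computer  = [string]$result.Properties['samaccountname'][0] -replace '\$$', ''
    $managerDn = [string]$result.Properties['managedby'][0]

    # managedBy is a bare DN and may point at a user, a group, or a contact.
    # Translate it via objectSid to DOMAIN\name, which the WinNT provider can
    # resolve; this also works when the manager lives in another domain.
    $manager  = [ADSI]"LDAP://$managerDn"
    $sidBytes = $manager.objectSid.Value
    if (-not $sidBytes) {
        Write-Warning "$computer : managedBy '$managerDn' has no objectSid (contact?), skipping"
        continue
    }
    $sid         = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    $ntAccount   = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\name
    $managerPath = 'WinNT://' + ($ntAccount -replace '\\', '/')

    # The WinNT bind fails only when the group is touched, so check reachability first.
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer : not reachable, skipping"
        continue
    }

    try {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        if ($group.IsMember($managerPath)) {
            Write-Verbose "$computer : $ntAccount is already a member"
            continue
        }
        if ($PSCmdlet.ShouldProcess($computer, "Add $ntAccount to local Administrators")) {
            $group.Add($managerPath)
            Write-Output "$computer : added $ntAccount"
        }
    }
    catch {
        Write-Warning "$computer : $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf to list the computer/manager pairs it would change, then without it to apply them; machines that are offline are skipped and reported, so the script can simply be rerun later to catch them.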



In response to

Use the "Managed By" field in AD to set as local Admin posted by ErikW on Tue, 12 May 2009