Rem: Authentication Problems with ADSI Provider

Your article "Rem: Adding the Currently Logged On User to the Administrators Group," May 2002, InstantDoc ID 24595, pertains to a problem I've been experiencing. I need a script that lets domain users add themselves to a local Administrators group. In theory, the script should let users perform this task because they have the correct username and password. However, the script that I wrote doesn't work. I can run the script successfully under a local or domain Administrator account, but the script fails when users run it. Do you know what the problem might be?

Microsoft has documented several authentication problems that occur when you use the Microsoft Active Directory Service Interfaces (ADSI) WinNT provider with the IADsOpenDSObject interface's OpenDSObject method. The most common problem occurs when the client has an active connection with the target domain controller (DC) under one set of credentials and a script tries to use OpenDSObject to establish another connection to the same DC under a different set of credentials. For more information about this problem, see the Microsoft article "User Authentication Issues with ADSI WinNT Provider" (http://support.microsoft.com /?kbid=218497). The article provides some workarounds. Alternatively, you can create a script that runs from a central workstation, connects to each client workstation, then adds the appropriate domain user to the local Administrators group.