arden (posted October 3, 2005)

Hi,

My Unattended XP install works fine, and it adds me to my domain alright, but I would like to add 2 users to the process also as administrators on the local machine. These 2 users will be the same all the time (Domain Administrators). As the domain administrator password is already given in order to join the computer to the domain, I shouldn't think it would be that hard to add 2 users, but I'm unsure as to where to start. Any help would be great!

Regards,
arden

RogueSpear (posted October 3, 2005)

You don't add domain users to a computer, you add them to the domain itself. If you want to "add" a domain user to the computer, just log the user in and let the profile create itself from the Default User profile.

If you add a user to the computer, you are adding a local user.

nmX.Memnoch (posted October 3, 2005)

I have something similar to the following in a CMD file that runs as a startup script for all of my workstations.

    :: Add Domain Users to Local Administrators Group
    NET LOCALGROUP Administrators DOMAIN\user1 /ADD
    NET LOCALGROUP Administrators DOMAIN\user2 /ADD

    :: Add Domain Groups to Local Administrators Group
    NET LOCALGROUP Administrators DOMAIN\group1 /ADD
    NET LOCALGROUP Administrators DOMAIN\group2 /ADD

This will automatically add them. It'll also automatically add them back should they get accidentally removed from the group.

arden (posted October 3, 2005)

Hi, thanks for the info, I'll give it a go.

RogueSpear
I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

arden

RogueSpear (posted October 3, 2005)

> RogueSpear
> I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

oops.. lol, now that I read it again it does seem a little more obvious that's what you meant. Sorry bout that.

InTheWayBoy (posted October 3, 2005)

> I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

Eh? You shouldn't have to give them local admin rights to login...

But, if you want to, you might wanna look at Restricted Groups... it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines... and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

RogueSpear (posted October 3, 2005)

Restricted Groups is really a great feature. On the one hand I have the corporate bosses who think if they aren't "Administrators" that someone from IT is usurping their authority, so I use it on an OU dedicated to them to keep them as admins on ONLY their computers. If they log in anywhere else, which is infrequent, they are normal users like everyone else.

On the flip side, there are those who know the Administrative password (not my policy, I'm not the CEO) and they have a habit of making themselves admin on their own machine. Well if they do that, within about a half hour, Restricted Users boots them right down to a normal user again. That's been a life saver on a few occasions.

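Added example, not part of any post in this thread: the startup script above only re-adds accounts, while Restricted Groups also removes ones that should not be there. This PowerShell function reports both kinds of drift in the local Administrators group against an allow-list; the CONTOSO and WKS01 names, the jdoe account and the allow-list itself are constructed assumptions.

```powershell
# Added example (not from the thread). All account names below are constructed.
function Compare-AdminMembership {
    param(
        [string[]]$Actual,   # current members of the local Administrators group
        [string[]]$Allowed   # accounts that are supposed to be members
    )
    # -notin compares case-insensitively, matching how Windows treats account names.
    [pscustomobject]@{
        Unexpected = @($Actual  | Where-Object { $_ -notin $Allowed })
        Missing    = @($Allowed | Where-Object { $_ -notin $Actual })
    }
}

# Intended membership: the built-in defaults plus what the startup script adds.
$allowed = @(
    'WKS01\Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\user1',
    'CONTOSO\user2'
)

# Constructed sample of what one workstation might report.
# On a live machine (Windows PowerShell 5.1 or later) use instead:
#   $actual = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the query also works on localized installs where the group is renamed.
$actual = @(
    'WKS01\Administrator',
    'CONTOSO\Domain Admins',
    'CONTOSO\user1',
    'CONTOSO\jdoe'          # self-promoted account, not on the allow-list
)

$drift = Compare-AdminMembership -Actual $actual -Allowed $allowed
$drift.Unexpected | ForEach-Object { Write-Warning "Not on allow-list: $_" }
$drift.Missing    | ForEach-Object { Write-Output  "Expected but absent: $_" }
```

The function only reports; removal is left to Restricted Groups or a reviewed change, so a wrong allow-list cannot lock administrators out.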
arden (posted October 3, 2005)

> Eh? You shouldn't have to give them local admin rights to login...

I don't have to but it's the way we set up our users' computers, it's all politics as you can guess with the management and IS, I'm just trying to make things a little easier for myself by making the unattended CD.

There are many reasons for not using different groups etc, and this way we find the best for our needs.

Regards,
arden

nmX.Memnoch (posted October 3, 2005)

> But, if you want to, you might wanna look at Restricted Groups... it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines... and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

This is a feature that I WISH I could use. I work on an Air Force installation and they don't give unit FSAs (Functional Systems Administrators) domain admin privs... and we don't get access to edit our own OU GPOs either. We're lucky to even be able to unlock our users' accounts at this point. For this reason I sometimes forget about other settings available for use via GPO.

We do have full admin privs on the servers/workstations we're responsible for though. What I did was use gpedit.msc on one workstation to configure the settings I want... and then copy the .pol files (along with the gpt.ini) during unattended setup. Works like a charm and we automatically get added to the local admin group when the machine is joined to the domain.

RogueSpear (posted October 3, 2005)

You may not have permissions to edit your own OUs, but do you have permission to create a child OU? Just a thought.. it could be a way around.

nmX.Memnoch (posted October 3, 2005)

Nope. No such permissions. They use a tool called Active Directory Resource Assistance from NetIQ to granularize the permissions. We can't even add our own user or computer accounts. We can manage/delete existing accounts... but not create them.