Posted

Hi,

My Unattended XP install works fine, and it adds me to my domain alright, but I would like to add 2 users to the process also as administrators on the local machine.

These 2 users will be the same all the time, (Domain Administrators). As the domain administrator password is already given in order to join the computer to the domain I shouldn't think it would be that hard to add 2 users, but I'm unsure as to where to start. Any help would be great!

Regards,

arden


Posted

You don't add domain users to a computer, you add them to the domain itself. If you want to "add" a domain user to the computer, just log the user in and let the profile create itself from the Default User profile.

If you add a user to the computer, you are adding a local user.

Posted

I have something similar to the following in a CMD file that runs as a startup script for all of my workstations.

:: Add Domain Users to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\user1 /ADD
NET LOCALGROUP Administrators DOMAIN\user2 /ADD

:: Add Domain Groups to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\group1 /ADD
NET LOCALGROUP Administrators DOMAIN\group2 /ADD

This will automatically add them. It'll also automatically add them back should they get accidentally removed from the group.

Posted

Hi, thanks for the info, I'll give it a go.

RogueSpear

I meant adding the users' domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

arden

Posted
RogueSpear

I meant adding the users' domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

:blushing: oops.. lol, now that I read it again it does seem a little more obvious that's what you meant. Sorry bout that.

Posted
I meant adding the users' domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

Eh? You shouldn't have to give them local admin rights to login...

But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

Posted

Restricted Groups is really a great feature. On the one hand I have the corporate bosses who think if they aren't "Administrators" that someone from IT is usurping their authority, so I use it on an OU dedicated to them to keep them as admins on ONLY their computers. If they log in anywhere else, which is infrequent, they are normal users like everyone else.

On the flip side, there are those who know the Administrative password (not my policy, I'm not the CEO) and they have a habit of making themselves admin on their own machine. Well if they do that, within about a half hour, Restricted Users boots them right down to a normal user again. That's been a life saver on a few occasions.
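The add-and-remove behaviour discussed in the posts above can be checked by hand on a single workstation. The following is an added example, not part of any original post: it parses the text printed by `NET LOCALGROUP Administrators` and reports which members fall outside an approved list and which approved members are absent. The sample output is constructed, and the account names and the `APPROVED` list are placeholders.

```python
# Added example: audit local Administrators membership against an approved list.
# SAMPLE_OUTPUT is constructed; every account name here is a placeholder.

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
DOMAIN\\user1
DOMAIN\\jsmith
The command completed successfully.
"""

# Hypothetical approved membership for this machine.
APPROVED = ["Administrator", "DOMAIN\\Domain Admins", "DOMAIN\\user1", "DOMAIN\\user2"]


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            # The member list starts on the line after the dashed rule.
            in_list = text.startswith("-----")
            continue
        if not text or text.lower().startswith("the command completed"):
            break
        members.append(text)
    return members


def membership_drift(current, approved):
    """Compare case-insensitively, since Windows account names ignore case."""
    cur = {m.lower(): m for m in current}
    ok = {m.lower(): m for m in approved}
    unexpected = sorted(cur[k] for k in cur.keys() - ok.keys())
    missing = sorted(ok[k] for k in ok.keys() - cur.keys())
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = membership_drift(parse_members(SAMPLE_OUTPUT), APPROVED)
    for name in unexpected:
        print("member not on approved list:", name)
    for name in missing:
        print("approved member absent:", name)
```

If the command fails (for example with an access-denied error), there is no dashed rule in the output and `parse_members` returns an empty list, so an empty result should be treated as "could not read the group" rather than "group is empty".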

Posted
Eh? You shouldn't have to give them local admin rights to login...

I don't have to but it's the way we set up our users' computers, it's all politics as you can guess with the management and IS, I'm just trying to make things a little easier for myself by making the unattended CD.

There are many reasons for not using different groups etc, and this way we find the best for our needs.

Regards,

arden

Posted
But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

This is a feature that I WISH I could use. I work on an Air Force installation and they don't give unit FSAs (Functional Systems Administrators) domain admin privs...and we don't get access to edit our own OU GPOs either. We're lucky to even be able to unlock our users' accounts at this point. For this reason I sometimes forget about other settings available for use via GPO.

We do have full admin privs on the servers/workstations we're responsible for though. What I did was use gpedit.msc on one workstation to configure the settings I want...and then copy the .pol files (along with the gpt.ini) during unattended setup. Works like a charm and we automatically get added to the local admin group when the machine is joined to the domain.

Posted

You may not have permissions to edit your own OUs, but do you have permission to create a child OU? Just a thought.. it could be a way around.

Posted

Nope. No such permissions. They use a tool called Active Directory Resource Assistance from NetIQ to granularize the permissions. We can't even add our own user or computer accounts. We can manage/delete existing accounts...but not create them.
