NET LOCALGROUP and NET GROUP Commands


I figured that this fits in the Unattended section of the forums more so than the non-Unattended section since I plan on using login scripts to carry out my goal so that it will be quick and painless.

My goal is to create a group with appropriate permissions in a domain environment and add this group (call it DOMAIN\Admins) to the local Administrators group on the local machine. Basically, this gives anyone in DOMAIN\Admins roaming local administrative privileges on the domain.

In addition, I would like to add the user that uses that computer into the local Administrators group. But that's pretty much the same as above.

In the end, what I want to do is allow for users A, B, and C to all have the ability to create and delete computer accounts in the domain, but to restrict user C from having roaming local administrative capabilities. That is, if user C does not log in to his computer, he will not have administrative privileges.

I am aware of the implications of giving users full administrative privileges on their machines, but that is not what I am asking here. There are other measures in place to prevent anything that should not be allowed already.

The commands NET LOCALGROUP and NET GROUP are confusing me. I do not even know if they are useful for what I am trying to do. At the moment, the local Administrators group does not have DOMAIN\Admins. This is what I plan on aiming for first through a login script making the transition very quick.

Any help is greatly appreciated.



I just do it this way to make the MyDomain user Myadmin a local administrator:

net localgroup /add administrators Mydomain\Myadmin

But I'm not quite sure about the need for a password, because I do a few things with a special domain account (synchronising time, eventually moving the computer into the domain) for which I enter the password.


From the sounds of it, I think the easiest way to go about this would be to take the user in question and add him to the Domain Admin group, then in his user record restrict the workstations he can log into to only the one computer. This of course would make it so he can only log into one and only one computer, but off the top of my head I don't really see how you could accomplish exactly what you're looking for.

You could always create a second account for the user to log in at other workstations.


The local Administrator account always exists and this person would always have access to it.

For some reason, the IT Manager has decided that roaming Administrator privileges using the domain user account for that person should not be granted despite the fact that that person already knows the local Administrator password for all the computers.

Thank you, Doc Symbiosis. I wasn't aware that you could use the command that way. The online documentation from Microsoft wasn't all that helpful. The examples didn't show anything like that. Every use of the /add switch in the examples created a new local group on the local machine.


I haven't had a chance to play around with this and I think that it would be quicker just to ask.

If I use the command

net localgroup /add Administrators DOMAIN\Admins

Will this use the currently logged-in user's credentials to authenticate? That is, if I am logged into my account that has access to Active Directory in several Organizational Units and local administrative privileges on the local machine, I can clearly perform this command without any trouble.

If I have just local administrative privileges but no access to Active Directory or any domain administration access whatsoever, am I still able to run this command and get the result that I want? I have a feeling that the Check Name in the GUI would fail, but would this work from the command line? This theoretical user would be logged into the domain under a regular domain user account.

Edited by Asin
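As an added example (not posted by anyone in this thread), here is the login-script logic the thread is circling around, written in PowerShell around the same net.exe command: it checks that the script actually runs with local Administrators rights (the right that net localgroup needs on the workstation), reads the current membership, and only adds DOMAIN\Admins when it is missing, so the script is safe to run at every logon. DOMAIN\Admins is the placeholder group name from the original post; the parsing of net.exe's output assumes the English-language layout of that output.

```powershell
# Added example, not from the thread. Idempotently add a domain group to the
# local Administrators group via net.exe, the command discussed in the thread.
param(
    [string]$DomainGroup = 'DOMAIN\Admins',   # placeholder name from the thread
    [string]$LocalGroup  = 'Administrators'
)

# net localgroup ... /add modifies the local SAM, so the caller must hold local
# Administrators rights on this machine; the domain name is resolved through the
# computer's own domain membership, not through the user's domain rights.
$identity     = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal    = New-Object Security.Principal.WindowsPrincipal($identity)
$isLocalAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isLocalAdmin) {
    Write-Warning "Not running as a local administrator; 'net localgroup /add' would return 'Access is denied'."
    exit 1
}

# Parse the current members from 'net localgroup <group>': member names are the
# lines between the dashed separator and "The command completed successfully."
# (assumes English output; other locales use different marker text).
$output  = net localgroup $LocalGroup 2>&1
$members = @()
$inList  = $false
foreach ($line in $output) {
    $text = "$line"
    if ($text -match '^-{5,}') { $inList = $true; continue }
    if ($text -match '^The command completed') { break }
    if ($inList -and $text.Trim()) { $members += $text.Trim() }
}

if ($members -contains $DomainGroup) {
    Write-Host "$DomainGroup is already a member of $LocalGroup; nothing to do."
} else {
    # Documented argument order: net localgroup <groupname> <name> /add
    net localgroup $LocalGroup $DomainGroup /add
    if ($LASTEXITCODE -ne 0) {
        Write-Error "Adding $DomainGroup to $LocalGroup failed (exit code $LASTEXITCODE)."
        exit $LASTEXITCODE
    }
    Write-Host "Added $DomainGroup to $LocalGroup."
}
```

On Windows with PowerShell 5.1 or later, Get-LocalGroupMember and Add-LocalGroupMember do the same membership check and add without parsing net.exe output, which is the more robust choice where those cmdlets are available.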
