add users to local administrators group?


eyeball

Hi all,

I want to add each user that logs on (in a domain) to the local Administrators group on their machine.

I found I could do it with "net localgroup", but it requires that you have the right to add yourself to local admins, and without actually being one it's impossible.

I could use a "runas" command in the login script, but the password would be in plain text in the script.

Does anybody have a way around this?

Thanks



Well, I can't think of any automated way of doing this off hand, but why not just open your local Computer Management snap-in and change from local to the remote PC in question, then add the individual users that way? Or perhaps create a security group in your AD of those persons that are to have local admin access and propagate that through only those machines in your OU that contains the machine accounts (won't work on the default Computers OU).


Run this vbscript in a MACHINE logon script configured in a GPO in AD:

Set objWshNet = CreateObject("WScript.Network")

' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure basic script variables

strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain user to the Local Administrators Group

strUser = "useraccounthere"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain group to the Local Administrators Group

'strUser = "domaingrouphere"
'Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")


' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // We actually add the user or group here, if not already a member of the local
' // Administrators group:

If Not objGroup.IsMember(objUser.ADsPath) Then
objGroup.Add(objUser.ADsPath)
End If

This will add a domain user (or group) to the local Administrators group on the target PC when the PC starts up - since this runs as the SYSTEM account, rather than a non-admin user, it can add users to the local Administrators group when the machine is starting up, making that user (or group) a member of the local Administrators group before they log on.

If you find that you have lots of mundane admin tasks like this, you should seriously consider learning vbscript (and ultimately higher-level programming languages, but at least vbscript).

Good administrators are generally, as a rule, also good programmers :).

Edited by cluberti
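A PowerShell version of the same startup-script approach, added here as an example and not cluberti's code. It uses the same WinNT ADSI provider, assumes it runs as a GPO Computer Startup script (so under SYSTEM, as the post describes), and assumes placeholder names CONTOSO and "Workstation Local Admins" that you would replace; it adds a domain group rather than individual users and reports any member of local Administrators that is not on an expected list, so drift in that group is visible.

```powershell
# Added example, not the thread's own script: idempotent add of a domain group to
# the local Administrators group via ADSI, plus a membership audit.
# Assumptions: runs as SYSTEM from a GPO Computer Startup script; CONTOSO and
# 'Workstation Local Admins' are placeholders.
param(
    [string]$Domain = 'CONTOSO',                   # placeholder NetBIOS domain name
    [string]$Member = 'Workstation Local Admins',  # placeholder domain security group
    [string]$MemberClass = 'group',                # 'group' or 'user', as in the VBScript
    [string[]]$ExpectedMembers = @('Administrator', 'Domain Admins')
)

$computer   = $env:COMPUTERNAME
$adminGrp   = [ADSI]"WinNT://$computer/Administrators,group"
$memberPath = "WinNT://$Domain/$Member,$MemberClass"

# Enumerate current member names through the ADSI adapter (works on old and new PowerShell).
function Get-LocalAdminMembers($group) {
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Same check as the VBScript: only add if not already a member.
$current = Get-LocalAdminMembers $adminGrp
if ($current -contains $Member) {
    Write-Output "'$Member' is already a member of Administrators on $computer"
} else {
    $adminGrp.Add($memberPath)
    Write-Output "Added '$Member' to Administrators on $computer"
}

# Audit: anything in local Administrators that is not expected is reported, so
# accounts added by hand or by an older script do not go unnoticed.
$allowed    = $ExpectedMembers + $Member
$unexpected = Get-LocalAdminMembers $adminGrp | Where-Object { $allowed -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected local Administrators on ${computer}: $($unexpected -join ', ')"
}
```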

Excellent, cluberti! :thumbup

Thanks a lot :)

I am working on learning VBScript, honest! Slowly but surely, that and revising for my 70-290. Man, there's a lot of stuff to learn :wacko:

But indeed scripting is the way to go; it makes the difference between an hour's work and hours of work :lol: lol

Thanks again

EDIT: I've just tried this with a virtual server and client, and when the user logs on I get:

line: 30

char: 1

error: general access denied error

code:80070005

source: active directory

Can anyone tell me why, please?

Edited by eyeball

Are you doing this as a USER logon script, or a MACHINE logon script? It won't work as a user, but works fine as a machine logon script:

GPO > Computer Configuration > Windows Settings > Scripts > Startup

And remember, this needs to be configured as a GPO on the OU with the COMPUTER accounts in it, not the USER accounts.


Sorry, I was doing it from Active Directory and setting this as the user logon script.

OK, I'll try it from Group Policy :)

Thank you so much, cluberti.

EDIT: I've been trying for the last hour to do this and I'm getting nowhere. The script doesn't run or throws an error, or in the Event Viewer I get an error saying that access to the script was denied, even though the user clearly has access.

I've run this from the admin account on the machine and it works perfectly, so I must be doing something wrong. Can anyone help, please?

Edited by eyeball

This is really annoying me!! I have the machine account with the access it needs, but when I boot up the client I get an error saying there is something wrong with line 15, but I've checked and no, there isn't.

I've also logged on as the Administrator on the client and run the script, and it's fine. This is driving me crazy; I've spent like 2 hours on something as small as this. Please help me! :)


Try using user@domain.tld instead of just user. Honestly, I haven't had issues like this with the script in my 2K3 domain, so I'm not sure what else I can tell you.

You could use the Restricted Groups in AD to accomplish this as well, and that had slipped my mind. If the above change doesn't work, you can always try using Restricted Groups in GPO to add the user/group to a local group as well.


  • 1 year later...

I would like to add only the user who is currently logging on to the local Administrators group. The user is only identified during the user logon phase of startup scripts, not during the computer startup phase.

Multiple users log on to the same PC at all times, e.g. in a fire station. Only that particular user should be in the local Administrators group (in addition to Domain Admins).

My biggest problem is not knowing the username if you use what cluberti is recommending:

' // Configure to add a domain user to the Local Administrators Group

strUser = "useraccounthere"

The following script, running during the user logon, fails as the user does not have the permission to add him/herself to the local admin group.

' Runs in the logged-on user's context, so objGroup.Add fails with access denied
' unless that user is already a local administrator.
blnUserinAdmGroup = False

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Walk the current members: drop "Domain Users" and note whether this user is present
For Each objUser In objGroup.Members
    If objUser.Name = "Domain Users" Then objGroup.Remove "WinNT://LAB/Domain Users"
    If objUser.Name = strUser Then blnUserinAdmGroup = True
Next

' Add the logged-on user only if not already a member
If Not blnUserinAdmGroup Then objGroup.Add "WinNT://LAB/" & strUser
