eyeball Posted April 14, 2006

Hi all,

I want to add each user that logs on (in a domain) to the local Administrators group on their machine. I found I could do it with "net localgroup", but it requires that you have the right to add yourself to local admins, and without actually being one it's impossible. I could use a "runas" command in the login script, but the password would be in plain text in the script. Does anybody have a way around this?

Thanks
ButlerKevinD Posted April 15, 2006

Well, I can't think of any automated way of doing this off hand, but why not just open your local Computer Management snap-in and change from local to the remote PC in question, then add the individual users that way? Or perhaps create a security group in your AD of those persons that are to have local admin access and propagate that through only those machines in your OU that contains the machine accounts (won't work on the default Computers OU).
cluberti Posted April 15, 2006 (edited)

Run this VBScript in a MACHINE logon script configured in a GPO in AD:

Set objWshNet = CreateObject("WScript.Network")
' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure basic script variables
strDomain = objWshNet.UserDomain
strComputer = objWshNet.ComputerName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain user to the Local Administrators Group
strUser = "useraccounthere"
Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // Configure to add a domain group to the Local Administrators Group
' // (uncomment these two lines and comment out the two user lines above)
'strUser = "domaingrouphere"
'Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",group")
' // ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' // We actually add the user or group here, if not already a member of the local
' // Administrators group:
If Not objGroup.IsMember(objUser.ADsPath) Then
    objGroup.Add(objUser.ADsPath)
End If

This will add a domain user (or group) to the local Administrators group on the target PC when the PC starts up. Since this runs as the SYSTEM account, rather than a non-admin user, it can add users to the local Administrators group while the machine is starting up, making that user (or group) a member of the local Administrators group before they log on.

If you find that you have lots of mundane admin tasks like this, you should seriously consider learning VBScript (and ultimately higher-level programming languages, but at least VBScript). Good administrators are generally, as a rule, also good programmers.

Edited April 15, 2006 by cluberti
eyeball Posted April 15, 2006 (edited)

Excellent, cluberti! Thanks a lot. I am working on learning VBScript, honest! Slowly but surely, that and revising for my 70-290. Man, there's a lot of stuff to learn, but indeed scripting is the way to go; it makes the difference between an hour's work and hours of work, lol.

Thanks again

EDIT: I've just tried this with a virtual server and client, and when the user logs on I get:

line: 30
char: 1
error: general access denied error
code: 80070005
source: active directory

Can anyone tell me why, please?

Edited April 15, 2006 by eyeball
cluberti Posted April 15, 2006

Are you doing this as a USER logon script, or a MACHINE logon script? It won't work as a user, but works fine as a machine logon script:

GPO > Computer Configuration > Windows Settings > Scripts > Startup

And remember, this needs to be configured as a GPO on the OU with the COMPUTER accounts in it, not the USER accounts.
eyeball Posted April 15, 2006 (edited)

Sorry, I was doing it from Active Directory and setting this as the user logon script. OK, I'll try it from Group Policy. Thank you so much, cluberti.

EDIT: I've been trying for the last hour to do this and I'm getting nowhere. The script doesn't run or throws an error out, or in the Event Viewer I get an error saying that access to the script was denied, even though the user clearly has access. I've run this from the admin account on the machine and it works perfectly, so I must be doing something wrong. Can anyone help, please?

Edited April 15, 2006 by eyeball
cluberti Posted April 15, 2006

Remember, you're running this as a machine account; the machine accounts must have at least READ access to the share where the script is stored.
eyeball Posted April 15, 2006

This is really annoying me!! I have the machine account with the access it needs, but when I boot up the client I get an error saying there is something wrong with line 15, but I've checked and no, there isn't. I've also logged on as the administrator on the client and run the script, and it's fine. This is driving me crazy; I've spent like 2 hours on something as small as this. Please help me!
cluberti Posted April 16, 2006

Try using user@domain.tld instead of just user. Honestly, I haven't had issues like this with the script in my 2K3 domain, so I'm not sure what else I can tell you.

You could use Restricted Groups in AD to accomplish this as well, and that had slipped my mind. If the above change doesn't work, you can always try using Restricted Groups in GPO to add the user/group to a local group as well.
eyeball Posted April 16, 2006

YES!! Thank you, cluberti! Thank you, thank you. Restricted Groups worked perfectly.
ajaymjoshi Posted May 2, 2007

I would like to only add the user who is currently logging on to the local Administrators group. The user is only identified during the user logon phase of startup scripts, not during the computer startup phase. Multiple users log on to the same PC at all times, e.g. in a fire station. Only that particular user should be in the local Administrators group (in addition to Domain Admins).

My biggest problem is not knowing the username if you use what cluberti is recommending:

' // Configure to add a domain user to the Local Administrators Group
strUser = "useraccounthere"

The following script, running during the user logon, fails as the user does not have the permission to add him/herself to the local admin group:

' Runs in the context of the logging-on user, so objGroup.Add/Remove need rights that user lacks
blnUserinAdmGroup = False
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
strUser = objNetwork.UserName
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
' Walk the current members: drop "Domain Users" if present, note whether this user is already in
For Each objUser In objGroup.Members
    If objUser.Name = "Domain Users" Then objGroup.Remove "WinNT://LAB/Domain Users"
    If objUser.Name = strUser Then blnUserinAdmGroup = True
Next
If Not blnUserinAdmGroup Then objGroup.Add "WinNT://LAB/" & strUser
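Added here as a worked example (not code from anyone in this thread): a PowerShell computer startup script that does what cluberti's VBScript and the Restricted Groups policy do, reconciling the local Administrators group against an approved list and writing any drift to the Application event log so unexpected admins get noticed; the domain name LAB, the group names and the event IDs are assumptions.

```powershell
# Added example, not code from the thread: enforce an exact local Administrators
# membership the way a Restricted Groups policy does. Deploy it as a COMPUTER
# startup script (GPO > Computer Configuration > Windows Settings > Scripts >
# Startup) so it runs as SYSTEM; the domain "LAB" and the group names are
# assumptions. Needs the Microsoft.PowerShell.LocalAccounts module (PS 5.1+).
param(
    [string[]]$Approved = @('Administrator', 'LAB\Domain Admins', 'LAB\Workstation-Admins'),
    [switch]$AuditOnly   # report drift in the Application event log, change nothing
)

$Source = 'LocalAdminEnforce'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Strip the local machine prefix so "PC01\Administrator" and "Administrator" compare equal.
$Prefix      = "^$([regex]::Escape($env:COMPUTERNAME))\\"
$ApprovedSet = @($Approved | ForEach-Object { $_ -replace $Prefix, '' })
$Current     = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                 ForEach-Object { $_.Name -replace $Prefix, '' })

$Unexpected = @($Current     | Where-Object { $ApprovedSet -notcontains $_ })
$Missing    = @($ApprovedSet | Where-Object { $Current     -notcontains $_ })

if ($Unexpected.Count -eq 0 -and $Missing.Count -eq 0) {
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
        -Message "Local Administrators membership matches policy: $($Current -join ', ')"
    return
}

# Drift is worth an alert on its own: an unexpected member is either a policy
# gap or an account that was elevated outside the approved path.
$Msg = "Local Administrators drift. Unexpected: [$($Unexpected -join ', ')] Missing: [$($Missing -join ', ')]"
Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType Warning -Message $Msg

if ($AuditOnly) { return }

foreach ($m in $Unexpected) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Continue
}
foreach ($m in $Missing) {
    Add-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Continue
}
Write-EventLog -LogName Application -Source $Source -EventId 1002 -EntryType Information `
    -Message "Local Administrators membership reconciled to: $($ApprovedSet -join ', ')"
```

Run it with -AuditOnly first and review event 1001 on a few machines before letting it remove anyone; Get-LocalGroupMember also fails outright on some builds when the group holds an orphaned SID, which the -ErrorAction Stop surfaces rather than hides.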