Adding users as local admin 1

[N1ro]

Does anybody know if there is a way to make the domain user logging on to a PC a local admin automatically? I don't want to use Restricted groups to make domain users local admins...because that gives all users access to all pc's...I'd rather add each individual user as a local admin to their own pc as they're logging on. Any ideas how to do that?

Thanks
Mike

 

[hewissa]

Hey Mike,

Try using a logon script with the command line:

net localgroup "Administrators" "%username%" /ADD

Then assign a logoff script:

net localgroup "Administrators" "%username%" /DELETE

Now I haven't tried the %username% switch with the command so I don't know if it will work. You may need to specify the actual username. Which means a batch for each users...

Another approach, would be to create a domain local group. Call is adminlocal. create a batch file and assign it as a login script. In the batch use the:

net localgroup "administrators" /ADD "domain_name\adminlocal"

In doing that, a global group would be assigned to the local administrators group. You can then add/remove members of that group in one location - Active Directory. From what you are saying, any time the user logs on they will be members of the local admins, no matter what machine they logon onto. So why not create a global group assign them to the local admins and go from there.

Lastly you could create a vb script that pulls the current user and adds/removes from the local admin.

Hewissa

MCSE, CCNA, CIW

 

[N1ro]

I thought of the login script idea myself...but since the login script is running as the user...would it let them add themselves to the local admin group?

 

[hewissa]

Try using "cusrmgr.exe" from the Windows 2000 Server Resource Kit. You can run it from the computer you have it installed on and as long as you're logged in as a domain administrator, you can add users to any local group on the domain. To add domain user "user" to the "Power Users" group on a computer named "computer", you would type this at the command prompt:

cusrmgr.exe -u user -m \\computer -alg "Power Users"

To remove the user from the "Power Users" group afterwards, you'd type:

cusrmgr.exe -u user -m \\computer -dlg "Power Users"

http://www.tburke.net/info/reskittools/topics/cusrmgr_syntax.htm

http://support.microsoft.com/?kbid=272530

Hewissa

MCSE, CCNA, CIW

 

[hewissa]

I hit submit to soon.....

You are correct, the one with the script needs to be a Domain admin already...what are the chances of you hitting each machine? Slim to none I would imagaine. The cusrmgr.exe grants you some remote capability but for it to work as I had suggested earlier, you need to have the global group already assigned.


In going back to your original post "anybody know if there is a way to make the domain user logging on to a PC a local admin automatically" you pretty much andswered it yourself - "...script is running as the user...would it let them add themselves to the local admin group"...Nope.

You could apply the script to only Domain Admins and as they logon to machines the script is run. You could run MMC and connect to each computer and add the global group to the Admin local group. Or use cusrmgr.exe to add the users...

Hewissa

MCSE, CCNA, CIW