How to make user local admin.

larsjuhl

I would like to make all users members of their local administrators group by default without having to do it manually... I don't care if all users are administrators of all workstations.

Any suggestions how this can be done?

Appreciate any help.

rgds,
Lars
 
You can use Restricted Groups in Group Policy, but this will allow all users administrative access to any computers you put in the affected OU, as opposed to just a single user to single computer ratio. Or you could assign a user-based login script and include the line:

NET LOCALGROUP ADMINISTRATORS /ADD %USERNAME%
 
brontosaurus - I am trying to do the same here and tried your logon script, but it fails with the "insufficient rights" message when I try to run it with a new user. Any ideas? Thanks.
 
If you use the login script you can use the runas command (on Windows 2000) or su.exe from the res kit; however, this will require the administrator account credentials to be entered into the command string, posing a security risk as this is in clear text. Running the command within an encrypted vbs file (then removing the file shortly after) will provide a minimal security level whilst conducting the task.

 
TopGun> that script will fail because a normal user doesn't have permissions to add users to the admin group.

Group Policy is the way to go
 
Thx,
Making a GP with Domain Users as "Restricted Group", will that make them Local Administrators?
Is that really all? Don't I have to give them special rights or anything?
 
Actually, I just did the same thing. Here is the knowledge base article straight from Microsoft on how to accomplish this:

320065

--Roger
 
Here is my situation, if anyone can help that would be much appreciated:

1.) Joining people to a domain that now log into their local systems.

2.) Need their new domain account to be local admins on their system. Their account is to be the only local admin on their system other than the built in and domain admins of course.

3.) Have a staff that needs this done with a logon script, etc.

I have two scripts set up to run when the domain user account logs on to set them up as local admins.

The first logon script runs the "runas" command with a domain admin's credentials and points to the second script to be run with those credentials.

The second has the "NET LOCALGROUP ADMINISTRATORS /ADD %USERNAME%" command.

The problem is that the %username% variable refers back to the domain admin and not to the user logging on I guess. I get the 'user is already a member of that group' message.

When I hard code in a test user such as "NET LOCALGROUP ADMINISTRATORS /ADD domain\testuser" it works just fine. The problem with that obviously is that someone would have to change the 'domain\testuser' part for every new user that joins the domain. Is there a better way to do this? It seems the GPO method would be suited for a group of users to be local admins on a bunch of systems and doesn't help me in this case. Thanks much

TG
 
Thanks for the link "porcellir", that did the trick I was looking for!

great

love this forum!

Lars
 
I found out the solution to my own issue above.. you need to throw a /env switch in the 'runas' script. This puts it in the current user's context and not the admin's. Thank you Top Gun :)

TG
 
Hey TopGun,
glad you could help yourself :o)
Can I see your "runas" script? I wanna try what you are doing.. if it's ok

rgds,
Lars
 
Here you go Lars, enjoy. The logon.bat script runs NET LOCALGROUP ADMINISTRATORS /ADD %USERNAME%

runas /env /user:domain\admin "\\dc\sysvol\domain.com\scripts\logon.bat"

TG
 
topgun
I have made the 2 scripts but it prompts me for the admin password, I don't want that :o) and when I give the password I get ERROR 5 Access denied.
Have I misunderstood it all?
 
Hi Lars,

I don't know what that error is that you are getting. The password is necessary, although there may well be a way to hard code the password in the logon script itself but I wouldn't go that way.

TG
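
Added example, not part of the original thread or any poster's code: a small audit a defender could run over logon scripts to find the two patterns discussed above, runas with an explicit /user: account and NET LOCALGROUP ADMINISTRATORS /ADD. The script names, sample contents and function names are constructed for illustration.

```python
import re

# Patterns for the two commands discussed in this thread; case-insensitive
# because cmd.exe commands and switches are not case-sensitive.
RUNAS = re.compile(r'\brunas(?:\.exe)?\s+(?P<args>.*)', re.I)
RUNAS_USER = re.compile(r'/user:(?P<user>"[^"]+"|\S+)', re.I)
ADMIN_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+localgroup\s+"?administrators"?\s+(?P<rest>.*)', re.I)

# Constructed sample: the two scripts described in the thread, plus a comment line.
SAMPLES = {
    'first.bat': 'REM wrapper run at logon\n'
                 r'runas /env /user:domain\admin "\\dc\sysvol\domain.com\scripts\logon.bat"',
    'logon.bat': '@echo off\nNET LOCALGROUP ADMINISTRATORS /ADD %USERNAME%\n',
}

def audit_script(name, text):
    """Return (script, line_no, finding) tuples for risky logon-script lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines and batch comments so documentation is not reported.
        if not line or line.lower().startswith(('rem ', '::')):
            continue
        m = RUNAS.search(line)
        if m:
            u = RUNAS_USER.search(m.group('args'))
            who = u.group('user').strip('"') if u else '(no /user given)'
            findings.append((name, no, f'runas as {who}'))
            if re.search(r'/savecred\b', line, re.I):
                findings.append((name, no, 'runas /savecred reuses a stored credential'))
        m = ADMIN_ADD.search(line)
        if m and re.search(r'/add\b', m.group('rest'), re.I):
            members = [t for t in m.group('rest').split() if not t.startswith('/')]
            findings.append(
                (name, no, 'adds to local Administrators: ' + (' '.join(members) or '(none)')))
    return findings

def audit_all(scripts):
    """Audit a {name: text} mapping of scripts, in name order."""
    out = []
    for name in sorted(scripts):
        out.extend(audit_script(name, scripts[name]))
    return out

if __name__ == '__main__':
    for script, no, finding in audit_all(SAMPLES):
        print(f'{script}:{no}: {finding}')
```

To audit real files, build the mapping from the script share's contents (read each .bat/.cmd file as text) and pass it to audit_all.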
 