Re: Logon Script



Al Dunbar [MS-MVP] wrote:

> If you want ALL of your users to have local admin privileges,
> try adding the group called "authenticated users" to the
> administrators group on all workstations.

Hi,

I would recommend adding "NT Authority\Interactive" to the local
Administrators group to let all domain users automatically be local
admins when they log on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users", "NT AUTHORITY\Authenticated Users" or any other
global security group because you avoid the issue with cross
network admin rights (remote access) that these groups introduce.

E.g. running this line in a computer startup script (with a GPO) will
add it to the Administrators group (as long as the group is named
"Administrators" in your environment):

%SystemRoot%\system32\net.exe LOCALGROUP /ADD "Administrators" "NT Authority\Interactive"

(the command above will wrap over two lines in the newsgroup post, it
needs to be adjusted to be all on one line)


-- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: http://www.microsoft.com/technet/scriptcenter/default.mspx .
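
The following audit script is an added example, not part of the original post. It reports which broad principals sit in the local Administrators group and whether each one also confers admin rights over the network, which is the distinction the reply draws. It assumes Windows PowerShell 5.1 or later for the live check; the function name and the sample SIDs are made up for illustration.

```powershell
# Added example (audit only); not code from the original post.
# Well-known SIDs are matched instead of names, so renamed or localized groups still match.
$BroadPrincipals = @{
    'S-1-1-0'  = @{ Label = 'Everyone';            Network = $true  }
    'S-1-5-11' = @{ Label = 'Authenticated Users'; Network = $true  }
    'S-1-5-4'  = @{ Label = 'Interactive';         Network = $false }
}

function Get-BroadAdminFinding {
    # Classify one member SID (string). Returns nothing for ordinary accounts and groups.
    param([Parameter(Mandatory)][string]$Sid)

    $hit = $BroadPrincipals[$Sid]
    if (-not $hit -and $Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
        # RID 513 under a domain SID is that domain's "Domain Users" group.
        $hit = @{ Label = 'Domain Users'; Network = $true }
    }
    if ($hit) {
        [pscustomobject]@{
            Sid              = $Sid
            Principal        = $hit.Label
            # $true: membership also grants admin rights across the network,
            # the issue the post describes; $false: interactive logons only.
            AdminOverNetwork = $hit.Network
        }
    }
}

# Constructed sample SIDs (the domain SID is made up) to show the classification offline.
$sample = 'S-1-5-4', 'S-1-5-11',
          'S-1-5-21-1111111111-2222222222-3333333333-513',
          'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample | ForEach-Object { Get-BroadAdminFinding -Sid $_ } | Format-Table -AutoSize

# Live check on this computer. S-1-5-32-544 is the built-in Administrators group,
# so this works even where the group is not named "Administrators".
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        ForEach-Object { Get-BroadAdminFinding -Sid $_.SID.Value } |
        Format-Table -AutoSize
}
```

Any row returned by the live check means every user covered by that principal is a local administrator on the machine; rows with AdminOverNetwork set to True are the ones the reply warns against.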


