Re: Login Script

From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 12/20/04


Date: Mon, 20 Dec 2004 20:09:29 -0000

Sorry -- I did indeed miss "the current user" in the original question.

Scott, what you're trying to do is not a good practice. What you may want
to consider doing, though, is to add the "INTERACTIVE" group (users logging
in at the console) to the local administrators group.

The following command will do this and must be done either manually or
through a computer startup script. Users, of course, will not have the
required permissions to make the change.

net localgroup administrators interactive /add

This will mean that any user who logs into such a machine will be an
administrator of that box, but they will not be able to do administrative
tasks to other machines across the network.

Hope this helps

Oli

"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:OTcVe5s5EHA.828@TK2MSFTNGP14.phx.gbl...
> As I understood the question, Scott wanted a particular user (I'm assuming a
> helpdesk person) to not be a member of "Domain Admins", but to be able to
> be an administrator of workstations. If so, a computer startup script is
> a perfectly reasonable way of achieving a perfectly reasonable thing.
>
> Perhaps I'm misreading the question.
>
> Oli
>
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:%231pitFr5EHA.2568@TK2MSFTNGP10.phx.gbl...
>> "scott" <sbailey@mileslumber.com> wrote in message
>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
>>> what about a group instead of a user?
>>>
>>> what would that look like syntax wise?
>>
>> Let's go back to your original request and consider
>> what you really wish to accomplish:
>>
>>> I'm trying to add the current user (member of DOMAIN USER GROUP) to the
>>> LOCAL ADMINISTRATORS group with below code in FIGURE 1, but get error in
>>
>> IF someone should be a member of the Local Administrators
>> group then YOU (or a script on the DCs) should be adding
>> them to the appropriate group.
>>
>> This isn't appropriate for a Startup or Logon script.
>> (The user cannot add himself nor can the computer startup
>> add a user who has not yet logged onto the computer -- as
>> discussed above)
>>
>> If ALL users should be Admins of ALL machines (which
>> is essentially what you were really going to allow -- If
>> I COULD log onto a machine you were going to make me
>> an Admin) -- then just do that by making such a group or
>> assigning the Domain Admins.
>>
>> Although I see this, and the original request, as poor
>> practice, you will likely also recognize this
>> when stated as such.
>>
>> We could build a Startup script that would do this IF
>> you can identify the users who work at each machine.
>>
>> --
>> Herb Martin
>>
>>
>> "scott" <sbailey@mileslumber.com> wrote in message
>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
>>> what about a group instead of a user?
>>>
>>> what would that look like syntax wise?
>>>
>>> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
>>> news:ekX8Kyl5EHA.2428@TK2MSFTNGP14.phx.gbl...
>>> > Ah, you are correct. Missed that :(
>>> >
>>> > --
>>> >
>>> >
>>> > Sincerely,
>>> >
>>> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>>> > Microsoft MVP - Directory Services
>>> > www.readymaids.com - we know IT
>>> > www.akomolafe.com
>>> > Do you now realize that Today is the Tomorrow you were worried about
>>> > Yesterday? -anon
>>> > "Herb Martin" <news@LearnQuick.com> wrote in message
>>> > news:eXWiZji5EHA.2540@TK2MSFTNGP09.phx.gbl...
>>> >> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
>>> >> news:uDSajUi5EHA.2624@TK2MSFTNGP11.phx.gbl...
>>> >> > the variable is %username%. So your syntax would be:
>>> >> >
>>> >> > net localgroup administrators yourdomainname\%username% /ADD
>>> >> >
>>> >> > That would add ANY user that logs into the computer into the
>>> >> > administrators' group IF you are using Machine Startup Script
>>> >> > through a GPO as suggested by Oli. This may be something you
>>> >> > want to do in a controlled fashion.
>>> >>
>>> >> Sorry, this will not work as expected.
>>> >>
>>> >> At the time that a Computer Startup Script runs, there is
>>> >> NO user and the %username% variable holds no value.
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>>
>>>
>>
>>
>
>
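
Added example, not part of the original thread: a PowerShell audit that reports when INTERACTIVE (the change made by the command above) or another catch-all group is a member of the local Administrators group. The function name and the sample accounts and domain SIDs are constructed for illustration; the well-known SIDs are standard Windows values.

```powershell
# Well-known SIDs that turn every matching logon into a local administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Hypothetical helper: takes objects with Name and SID properties
# (the shape Get-LocalGroupMember returns) and emits one finding per broad member.
function Get-BroadAdminFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Members
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid
                               Reason = "well-known group: $($BroadSids[$sid])" }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 is the Domain Users group of whichever domain issued the SID.
            [pscustomobject]@{ Name = $m.Name; SID = $sid
                               Reason = 'Domain Users (RID 513)' }
        }
    }
}

# Constructed sample membership (not taken from a real machine).
$sample = @(
    [pscustomobject]@{ Name = 'WKS01\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE'
                       SID  = 'S-1-5-4' }
)
Get-BroadAdminFinding -Members $sample | Format-Table -AutoSize

# Live check of this machine; S-1-5-32-544 is BUILTIN\Administrators.
# Get-LocalGroupMember ships with Windows PowerShell 5.1 and later.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    if ($live.Count -gt 0) {
        Get-BroadAdminFinding -Members $live | Format-Table -AutoSize
    }
}
```

Looking the group up by SID rather than by name keeps the check independent of the display language of the Windows installation.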


