Re: Login Script

From: scott (sbailey_at_mileslumber.com)
Date: 12/21/04


Date: Tue, 21 Dec 2004 11:51:48 -0600

Where is the INTERACTIVE group located? I can't find it.

"Herb Martin" <news@LearnQuick.com> wrote in message
news:OrgfBhx5EHA.272@TK2MSFTNGP10.phx.gbl...
> "scott" <sbailey@mileslumber.com> wrote in message
> news:OhMPmLx5EHA.2624@TK2MSFTNGP11.phx.gbl...
>> If userA is a member of DOMAIN USERS and is a LOCAL ADMINISTRATOR to userA's
>> box, how can userA get access to other PCs on the network?
>>
>> I'm just trying to limit regular users to only access his own pc and just
>> certain network shared folders on a server. I do want them to be able to do
>> anything to their own pc.
>>
>
> But any user can walk up to any PC, logon, and
> become the Admin there, so you really have no
> effective limitation.
>
> Oli's idea at least REQUIRES them to physically
> logon (or TS etc) to the machine in question.
>
> --
> Herb Martin
>
>
>> i'm really getting confused. i've never heard of the INTERACTIVE group
>> before.
>>
>> if you can give more guidance, i'd appreciate you staying with me on
>> this.
>>
>>
>> "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
>> news:%23zNOS$s5EHA.2964@TK2MSFTNGP09.phx.gbl...
>> > Sorry -- I did indeed miss "the current user" in the original question.
>> >
>> > Scott, what you're trying to do is not a good practice. What you may want
>> > to consider doing, though, is to add the "INTERACTIVE" group (users
>> > logging in at the console) to the local administrators group.
>> >
>> > The following command will do this and must be done either manually or
>> > through a computer startup script. Users, of course, will not have the
>> > required permissions to make the change.
>> >
>> > net localgroup administrators interactive /add
>> >
>> > This will mean that any user who logs into such a machine will be an
>> > administrator of that box, but they will not be able to do administrative
>> > tasks to other machines across the network.
>> >
>> > Hope this helps
>> >
>> > Oli
>> >
>> > "Oli Restorick [MVP]" <oli@mvps.org> wrote in message
>> > news:OTcVe5s5EHA.828@TK2MSFTNGP14.phx.gbl...
>> >> As I understood the question, Scott wanted a particular user (I'm assuming
>> >> a helpdesk person) to not be a member of "Domain Admins", but to be able
>> >> to be an administrator of workstations. If so, a computer startup script
>> >> is a perfectly reasonable way of achieving a perfectly reasonable thing.
>> >>
>> >> Perhaps I'm misreading the question.
>> >>
>> >> Oli
>> >>
>> >>
>> >> "Herb Martin" <news@LearnQuick.com> wrote in message
>> >> news:%231pitFr5EHA.2568@TK2MSFTNGP10.phx.gbl...
>> >>> "scott" <sbailey@mileslumber.com> wrote in message
>> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
>> >>>> what about a group instead of a user?
>> >>>>
>> >>>> what would that look like syntax wise?
>> >>>
>> >>> Let's go back to your original request and consider
>> >>> what you really wish to accomplish:
>> >>>
>> >>>> I'm trying to add the current user (member of DOMAIN USER GROUP) to the
>> >>>> LOCAL ADMINISTRATORS group with below code in FIGURE 1, but get error in
>> >>>
>> >>> IF someone should be a member of the Local Administrators
>> >>> group then YOU (or a script on the DCs) should be adding
>> >>> them to the appropriate group.
>> >>>
>> >>> This isn't appropriate for a Startup or Logon script.
>> >>> (The user cannot add himself nor can the computer startup
>> >>> add a user who has not yet logged onto the computer -- as
>> >>> discussed above)
>> >>>
>> >>> If ALL users should be Admins of ALL machines (which
>> >>> is essentially what you were really going to allow -- If
>> >>> I COULD log onto a machine you were going to make me
>> >>> an Admin) -- then just do that by making such a group or
>> >>> assigning the Domain Admins.
>> >>>
>> >>> Although I see this, and the original request, as poor
>> >>> practice, you will likely also recognize this
>> >>> when stated as such.
>> >>>
>> >>> We could build a Startup script that would do this IF
>> >>> you can identify the users who work at each machine.
>> >>>
>> >>> --
>> >>> Herb Martin
>> >>>
>> >>>
>> >>> "scott" <sbailey@mileslumber.com> wrote in message
>> >>> news:#rT$cjp5EHA.828@TK2MSFTNGP14.phx.gbl...
>> >>>> what about a group instead of a user?
>> >>>>
>> >>>> what would that look like syntax wise?
>> >>>>
>> >>>> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
>> >>>> news:ekX8Kyl5EHA.2428@TK2MSFTNGP14.phx.gbl...
>> >>>> > Ah, you are correct. Missed that :(
>> >>>> >
>> >>>> > --
>> >>>> >
>> >>>> >
>> >>>> > Sincerely,
>> >>>> >
>> >>>> > Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>> >>>> > Microsoft MVP - Directory Services
>> >>>> > www.readymaids.com - we know IT
>> >>>> > www.akomolafe.com
>> >>>> > Do you now realize that Today is the Tomorrow you were worried about
>> >>>> > Yesterday? -anon
>> >>>> > "Herb Martin" <news@LearnQuick.com> wrote in message
>> >>>> > news:eXWiZji5EHA.2540@TK2MSFTNGP09.phx.gbl...
>> >>>> >> "Deji Akomolafe" <noemail@akomolafe.dotcom> wrote in message
>> >>>> >> news:uDSajUi5EHA.2624@TK2MSFTNGP11.phx.gbl...
>> >>>> >> > the variable is %username%. So your syntax would be:
>> >>>> >> >
>> >>>> >> > net localgroup administrators yourdomainname\%username% /ADD
>> >>>> >> >
>> >>>> >> > That would add ANY user that logs into the computer into the administrators'
>> >>>> >> > group IF you are using Machine Startup Script through a GPO as suggested by
>> >>>> >> > Oli. This may be something you want to do in a controlled fashion.
>> >>>> >>
>> >>>> >> Sorry, this will not work as expected.
>> >>>> >>
>> >>>> >> At the time that a Computer Startup Script runs, there is
>> >>>> >> NO user and the %username% variable holds no value.
>> >>>> >>
>
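
Added example, not part of the thread or any poster's code: a small audit that reads captured `net localgroup administrators` output from several workstations and reports members that make every logged-on user a local administrator, such as the INTERACTIVE entry discussed above. It assumes English-locale command output; the host names, the `EXAMPLE` domain and the sample text are constructed.

```python
# Added example: audit captured `net localgroup administrators` output.
# Assumes English-locale output; all sample data below is constructed.

BROAD = {  # account name (after any DOMAIN\ prefix, lower-cased) -> who it covers
    "interactive": "any user logged on at the console or through Terminal Services",
    "authenticated users": "every account that can authenticate to the machine",
    "everyone": "all users",
    "domain users": "every domain account",
}

HEADER = ("Alias name     administrators\n"
          "Comment        Administrators have complete and unrestricted access\n\n"
          "Members\n\n" + "-" * 79 + "\n")
FOOTER = "The command completed successfully.\n"
SAMPLE = {  # constructed output, one entry per workstation
    "WS01": HEADER + "Administrator\nEXAMPLE\\Domain Admins\n"
                     "NT AUTHORITY\\INTERACTIVE\n" + FOOTER,
    "WS02": HEADER + "Administrator\nEXAMPLE\\Domain Admins\n" + FOOTER,
}

def parse_members(output):
    """Return the member lines that follow the dashed separator."""
    members, in_list = [], False
    for line in output.splitlines():
        s = line.strip()
        if not in_list:
            in_list = bool(s) and set(s) == {"-"}
            continue
        if not s or s.lower().startswith("the command completed"):
            break
        members.append(s)
    return members

def audit(outputs):
    """Map host -> [(member, reason)] for members listed in BROAD."""
    report = {}
    for host, text in outputs.items():
        hits = []
        for member in parse_members(text):
            name = member.rsplit("\\", 1)[-1].lower()
            if name in BROAD:
                hits.append((member, BROAD[name]))
        if hits:
            report[host] = hits
    return report

if __name__ == "__main__":
    for host, hits in audit(SAMPLE).items():
        for member, reason in hits:
            print(f"{host}: {member} is a local admin ({reason})")
```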