Re: Group Policy Question
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Sep 2007 08:26:49 -0500
"Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:e5R58HS8HHA.1416@xxxxxxxxxxxxxxxxxxxxxxx
Howdie!
Don schrieb:
I have around a thousand pc's which are already in production, but not
members of our AD domain. I plan on adding them by pushing a script
using the netdom utility. My problem is we have several applications
which require the users to be local admins on the pc's (bad I know). Is
there a way via a group policy, or anything else for that matter, which
will add the users to the local administrator group the first time they
log on. My alternative is to add the domain users group from the netdom
script, but I really want to restrict it to individual users.
There's nothing for exactly what you want. You will have to script it
somehow that people get added to the local admins as soon as they log in.
If that doesn't work, and before you start adding them with a net* script,
have a look at restricted groups:
http://www.frickelsoft.net/blog/?p=13
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Also, users cannot add themselves to the local group, so it won't work in a
logon script (unless you hard code credentials in the script which is
dangerous). If you want users to only be admin on one computer each, you
should be able to do it remotely yourself with a script. To do it in bulk
you could read computer names and corresponding user names from a text file.
Of course, this would be after the computers are joined to the domain. A
VBScript program to add one user to the local Administrators group on one
computer would be:
==========
strComputer = "MyComputer"
strUser = "JimSmith"
strDomain = "MyDomain"
' Bind to Administrators group on the computer.
Set objLocalGroup = GetObject("WinNT://" & strComputer &
"/Administrators,group")
' Bind to domain user object.
Set objDomainUser = GetObject("WinNT://" & strDomain & "/" & strUser &
",user")
' Check if user already a member.
If (objLocalGroup.IsMember(objDomainUser.AdsPath) = False) Then
' Add the user to the group.
objLocalGroup.Add(objDomainUser.AdsPath)
End If
=========
As long as the computer is joined to the domain, you can run this remotely,
assuming you are a member of the "Domain Admins" group and the "Domain
Admins" group is a member of the local Administrators group (which is true
for all computers when they are joined to the domain). It would be easy to
read names from a text file and do the above for many computers/users in
bulk.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
.
- References:
- Group Policy Question
- From: Don
- Re: Group Policy Question
- From: Florian Frommherz [MVP]
- Group Policy Question
- Prev by Date: Re: Group Policy Question
- Next by Date: AD Secure folder but not files
- Previous by thread: Re: Group Policy Question
- Next by thread: AD Secure folder but not files
- Index(es):
Relevant Pages
|
