Re: adding users using ad logon script?
- From: "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
- Date: Sun, 18 Sep 2005 20:23:31 -0400
Technically, it makes a difference what context the script runs under. A
logon script runs under the context of the user that logged on (in most
cases) so if that user is not a local administrator, then the script should
fail to add a user to the local administrators group. If it didn't that
would be a security problem of a much larger magnitude for a lot of people.
Elevation of privilege and all that.
At some point in the transaction, you must present credentials sufficient to
add a user to the local administrators group, or else it will fail.
Take a look at the documentation on restricted groups. I think you'll find
that's what you want to do. IIRC, there's an option to append vs. replace
members of the group in question. As the group/user requirements change you
can make adjustments via the restricted groups policy.
Al
"Esa" <Esa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:84D51F2E-E81D-4A8A-B855-7A3962CAE111@xxxxxxxxxxxxxxxx
> Hi!
>
> I just thought to make a logon script that would add users to the admin group.
> Enable user loopback policy mode in computer configuration. Our computers
> are in OUs containing only computers, so I would link the policy to those OUs.
>
> I was just wondering, using such a policy, will it make a difference who logs in
> and what his group membership is? Will it make any difference while using
> loopback policy?
>
> Yes, I was also thinking about restricted groups, but I was wondering how to
> add users to the local admin group for all desktop computers. Could it be
> possible using GPMC from a workstation? And what would happen then when we are
> not using those groups any more? We should add the account into the local admin
> group somehow after that..?
>
> Esa
>
> --
> -Esa
>
> "Al Mulnick" wrote:
>
>> Can't think why it would not be possible.
>> As for credentials, that would depend on your configuration and the user
>> account rights assigned.
>>
>> As for the deletion and re-adding, have you considered CAREFULLY using the
>> restricted groups feature?
>>
>> Al
>>
>>
>> "Esa" <Esa@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:6A304A1E-6040-41C3-B0BF-0C1C77B1F09F@xxxxxxxxxxxxxxxx
>> > Hi!
>> >
>> > I would like to create a script that adds one certain domain user account
>> > into every single desktop PC's local admin group. I would also like to copy
>> > one certain profile on every single computer into the default user profile.
>> >
>> > The account I am going to copy into the default user account was accidentally
>> > deleted in AD, but the profile is still saved on the host computer (we are
>> > using local profiles). If I have a look at the state of computer accounts in
>> > My Computer -> Advanced -> Profiles tab I see only an "Account Unknown" sign.
>> >
>> > So would it be possible to make such a script? Using AD's startup script and
>> > user loopback policy?
>> >
>> > Would that script work if a normal domain user logged in? Would the
>> > credentials be high enough for adding something into the local admin group?
>> >
>> > Thanks,
>> >
>> > Esa
>> >
>> > --
>> > -Esa
>>
>>
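Al's point that a logon script runs with the logged-on user's token, shown as an added example that is not from this thread: a PowerShell script that reports the context it runs under, compares local Administrators membership with an expected list (the idea behind Restricted Groups), and refuses to change the group when it holds no admin token. `CONTOSO\DesktopAdmins` and the expected-member list are constructed placeholders; the LocalAccounts cmdlets assume PowerShell 5.1 on Windows.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 with the
# built-in LocalAccounts module (Get-LocalGroupMember / Add-LocalGroupMember).
# 'CONTOSO\DesktopAdmins' is a constructed placeholder for the domain group
# that is supposed to be in the local Administrators group.
$ExpectedMembers = @('Administrator', 'CONTOSO\DesktopAdmins')  # constructed

function Get-RunContext {
    # Who the script runs as, and whether that token carries admin rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ User = $identity.Name; IsAdmin = $isAdmin }
}

function Get-AdminGroupDrift {
    param([string[]]$Expected)
    # Compare actual Administrators membership with the expected list.
    # Members come back as 'PC01\Administrator' or 'CONTOSO\DesktopAdmins';
    # strip the local machine prefix so local accounts compare by bare name.
    $prefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'
    $actual = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { $_.Name -replace $prefix, '' }
    [pscustomobject]@{
        Missing    = @($Expected | Where-Object { $_ -notin $actual })
        Unexpected = @($actual   | Where-Object { $_ -notin $Expected })
    }
}

$ctx   = Get-RunContext
$drift = Get-AdminGroupDrift -Expected $ExpectedMembers
Write-Output "Running as $($ctx.User); admin token: $($ctx.IsAdmin)"
Write-Output "Missing from Administrators: $($drift.Missing -join ', ')"
Write-Output "Not in expected list:        $($drift.Unexpected -join ', ')"

if ($drift.Missing.Count -eq 0) { return }
if (-not $ctx.IsAdmin) {
    # The case Al describes: run as a logon script under a normal user, the
    # change is refused. Fail loudly and point at the supported mechanism
    # (Restricted Groups, or a computer startup script running as SYSTEM).
    Write-Error 'No admin token in this context; use a Restricted Groups policy instead.'
    exit 1
}
# Reached only when the token already has admin rights. Add what is missing
# and remove nothing, mirroring the "append" behaviour Al mentions.
foreach ($member in $drift.Missing) {
    Add-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction Stop
}
```

Run it once as an ordinary domain user and once from a computer startup script to see the two outcomes the thread is asking about.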