Re: Giving Accounts Local Computer Admin Privledge

---

• From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
• Date: Wed, 4 Jan 2006 12:07:26 -0600

---

Hi,

You can modify local group memberships in a startup script (via GPO). They
run with elevated privileges locally and with the privileges of the computer
object in the domain. Best is to create a domain group for this purpose,
then make the domain group a member of the local Administrators group. Then
you can manage membership on the domain without messing with the local
groups again. The Startup script can first check if the domain group has
already been added. The Startup script must use the WinNT provider. I have
used code similar to:

Dim strDomainGroup, objDomainGroup, objNetwork
Dim strComputer, objLocalGroup

' Specify AdsPath of domain group to be added to
' local Administrators group.
strDomainGroup = "WinNT://MyDomain/AdmGroup,group"

Set objDomainGroup = GetObject(strDomainGroup)

' Retrieve local computer NetBIOS name.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

' Check if domain group already a member.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
' Add domain group to local group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

"Neil Ruston" <NeilRuston@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CD0775F5-B205-4D4A-A46A-576EB3EBE99D@xxxxxxxxxxxxxxxx
> Simply add those accounts to the local Administrators group, on the
> relevant
> machine(s).
>
> Restricted Groups (via GPO) may also be worth investigating.
>
> hth,
> neil
>
>
>
>
>
> "Jeremy Dillinger" wrote:
>
>> Is there a way I can give accounts in Active Directory Local Computer
>> Admin
>> Privledge without giving them domain admin privledge? How can I go about
>> doing this? Thanks!
>>
>> Jeremy
>>
>>
>>


.

---

• References:
  • Giving Accounts Local Computer Admin Privledge
    • From: Jeremy Dillinger

• Prev by Date: Re: Enumerate User Attributes
• Next by Date: Re: No Network Connection
• Previous by thread: Giving Accounts Local Computer Admin Privledge
• Next by thread: Re: LDAP [WildPacket]
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Loginscript is lacking credentials......... ... Startup scripts run with System permissions on the local machine and ... Startup script configured by a group policy to add a domain group to the ... not already a member, use the Add method to add the domain group to the ... (microsoft.public.windows.server.active_directory) Re: Removing domain local groups from Wind XP local administrato ... > member of the local admin groups on the Win XP anymore because ... > to add to the startup script that will automate this, ... Use the restricted groups feature in a GPO using the members option. ... the local administrators group. ... (microsoft.public.win2000.active_directory) Re: Difference between a domain group and a local group ... you could create a domain group. ... the local group on each computer. ... member of the local administrators group. ... (microsoft.public.scripting.vbscript) Re: Adding an Active Directory group to a local group ... > Has anyone a script already prepared? ... ' local Administrators group. ... ' Check if domain group already a member. ... (microsoft.public.scripting.wsh) Re: Adding Domain Admins to local computer administrator groups ... done via a script and if so can I get a copy of the script please. ... ' Bind to local Administrators group. ... ' Check if domain group already a member. ... Assuming all client are W2k or above, you can do this in a Startup script, ... (microsoft.public.windows.server.scripting)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2006-01