Re: Add users to local admin via login script
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 4 Feb 2006 07:00:09 -0600
"Oli Restorick [MVP]" <oli@xxxxxxxx> wrote in message
news:e4se%23nYKGHA.3856@xxxxxxxxxxxxxxxxxxxxxxx
It's worth noting that by adding the "domain users" group to the local
admin group on every machine, you allow users to have fun remotely
administering and running code on each other's machines.
A good solution is to add "interactive" to the local admin group. That
way, locally logged on users get admin rights, but other users on the
network do not.
From the command prompt:
net localgroup administrators interactive /add
BTW: We also should mention to Space Junk that this is
a really bad policy.
Even Administrators should NOT be generally logged on
with those credentials, e.g., any virus or trojan picked up
by that user will be an "admin".
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Regards
Oli
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23Hfk%23VTKGHA.4044@xxxxxxxxxxxxxxxxxxxxxxx
"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:eKOpE6QKGHA.2992@xxxxxxxxxxxxxxxxxxxxxxx
"Space Junk" <SpaceJunk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2918093-AC1E-47A7-A5F0-C68F24965DE8@xxxxxxxxxxxxxxxx
Hi,
Is it possible to somehow add the user logging in to the local admin
group of the box?
Sure. You can run a Startup script to do it.
Or you can use a Group Policy to set up a (local) Restricted
Group -- the trick to this one is to set up the GPO while using
the tools (GPEdit or GP Management) ON A WinXP box (or
Win2000 non-DC).
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
A complication is that the Startup script does not know who the user will
be. The Startup script should add a domain group to the local
Administrators group, and then all the desired users can be made members
of this domain group. You can use the group "Domain Users" if you want
everyone included. Note that a normal user cannot add themselves to any
group, so a logon script would never work. A Startup script runs with
System privileges so it can add users to local groups. A sample VBScript
Startup script follows, where I add the domain group "MyGroup" to the
local Administrators group:
====================
Option Explicit
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup
' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"
' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
    & "/Administrators,group")
' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/MyGroup,group")
' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    ' Add the domain group to the local group.
    objLocalGroup.Add(objDomainGroup.AdsPath)
End If
' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
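
An added example, not part of the original thread or any poster's code: a PowerShell audit that lists the members of the local Administrators group and flags the broad principals discussed above ("Domain Users", "interactive"). It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the function names Get-BroadPrincipal and Get-LocalAdminFinding are hypothetical, and the sample SIDs at the end are constructed.

```powershell
# Well-known SIDs are matched instead of names so the check does not depend
# on the OS display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE (every locally logged-on user is admin)'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipal {
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is the domain SID followed by RID 513.
    # Assumption: any S-1-5-21-...-513 member seen here is a domain's
    # Domain Users group.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
        return 'Domain Users (any domain user can administer this machine remotely)'
    }
    return $null
}

function Get-LocalAdminFinding {
    # Resolve the Administrators group by its SID (S-1-5-32-544), not its name.
    $adminSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    foreach ($m in Get-LocalGroupMember -SID $adminSid) {
        $broad = Get-BroadPrincipal -Sid $m.SID.Value
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Sid      = $m.SID.Value
            Class    = $m.ObjectClass
            Finding  = if ($broad) { "BROAD: $broad" } else { 'review manually' }
        }
    }
}

# Constructed sample SIDs (not from a real domain) to exercise the classifier
# without touching a machine: Domain Users, INTERACTIVE, Domain Admins.
$sample = 'S-1-5-21-1111111111-2222222222-3333333333-513',
          'S-1-5-4',
          'S-1-5-21-1111111111-2222222222-3333333333-512'
$sample | ForEach-Object { '{0} -> {1}' -f $_, (Get-BroadPrincipal -Sid $_) }

# On a live machine, from an elevated prompt:
# Get-LocalAdminFinding | Where-Object Finding -like 'BROAD*' | Format-Table -AutoSize
```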