Re: Add users to local admin via login script
- From: "Oli Restorick [MVP]" <oli@xxxxxxxx>
- Date: Mon, 6 Feb 2006 22:19:42 -0000
Hi Richard
I don't know how you'd do this in the world of VBscript, but under the good
old command prompt, the following line will do it.
net localgroup administrators interactive /add
Cheers
Oli
"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:Oym%23j7sKGHA.216@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
You are correct, a user cannot add themselves to any group. Also, when a
startup script runs, there is no user.
Logon scripts run with the permissions of the user. A logon script cannot be
used to add the user to a local group, unless you use alternate credentials,
which reveals the administrator password. Startup scripts run with System
permissions (on the computer), so a Startup script can add users to local
groups. However, there is no user when the Startup script runs. Also, adding
individual domain users to local groups makes management difficult.
The suggested solution is to use a Startup script to add a domain group to
the local group. This only has to be done once per computer. Thereafter you
can manage membership in the domain group and never have to touch the
computers again.
As noted, if you make everyone administrator on every computer, they can
remotely administer other computers. I agree that even domain administrators
should not log on with administrative credentials unless they are doing admin
work. Everyone in a network should log on with the minimum credentials
required.
I like the idea of making the implicit group Interactive a member of the
local Administrators group. I admit to not knowing how to bind to the
Interactive group, so I don't know how to add it to a local group.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
"Space Junk" <SpaceJunk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E4105B99-A151-416E-9890-F5B1C0262300@xxxxxxxxxxxxxxxx
Also, how is the startup script going to add the user to the local admin
group, if that user does not have permission to add people to that group.
I have already tried running a batch using the %username% value and trying
the runas.exe command tool, but that in turn adds the user account for the
user that is authenticating to the runas.exe program.
"Herb Martin" wrote:
"Space Junk" <SpaceJunk@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C2918093-AC1E-47A7-A5F0-C68F24965DE8@xxxxxxxxxxxxxxxx
Is it possible to somehow add the user logging in to the local admin group
of that box?
Sure. You can run a Startup script to do it.
Or you can use a Group Policy to set up a (local) Restricted
Group -- the trick to this one is to set up the GPO while using
the tools (GPEdit or GP Management) ON A WinXP box (or
Win2000 non-DC).
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
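Added example, not part of any poster's message: a check that parses captured `net localgroup administrators` output and flags members, such as the Interactive group discussed above, that make every logged-on user a local administrator. It assumes English-language command output; the CONTOSO domain and the sample output are constructed.

```python
# Added example (not from the thread): flag over-broad members of the local
# Administrators group in captured `net localgroup administrators` output.
# Assumes English-language output; group names differ on localized Windows.

# Principals that cover every (or nearly every) user who can log on.
BROAD_PRINCIPALS = {
    "everyone", "builtin\\users",
    "nt authority\\interactive", "nt authority\\authenticated users",
}
FOOTER = "The command completed"


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = len(line) > 3 and set(line) == {"-"}
            continue
        if line.startswith(FOOTER):
            break
        if line:
            members.append(line)
    return members


def broad_members(output):
    """Members that turn all interactive or all domain users into admins."""
    flagged = []
    for name in parse_members(output):
        lowered = name.lower()
        if lowered in BROAD_PRINCIPALS or lowered.endswith("\\domain users"):
            flagged.append(name)
    return flagged


# Constructed sample output; the CONTOSO domain is made up.
SAMPLE = """\
Alias name     administrators

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\\Domain Admins
NT AUTHORITY\\INTERACTIVE
The command completed successfully.
"""
for name in broad_members(SAMPLE):
    print("over-broad local admin:", name)
```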