Re: Loginscript is lacking credentials.........

You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Patrik_L" <PatrikL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5C573B66-1095-46CC-B787-7AF8D18D8430@xxxxxxxxxxxxxxxx
Hi
In my loginscript, that I execute via GPO, I have code that adds a certain
domain group (admin group) to the local administrators group of the
underlying computer.

Now I have come to realize that, unless the user who is loggin on to the
machine is a member of the local administrators group him/herself, this
does
not work.
Hence, it appears that the login script is executed with the same
permissions as the user logging in!?

I was under the impressions that all GPO's ran with top admin credentials.
If this is not the case, how do I make the script run with admin
credetials ?

Thanks
Patrik



.

Relevant Pages

  • Re: Remote Desktop rights to Member Servers via GPO
    ... of this group and adds your domain group via the net localgroup /add ... My understanding of Restricted groups is that the GPO will ... SP4 or better Active Directory Domain + Member servers, ...
    (microsoft.public.windows.server.active_directory)
  • help with use of restricted groups and individual rights assigment
    ... accounts to admin group on the workstations. ... How do i continue using GPO restricted groups but separately grant ...
    (microsoft.public.win2000.group_policy)
  • Re: help with use of restricted groups and individual rights assigment
    ... >accounts to admin group on the workstations. ... >How do i continue using GPO restricted groups but separately grant ...
    (microsoft.public.win2000.group_policy)
  • Re: Help on Restricting Users
    ... Take a look at the 'Restricted Groups' GPO. ... Remember that, by default, the group 'Domain Users' is a member of the local ... 'Users' group on all of the computers. ... If you decide to use the Restricted Groups GPO (which I would highly ...
    (microsoft.public.win2000.active_directory)
  • Re: Restricted Groups not taking effect right away
    ... in the GPO restricted group: ... I created a GPO that adds the "NL7Pilot" group as a member of the Local ... Administrators group through Restricted Groups, ...
    (microsoft.public.win2000.group_policy)
Loading