Re: Loginscript is lacking credentials.........

Hi Paul.
That is ofcourse the way to do it.
I totally forgot about that one.
Thanks a lot.

regards
Patrik

"Paul Bergson" wrote:

You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSi
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Patrik_L" <PatrikL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5C573B66-1095-46CC-B787-7AF8D18D8430@xxxxxxxxxxxxxxxx
Hi
In my loginscript, that I execute via GPO, I have code that adds a certain
domain group (admin group) to the local administrators group of the
underlying computer.

Now I have come to realize that, unless the user who is loggin on to the
machine is a member of the local administrators group him/herself, this
does
not work.
Hence, it appears that the login script is executed with the same
permissions as the user logging in!?

I was under the impressions that all GPO's ran with top admin credentials.
If this is not the case, how do I make the script run with admin
credetials ?

Thanks
Patrik




.

Relevant Pages

  • Re: Active Directory: General Access denied
    ... your account is not a member of the local Administrators group on one of the ... You can redirect the output of the script to a text file. ... the local Administrators group when the computer is joined to the domain. ... ' Adds the list of users from users.txt to the local admin group on ...
    (microsoft.public.scripting.vbscript)
  • Re: run script as local admin fails
    ... The problem i am seeing is I am logged in as a local admin and the local ... Logon as a member of the Domain Admins group. ... Admins is a member of the local Administrators group on all computers joined ... In order to bind to domain user objects, ...
    (microsoft.public.windows.server.scripting)
  • Re: Cant add domain administrator to directory users names
    ... > machine is definitely a member of the domain though. ... Maybe delete the machine account and rejoin the domain? ... domain_name\Domain Admins group to the local administrators group? ... I have local admin on my XP Professional machine through a domain ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Renamed local admin not enough rights
    ... The Domain Admins are member of the local administrators group. ... Indeed, if one logs on as a domain admin, no issues occur. ...
    (microsoft.public.win2000.active_directory)
  • RE: Windows 2000 security
    ... domain admin from doing anything), ... "Administrator" account of the windows domain of which a machine is a member ... Any security settings in a Windows 2000 domain are managed at the domain ...
    (Security-Basics)