Re: XP users domain account to local admin group through script
- From: "Frodd" <Frodd@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Nov 2005 23:50:01 -0800
Thank you for you answer, Iíi check in to your suggestions.
Regards
/Fredrik
--
AD/Exchange admin, 2003.
"maximillianx" skrev:
> If talking about a particular 'logged on user' the problem with the startup
> script is that the currently logged on user isn't known yet to the system,
> but I can see how the groups by OU could work out (according to the JSI
> tip).
>
> Fredrik -
>
> You'd almost have to have some sort of regkey or file where computer
> ownership information would be stored (i.e. - 'user_a' = 'computer_a').
> Then, you could write your script so it could query the information for the
> assigned username and add it that way.
>
> Logon scripts would be a problem, since this type of action would require
> the exact administrative privileges that you were trying to grant in order
> to grant them. Remember that there is a difference between logon scripts
> (which occur AFTER the user logs in using the user's credentials) and
> startup scripts (which occur BEFORE the user logs in using the local system
> credentials).
>
> One alternative may be to use something like cpau.exe (create process as
> user), which you can create encoded .job files that contain proper
> credentials to perform administrative tasks. I don't know how secure this
> would be, really...but it is an option. However, that being said, I believe
> that you would have to log out and back in again to fully take advantage of
> the admin rights that you just applied.
>
> Myself, I'd lean toward updating the local system registry with some sort of
> 'owner' information where the userid would be stored. Then, when you run a
> startup script (not logon) prior to the user logon process, it could query
> this info and add the username to the local admin group before the user
> enters their credentials.
>
> Hope this helps,
> Rob
>
> "Jerold Schulman" <Jerry@xxxxxxxxxx> wrote in message
> news:f5ujn151buqbvif93cmueo6q8aitee11qj@xxxxxxxxxx
> >
> > Either do it in a Startup script,
> > or use tip 5319 » How do I create a global group, so that it is a member
> > of the local administrators group on all workstations and member servers,
> > by using group policy restricted groups?
> > in the 'Tips & Tricks' at http://www.jsifaq.com
> >
> >
> >
> >
> > On Tue, 15 Nov 2005 06:36:04 -0800, "Frodd"
> > <Frodd@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> >>Hi,
> >>I´m trying to place XP users domain account in the local administrators
> >>group through a login script in a GPO. There is some permission problem
> >>for
> >>the user to place their own user account in the local administrators group
> >>through the script. Is the anyone who can help me out to solve this
> >>issue?
> >>
> >>login script:
> >>
> >>Dim DomainName
> >>Dim objNet, strUserName
> >>Set objNet = CreateObject("Wscript.Network")
> >>strUserName =objNet.UserName
> >>Set net = WScript.CreateObject("WScript.Network")
> >>local = net.ComputerName
> >>DomainName = "business"
> >>set group = GetObject("WinNT://"& local &"/Administrators")
> >>on error resume next
> >>group.Add "WinNT://"& DomainName &"/"& strUserName &""
> >>CheckError
> >>sub CheckError
> >>if not err.number=0 then
> >>set ole = CreateObject("ole.err")
> >>MsgBox ole.oleError(err.Number), vbCritical
> >>err.clear
> >>else
> >>'MsgBox "Done."
> >>end if
> >>end sub
> >>
> >>Regards
> >>/Fredrik
> >
> > Jerold Schulman
> > Windows Server MVP
> > JSI, Inc.
> > http://www.jsiinc.com
> > http://www.jsifaq.com
>
>
>
.
- References:
- Re: XP users domain account to local admin group through script
- From: Jerold Schulman
- Re: XP users domain account to local admin group through script
- Prev by Date: [MSH] get-childitem - quick way to find/sort on number children
- Next by Date: Add computer name to text file
- Previous by thread: Re: XP users domain account to local admin group through script
- Next by thread: Re: Adding a field birthday to user template in AD
- Index(es):
Relevant Pages
|
