Re: Domain user to local administrators group





Richard Mueller [MVP] <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote:
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:udvAj7RQKHA.3876@xxxxxxxxxxxxxxxxxxxxxxx
alimk <alimk.3z507c@xxxxxxxxxxxxx> wrote:
Hi Everyone,

I need a VB Script for adding domain users to be a member of local
administrators group.

Thanks in Advance.

Why does it especially need to be vbscript? A simple batch file
startup script in a GPO will do this. My advice would be to set up a
universal security group called LocalAdmin in AD. Add the users you
wish to it. Use this in a batch file assigned as a startup script via
GPO...

net localgroup administrators DOMAIN\localadmin /add

I would recommend that this not be done in a logon script,

Nor I - that's why I suggested a startup script. Users will never see it.
(and this wouldn't work in a login script anyway because it would run in the
user context, and require that the user have admin rights). It isn't the
most elegant solution, but it sure is simple.

whether batch file or VBScript, because normal users should not have
permission and administrator credentials should not be exposed in a
logon script. Also, if done in a logon script the task can be
repeated over and over, and yet you don't know when the task is
complete for each computer.

Yes, true for a startup script as well, but this is such a simple thing that
it doesn't hurt anything to re-add. The only thing that will happen when you
run the command is that it will say (not visible to anyone) that the group
is already a member of the group, and move on. It takes no time at all. And
it ensures that any new PC added to the domain will get this setting.

The VBScript program has the advantage of
checking first to see if the user/group needs to be added, but unless
it logs to a shared file, you still don't know when the task is
complete.
Better is to add the user or group to the local Administrators group
remotely yourself. The VBScript example I posted can be run remotely,
as long as the person is a member of the Domain Admins group, which
by default should be a member of the local Administrators group for
all computers joined to the domain. You could code a script to do
this in bulk for all computers, or computer names read from a text
file.
An even better solution is to use the Restricted Groups feature of
Group Policy. Again, a domain group should be added to all local
Administrators groups, so it can be managed easily in AD. See these
links for details:

Yes, that's a very good option. The reason I don't generally use it is that I
sometimes want different PCs to have different local group membership.

http://support.microsoft.com/kb/279301

http://technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

http://support.microsoft.com/kb/810076

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net

BTW, I generally bow before your scripting prowess, you know. :-)
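
Added example, not code from any poster in this thread: a PowerShell take on the startup-script approach discussed above that checks membership first, adds the domain group only when needed, and records the outcome to a share so completion per computer is visible. The share `\\FILESERVER\AdminLog$` is a hypothetical name (it must be writable by the computer accounts), `DOMAIN\LocalAdmin` follows the group name used in the thread, and the `Microsoft.PowerShell.LocalAccounts` cmdlets (Windows PowerShell 5.1 or later) are assumed to be available.

```powershell
# Runs as SYSTEM when assigned as a GPO computer startup script.
# Assumptions (hypothetical names): DOMAIN\LocalAdmin group, \\FILESERVER\AdminLog$ share.
$Member   = 'DOMAIN\LocalAdmin'
$AdminSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators (name varies by locale)
$LogDir   = '\\FILESERVER\AdminLog$'
# One log file per computer avoids write contention between machines booting together.
$LogFile  = Join-Path $LogDir "$env:COMPUTERNAME.log"

function Write-Result {
    param([string]$Status, [string]$Detail = '')
    $line = '{0},{1},{2},{3},{4}' -f (Get-Date -Format o), $env:COMPUTERNAME, $Member, $Status, $Detail
    try {
        Add-Content -Path $LogFile -Value $line -ErrorAction Stop
    } catch {
        # Share unreachable: keep a local record so the result is not lost.
        Add-Content -Path (Join-Path $env:SystemRoot 'Temp\localadmin.log') -Value $line
    }
}

try {
    # Check first, so the log distinguishes "added now" from "already done".
    $current = Get-LocalGroupMember -SID $AdminSid -ErrorAction Stop
    if ($current.Name -contains $Member) {      # -contains is case-insensitive
        Write-Result -Status 'AlreadyMember'
    } else {
        Add-LocalGroupMember -SID $AdminSid -Member $Member -ErrorAction Stop
        Write-Result -Status 'Added'
    }
    # Record the full membership so unexpected local administrators can be reviewed centrally.
    $all = (Get-LocalGroupMember -SID $AdminSid -ErrorAction Stop).Name -join ';'
    Write-Result -Status 'Members' -Detail $all
} catch {
    Write-Result -Status 'Error' -Detail $_.Exception.Message
    exit 1
}
```

Because the script runs in the computer context, no administrator credentials are stored in it, and the `Members` lines give a per-machine inventory of local Administrators that can be compared against what is expected.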



