Re: User type

From: "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx>
Date: Fri, 7 Oct 2005 09:26:33 -0400

This does help Mike - thanks

I still have to go to each workstation and add the BAT file to the startup.

I was hoping to avoid that.

"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:OrOSjoJyFHA.3624@xxxxxxxxxxxxxxxxxxxxxxx
> If the computer is member of domain then you should use domain user
> accounts. You could create new domain user account that is not member of
> Domain Administrators group (actually you only leave it in default
> group -- Domain User). Add this computer account to new domain group
> called e.g. "Local Admins"
>
> After you have this account and group created you can write a short script
> that will add "Local Admins" group to the "Administrators" group in local
> administrator and make your users local administrators. The script can be
> something like this:
>
> net localgroup administrators "Domain\Local Admins" /add
>
> Replace Domain with netbios name of domain where and Local_Admins is
> domain group where your users who need to be local admins are located. Put
> above command in batch file and run it as startup script (not logon
> script) using your Active Directory. This way you don't have to go from
> computer to computer to make changes to your PCs. After restart of your
> domain computers above script will run and add domain group to local
> Administrators group and your users will have administrative permissions
> on every computer in domain where script run.
>
> I hope this helps,
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
> news:ecqnBbtwFHA.1028@xxxxxxxxxxxxxxxxxxxxxxx
>>I want them to authenticate from a client computer (local) and have admin
>>rights on that.
>>
>> They have romaing profiles.
>>
>>
>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>> news:OkTmex6vFHA.3300@xxxxxxxxxxxxxxxxxxxxxxx
>>> OK lets go back a bit. Where would you like them to be Administrators
>>> (e.g. on their own PCs) and what tasks do they need to perform.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>>
>>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>>> news:OCuz7E4vFHA.1716@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Ok - I'm confused.
>>>>
>>>> Are you telling me to create the Local_Admins folder on the domain (as
>>>> a domain group) under active directory and then go to each computer
>>>> aand add the startup command line to the local policy?
>>>>
>>>> or
>>>>
>>>> Do I do it all on the local computer/client?
>>>>
>>>> I was hoping for a simple - one step for all- solution. I am constantly
>>>> changing the users in this group.
>>>>
>>>> thx
>>>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>>>> news:%23DWLxbDnFHA.3256@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> Hi,
>>>>>
>>>>> If you would like to make a group of users only local administrators
>>>>> on the computers in e.g. domain then add domain group with these yours
>>>>> that you created to Local Administrators group on the computers. You
>>>>> can do it manually or using script
>>>>>
>>>>> The way I usually do it is by using a script like this
>>>>>
>>>>> net localgroup administrators "Domain\Local_Admins" /add
>>>>>
>>>>> Replace Domain with netbios name of domain where and Local_Admins is
>>>>> domain group where your users who need to be local admins are located.
>>>>> Put above command in batch file and run it as startup script (not
>>>>> logon script).
>>>>>
>>>>> This will make members of Local_Admins group local administrators on
>>>>> the computers where script will run, while they won't be domain
>>>>> administrators.
>>>>>
>>>>> I hope it helps you out,
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>>
>>>>> "John Leonard - Sage" <sagegrp@xxxxxxxxxxxx> wrote in message
>>>>> news:OG93AtBnFHA.3448@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>> How do I setup a group of users, to be administrators, without adding
>>>>>> them to the Domanin Admin group?
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>

.

Follow-Ups:
- Re: User type
  - From: John Leonard - Sage

References:
- Re: User type
  - From: Miha Pihler [MVP]

Prev by Date: Re: IP Routing Issue
Next by Date: Unattended Installation of Windows 2003
Previous by thread: Re: User type
Next by thread: Re: User type
Index(es):
- Date
- Thread

Relevant Pages

Re: How to determine if logged on user is an Administrator?
... I have a sample VBScript program to determine if a domain user is a member ... the local Administrators group has not been renamed. ... can silently fail and exit the script. ...
(microsoft.public.scripting.vbscript)
Add domain account to local administrators
... A Script that will add a logged in domain user to local administrators group ...
(microsoft.public.scripting.vbscript)
Re: Identifying the User Logged on to a Remote Computer - not always working
... Torgeir, thanks for your reply. ... Otherwise the script would be useless to me since all of our users are not ... administrators. ... >> null as answer even though a domain user is logged on. ...
(microsoft.public.windows.server.scripting)
Adding a domain user to the local Administrators Group
... Does anyone know if there is a way to add a domain user to the local ... Administrators group using a script? ... The following script works if the user ... Mike A. ...
(microsoft.public.scripting.vbscript)
Re: scripting help needed
... This cannot be done in a logon script, as the user does not have permission ... Dim strDomain, objNetwork, strComputer ... ' Retrieve NetBIOS name of local computer. ... ' Bind to domain user with same name as NetBIOS name of computer. ...
(microsoft.public.windows.server.scripting)