Solved

Create login script to make users local administrator

Posted on 2006-11-28
5
325 Views
Last Modified: 2012-05-05
I have a piece of software on a network that requires the user to be a local administrator. I already add network printers and shares for the when users login to the w2k3 domain through a login script. Is it possible to add some code that will make the user a local administrator? I have tried a few things I found on other ee questions but none have worked right for me.

thanks
0
Comment
Question by:DotFoil
  • 2
5 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18033002
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033388
I prefer Jay_Jay70's suggestion of Restricted Groups, but below is a little batch file I have used. Good option if you quickly want to add a few users from time to time.:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ 
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 10

Expert Comment

by:ryangorman
ID: 18035238
I don't like Restricted groups because "When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO.". This limits the usefulness of RG for me.

See http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21134622.html for SaintBA's VBS solution or use see my amendment of RobWill's batch file. Change set @User=Domain\Username to match your requirements.

:: Batch file to add specific username to local Administrators group for each computer in workstations.txt
Echo off
setlocal
CLS
set @User=Domain\Username

If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
for /f %%i in (workstations.txt) do call :parse %%i

goto end

:parse
Echo Add %@User% to %2 >>UserAdd.log
cusrmgr.exe -m \\%1 -alg "Administrators" -u "%@User%" >> UserAdd.log

:end
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18036833
Restricted groups has 2 options "members of this group" (normal) and "This group is a member of". The latter will allow you to add members to a local administrators group, where the former as suggested, will replace all existing members except the Administrator account.

Note: Be careful using restricted groups that you don't apply it to your domain controller, or if you do so be very careful as it is possible to lock yourself out, even as a domain administrator.

Some useful Restricted groups links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Dentrix G4 1 76
Event ID: 2005 / Source: Microsoft-Windows-PerfNet 4 105
Bizarre hard disk problem 15 132
domain controller migration seems succesful, however.... 9 75
So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question