Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Create login script to make users local administrator

Posted on 2006-11-28
5
Medium Priority
?
333 Views
Last Modified: 2012-05-05
I have a piece of software on a network that requires the user to be a local administrator. I already add network printers and shares for the when users login to the w2k3 domain through a login script. Is it possible to add some code that will make the user a local administrator? I have tried a few things I found on other ee questions but none have worked right for me.

thanks
0
Comment
Question by:DotFoil
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
5 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 2000 total points
ID: 18033002
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033388
I prefer Jay_Jay70's suggestion of Restricted Groups, but below is a little batch file I have used. Good option if you quickly want to add a few users from time to time.:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ 
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 10

Expert Comment

by:ryangorman
ID: 18035238
I don't like Restricted groups because "When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO.". This limits the usefulness of RG for me.

See http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21134622.html for SaintBA's VBS solution or use see my amendment of RobWill's batch file. Change set @User=Domain\Username to match your requirements.

:: Batch file to add specific username to local Administrators group for each computer in workstations.txt
Echo off
setlocal
CLS
set @User=Domain\Username

If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
for /f %%i in (workstations.txt) do call :parse %%i

goto end

:parse
Echo Add %@User% to %2 >>UserAdd.log
cusrmgr.exe -m \\%1 -alg "Administrators" -u "%@User%" >> UserAdd.log

:end
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18036833
Restricted groups has 2 options "members of this group" (normal) and "This group is a member of". The latter will allow you to add members to a local administrators group, where the former as suggested, will replace all existing members except the Administrator account.

Note: Be careful using restricted groups that you don't apply it to your domain controller, or if you do so be very careful as it is possible to lock yourself out, even as a domain administrator.

Some useful Restricted groups links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question