Solved

Create login script to make users local administrator

Posted on 2006-11-28
5
322 Views
Last Modified: 2012-05-05
I have a piece of software on a network that requires the user to be a local administrator. I already add network printers and shares for the when users login to the w2k3 domain through a login script. Is it possible to add some code that will make the user a local administrator? I have tried a few things I found on other ee questions but none have worked right for me.

thanks
0
Comment
Question by:DotFoil
  • 2
5 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18033002
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033388
I prefer Jay_Jay70's suggestion of Restricted Groups, but below is a little batch file I have used. Good option if you quickly want to add a few users from time to time.:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ 
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 10

Expert Comment

by:ryangorman
ID: 18035238
I don't like Restricted groups because "When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO.". This limits the usefulness of RG for me.

See http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21134622.html for SaintBA's VBS solution or use see my amendment of RobWill's batch file. Change set @User=Domain\Username to match your requirements.

:: Batch file to add specific username to local Administrators group for each computer in workstations.txt
Echo off
setlocal
CLS
set @User=Domain\Username

If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
for /f %%i in (workstations.txt) do call :parse %%i

goto end

:parse
Echo Add %@User% to %2 >>UserAdd.log
cusrmgr.exe -m \\%1 -alg "Administrators" -u "%@User%" >> UserAdd.log

:end
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18036833
Restricted groups has 2 options "members of this group" (normal) and "This group is a member of". The latter will allow you to add members to a local administrators group, where the former as suggested, will replace all existing members except the Administrator account.

Note: Be careful using restricted groups that you don't apply it to your domain controller, or if you do so be very careful as it is possible to lock yourself out, even as a domain administrator.

Some useful Restricted groups links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now