Solved

Create login script to make users local administrator

Posted on 2006-11-28
Last Modified: 2012-05-05
I have a piece of software on a network that requires the user to be a local administrator. I already add network printers and shares for the users when they log in to the w2k3 domain through a login script. Is it possible to add some code that will make the user a local administrator? I have tried a few things I found on other ee questions but none have worked right for me.

thanks
Question by:DotFoil
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 18033002
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18033388
I prefer Jay_Jay70's suggestion of Restricted Groups, but below is a little batch file I have used. Good option if you quickly want to add a few users from time to time:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/ 
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller, but it works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below:
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 10

Expert Comment

by:ryangorman
ID: 18035238
I don't like Restricted groups because "When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO.". This limits the usefulness of RG for me.

See http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21134622.html for SaintBA's VBS solution or see my amendment of RobWill's batch file. Change set @User=Domain\Username to match your requirements.

:: Batch file to add specific username to local Administrators group for each computer in workstations.txt
Echo off
setlocal
CLS
set @User=Domain\Username

If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
for /f %%i in (workstations.txt) do call :parse %%i

goto end

:parse
:: %1 is the computer name passed in by "call :parse %%i"
Echo Add %@User% to %1 >>UserAdd.log
cusrmgr.exe -m \\%1 -alg "Administrators" -u "%@User%" >> UserAdd.log

:end
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18036833
Restricted groups has 2 options: "members of this group" (normal) and "This group is a member of". The latter will allow you to add members to a local administrators group, where the former, as suggested, will replace all existing members except the Administrator account.

Note: Be careful using restricted groups that you don't apply it to your domain controller, or if you do so be very careful as it is possible to lock yourself out, even as a domain administrator.

Some useful Restricted groups links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47
0
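
Added example, not part of any post in this thread: a PowerShell audit that reads the same workstations.txt used above and lists who is in each machine's local Administrators group, so additions made by the batch files or by Restricted Groups can be checked against an allow-list. The allow-list entries and the LocalAdminAudit.csv output name are assumptions; replace the placeholders with your own accounts.

```powershell
# Added example: audit local Administrators membership per computer in workstations.txt.
# Assumption: the allow-list below holds placeholders, not values from the thread.
$Allowed = @(
    'Administrator',            # built-in local account, matched by bare name
    'EXAMPLE\Domain Admins',    # placeholder domain group
    'EXAMPLE\Username'          # placeholder for the account the batch file adds
)

function Get-LocalAdminMember {
    param([Parameter(Mandatory)][string]$Computer)
    # The WinNT ADSI provider queries remote machines without PowerShell remoting.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name
        $parts = ($path -replace '^WinNT://', '') -split '/'
        [pscustomobject]@{
            Computer = $Computer
            Name     = $parts[-1]
            Account  = ($parts | Select-Object -Last 2) -join '\'
        }
    }
}

function Test-AllowedMember {
    param($Member, [string[]]$AllowList)
    # Domain principals must match DOMAIN\name; local accounts may match by bare name.
    ($AllowList -contains $Member.Account) -or
        (($Member.Account -like "$($Member.Computer)\*") -and ($AllowList -contains $Member.Name))
}

# Fall back to the local machine when workstations.txt is not present.
$computers = @(if (Test-Path workstations.txt) { Get-Content workstations.txt } else { $env:COMPUTERNAME }) |
    ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($c in $computers) {
    try {
        Get-LocalAdminMember -Computer $c |
            Select-Object Computer, Account, @{ n = 'Allowed'; e = { Test-AllowedMember $_ $Allowed } }
    } catch {
        # Unreachable or misnamed computers are reported instead of silently skipped.
        [pscustomobject]@{ Computer = $c; Account = "ERROR: $($_.Exception.Message)"; Allowed = $false }
    }
}
$report | Sort-Object Allowed, Computer | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation LocalAdminAudit.csv
```

Rows with Allowed = False sort first; run it as an account with administrative rights on the target machines.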
