Solved

Create login script to make users local administrator

Posted on 2006-11-28
5
317 Views
Last Modified: 2012-05-05
I have a piece of software on a network that requires the user to be a local administrator. I already add network printers and shares for the when users login to the w2k3 domain through a login script. Is it possible to add some code that will make the user a local administrator? I have tried a few things I found on other ee questions but none have worked right for me.

thanks
0
Comment
Question by:DotFoil
  • 2
5 Comments
 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
Comment Utility
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I prefer Jay_Jay70's suggestion of Restricted Groups, but below is a little batch file I have used. Good option if you quickly want to add a few users from time to time.:

Copy from the Windows 2000 Resource Kit or from http://www.activexperts.com/activmonitor/windowsmanagement/reskit2000/
the file cusrmgr.exe and put it in a folder of your choice. I recommend doing this from the domain controller but works from any workstation in the domain so long as you are logged in as a domain admin.
In the same folder create a batch file named Add.bat and insert the text below;
==========================================================================

:: Batch file to add username %1 to local Administrators group on Computer %2
Echo off
CLS
If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
Echo Add %1 to %2 >>UserAdd.log
cusrmgr.exe -m \\%2 -alg "Administrators" -u %1 >> UserAdd.log

==========================================================================
Now simply run by going to a command prompt. Change to the directory where you put your files and enter:
   Add username computername
You can substitute groupname for username. If there is a space such as Domain Users enclose in quotes: "Domain Users"
I thought the username had to be in username@domain.local but the basic name seems to work fine, if you have problems use the long form. No "\\" are necessary for the computername.
It will also create a log file named UserAdd.log where you can check for success or errors.
0
 
LVL 10

Expert Comment

by:ryangorman
Comment Utility
I don't like Restricted groups because "When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO.". This limits the usefulness of RG for me.

See http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21134622.html for SaintBA's VBS solution or use see my amendment of RobWill's batch file. Change set @User=Domain\Username to match your requirements.

:: Batch file to add specific username to local Administrators group for each computer in workstations.txt
Echo off
setlocal
CLS
set @User=Domain\Username

If Exist UserAdd.log GoTo START
Echo Results from Add.bat > UserAdd.log
Echo Note: "Failure" usually indicates user/group etc. already exists in local group >> UserAdd.log
Echo       "Can not get SID" usually indicates Computer name is wrong or unavailable >> UserAdd.log
:START
Echo. >>UserAdd.log
for /f %%i in (workstations.txt) do call :parse %%i

goto end

:parse
Echo Add %@User% to %2 >>UserAdd.log
cusrmgr.exe -m \\%1 -alg "Administrators" -u "%@User%" >> UserAdd.log

:end
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Restricted groups has 2 options "members of this group" (normal) and "This group is a member of". The latter will allow you to add members to a local administrators group, where the former as suggested, will replace all existing members except the Administrator account.

Note: Be careful using restricted groups that you don't apply it to your domain controller, or if you do so be very careful as it is possible to lock yourself out, even as a domain administrator.

Some useful Restricted groups links:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx   <READ CAUTION SEGMENT>
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_res_group.mspx
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://www.msresource.net/content/view/45/47
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now