Ahmed Abdel Salam
asked on
Script to add local user to all domain pcs
I am looking for script to add local user to all machines under the domain.
(and setting is as computer startup script in GP)
You can use the restricted groups facility.
First create a security group and put the user(s) account in the group (this will make it easier to add or remove other users if needs change). Lect assume its called LAdmins
Either create ot modify a group policy (the default domain policy for example)
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group
Select the group name you want to restrict ie. (Administrators)
Select the group and add the LAdmins domain group/
Note you need to run gpupdate /force for the policy to be applied and users may need to log off/on for the polict to be applied.
First create a security group and put the user(s) account in the group (this will make it easier to add or remove other users if needs change). Lect assume its called LAdmins
Either create ot modify a group policy (the default domain policy for example)
Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group
Select the group name you want to restrict ie. (Administrators)
Select the group and add the LAdmins domain group/
Note you need to run gpupdate /force for the policy to be applied and users may need to log off/on for the polict to be applied.
In addition to KCTS: Please note that this procedure overwrites the former members of the group, so make sure that you don't miss users.
I recommend pjasnos solution but look at the syntax, it should be net localgroup. net help localgroup will help you.
I recommend pjasnos solution but look at the syntax, it should be net localgroup. net help localgroup will help you.
ASKER
I think there is some miss understanding in quoestion. I would like to add user called 123 as a local user (member of local users group) on 200 pcs under my domain network .
I would like to this through scrript or GP so no need to go for each pc and do it manualy
also it will be very good if I can make this user can't change his password
I would like to this through scrript or GP so no need to go for each pc and do it manualy
also it will be very good if I can make this user can't change his password
The method I suggested (restricted groups) can do this. If you use a GPO it applies to all machines.
However, as with all these things its NOT good practive to give these rights to a user, put the user in a group, and then give the rights to the group - even if there is only one user in the group to begin with - it makes its easier to change/remove/add users later on if needs be.
See http://support.microsoft.com/kb/810076
However, as with all these things its NOT good practive to give these rights to a user, put the user in a group, and then give the rights to the group - even if there is only one user in the group to begin with - it makes its easier to change/remove/add users later on if needs be.
See http://support.microsoft.com/kb/810076
:: ================
:: READ THIS FIRST
:: ================
:: * You need to have Administrative rights to run this script
:: * This script require "Computers.txt" file from where it will pick computer names.
:: * This script requires "PSExec.exe" (comes with PSTools) to execute bat file on remote system.
:: - Download it from Microsoft site
:: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
:: * You need to set 'UserName' and 'UserPassword' variables inside the script
:: - Like:
:: SET UserName=FKazi
:: SET UserPassword=P@ssw0rd
:: * Copy and Paste following script into notepad and save it with any name having .cmd extension.
:: SCRIPT START
@ECHO OFF
SETLOCAL EnableDelayedExpansion
:: Following variables required to set with actual values
SET UserName=FKazi
SET UserPassword=MyPassword
ECHO NET USER "%UserName%" "%UserPassword%" /ADD 2^>NUL^>NUL>UserInfo.cmd
ECHO NET LOCALGROUP Administrators "%UserName%" /ADD 2^>NUL^>NUL>>UserInfo.cmd
IF NOT EXIST Computers.txt Goto ShowErr
FOR %%R IN (Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
FOR /F %%c IN ('Type Computers.txt') Do (
IF /I NOT "%%c"=="!COMPUTERNAME!" (
Echo Processing: %%c
PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
IF NOT ErrorLevel 1 (
COPY /Y UserInfo.cmd \\%%c\C$\ >NUL
PSExec \\%%c C:\UserInfo.cmd >NUL
IF EXIST \\%%c\C$\UserInfo.cmd DEL /F /Q \\%%c\C$\UserInfo.cmd
)ELSE (Echo %%c: Unable to connect)
)ELSE (ECHO Skipping: %%c)
)
Goto EndScript
:ShowErr
Echo "Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST UserInfo.cmd DEL /F /Q UserInfo.cmd
ENDLOCAL
EXIT /B 0
:: SCRIPT END
:: READ THIS FIRST
:: ================
:: * You need to have Administrative rights to run this script
:: * This script require "Computers.txt" file from where it will pick computer names.
:: * This script requires "PSExec.exe" (comes with PSTools) to execute bat file on remote system.
:: - Download it from Microsoft site
:: http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
:: * You need to set 'UserName' and 'UserPassword' variables inside the script
:: - Like:
:: SET UserName=FKazi
:: SET UserPassword=P@ssw0rd
:: * Copy and Paste following script into notepad and save it with any name having .cmd extension.
:: SCRIPT START
@ECHO OFF
SETLOCAL EnableDelayedExpansion
:: Following variables required to set with actual values
SET UserName=FKazi
SET UserPassword=MyPassword
ECHO NET USER "%UserName%" "%UserPassword%" /ADD 2^>NUL^>NUL>UserInfo.cmd
ECHO NET LOCALGROUP Administrators "%UserName%" /ADD 2^>NUL^>NUL>>UserInfo.cmd
IF NOT EXIST Computers.txt Goto ShowErr
FOR %%R IN (Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
FOR /F %%c IN ('Type Computers.txt') Do (
IF /I NOT "%%c"=="!COMPUTERNAME!" (
Echo Processing: %%c
PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
IF NOT ErrorLevel 1 (
COPY /Y UserInfo.cmd \\%%c\C$\ >NUL
PSExec \\%%c C:\UserInfo.cmd >NUL
IF EXIST \\%%c\C$\UserInfo.cmd DEL /F /Q \\%%c\C$\UserInfo.cmd
)ELSE (Echo %%c: Unable to connect)
)ELSE (ECHO Skipping: %%c)
)
Goto EndScript
:ShowErr
Echo "Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST UserInfo.cmd DEL /F /Q UserInfo.cmd
ENDLOCAL
EXIT /B 0
:: SCRIPT END
ASKER
KCTS
is it possible to make this user member of local users only not a member of local administrators? and is it possible to apply you method incase this user is not a dmonain user ?
please explain in more details how to do it.
is it possible to make this user member of local users only not a member of local administrators? and is it possible to apply you method incase this user is not a dmonain user ?
please explain in more details how to do it.
KCTS, the restricted group method won't create any local group, nor any local user, will it? At least it doesn't in a win2k domain. The users and groups have to exist locally prior to configuring them through restricted groups. Or how do you do it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Forced accept.
modus_operandi
EE Moderator
modus_operandi
EE Moderator
net user %COMPUTERNAME%\user password /ADD
?