Ahmed Abdel Salam

asked on

Script to add local user to all domain pcs

I am looking for a script to add a local user to all machines under the domain.
pjasnos

tried:

net user %COMPUTERNAME%\user password /ADD

?
(and setting it as a computer startup script in GP)
Brian Pierce
You can use the restricted groups facility.
First create a security group and put the user account(s) in the group (this will make it easier to add or remove other users if needs change). Let's assume it's called LAdmins.

Either create or modify a group policy (the default domain policy, for example).

Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups, and then click Add Group.

Select the group name you want to restrict, i.e. (Administrators).

Select the group and add the LAdmins domain group.

Note you need to run gpupdate /force for the policy to be applied, and users may need to log off/on for the policy to be applied.
In addition to KCTS: Please note that this procedure overwrites the former members of the group, so make sure that you don't miss users.
I recommend pjasnos' solution, but look at the syntax: it should be net localgroup. net help localgroup will help you.
Ahmed Abdel Salam

ASKER

I think there is some misunderstanding of the question. I would like to add a user called 123 as a local user (member of the local Users group) on 200 PCs under my domain network.
I would like to do this through a script or GP, so there is no need to go to each PC and do it manually.
Also, it would be very good if I can make this user unable to change his password.
The method I suggested (restricted groups) can do this. If you use a GPO it applies to all machines.

However, as with all these things, it's NOT good practice to give these rights to a user. Put the user in a group, and then give the rights to the group. Even if there is only one user in the group to begin with, it makes it easier to change/remove/add users later on if need be.

See http://support.microsoft.com/kb/810076
:: ================
:: READ THIS FIRST
:: ================
:: * You need to have Administrative rights to run this script
:: * This script requires a "Computers.txt" file from which it will pick computer names.
:: * This script requires "PSExec.exe" (comes with PSTools) to execute bat file on remote system.
::     - Download it from Microsoft site
::       http://www.microsoft.com/technet/sysinternals/utilities/psexec.mspx
:: * You need to set 'UserName' and 'UserPassword' variables inside the script
::    - Like:
::              SET UserName=FKazi
::              SET UserPassword=P@ssw0rd
:: * Copy and Paste following script into notepad and save it with any name having .cmd extension.
:: SCRIPT START
@ECHO OFF
SETLOCAL EnableDelayedExpansion

:: The following variables must be set to actual values
SET UserName=FKazi
SET UserPassword=MyPassword

ECHO NET USER "%UserName%" "%UserPassword%" /ADD 2^>NUL^>NUL>UserInfo.cmd
ECHO NET LOCALGROUP Administrators "%UserName%" /ADD 2^>NUL^>NUL>>UserInfo.cmd
IF NOT EXIST Computers.txt Goto ShowErr
FOR %%R IN (Computers.txt) Do IF %%~zR EQU 0 Goto ShowErr
FOR /F %%c IN ('Type Computers.txt') Do (
      IF /I NOT "%%c"=="!COMPUTERNAME!" (
            Echo Processing: %%c
            PING -n 1 -w 1000 %%c|Find /I "TTL" >NUL
            IF NOT ErrorLevel 1 (
                  COPY /Y UserInfo.cmd \\%%c\C$\ >NUL
                  PSExec \\%%c C:\UserInfo.cmd >NUL
                  IF EXIST \\%%c\C$\UserInfo.cmd DEL /F /Q \\%%c\C$\UserInfo.cmd
            )ELSE (Echo %%c: Unable to connect)
      )ELSE (ECHO Skipping: %%c)
)      
Goto EndScript
:ShowErr
Echo "Computers.txt" file does not exist or file is empty!
:EndScript
IF EXIST UserInfo.cmd DEL /F /Q UserInfo.cmd
ENDLOCAL
EXIT /B 0
:: SCRIPT END
KCTS,
is it possible to make this user a member of local Users only, not a member of local Administrators? And is it possible to apply your method in case this user is not a domain user?
Please explain in more detail how to do it.
KCTS, the restricted group method won't create any local group, nor any local user, will it? At least it doesn't in a win2k domain. The users and groups have to exist locally prior to configuring them through restricted groups. Or how do you do it?
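Added example (not part of any post in this thread): a computer startup script of the kind pjasnos suggested, creating the local account 123 from the question as a member of the local Users group only, with password changes disabled. The password value, the log path and the English group name are assumptions. A startup script is stored in SYSVOL, which domain users can read, so a password embedded in it is visible to them.

```batch
@ECHO OFF
SETLOCAL
:: Added example: computer startup script (runs as SYSTEM on each PC it applies to).
:: Assumptions: English group name "Users", constructed placeholder password,
:: hypothetical log path. Link the GPO to workstation OUs only: on a domain
:: controller NET USER would create a domain account instead of a local one.
SET "LocalUser=123"
SET "LocalPass=Placeholder-1"
SET "LogFile=%SystemRoot%\Temp\AddLocalUser.log"

:: NET USER <name> returns a non-zero errorlevel when the account does not exist,
:: so the account is created once and later boots skip straight to the group check.
NET USER "%LocalUser%" >NUL 2>&1
IF NOT ERRORLEVEL 1 GOTO EnsureGroup

:: /PASSWORDCHG:NO stops the user from changing the password.
NET USER "%LocalUser%" "%LocalPass%" /ADD /PASSWORDCHG:NO >NUL 2>&1
IF ERRORLEVEL 1 (
    >>"%LogFile%" ECHO %DATE% %TIME% %COMPUTERNAME%: could not create "%LocalUser%"
    EXIT /B 1
)
>>"%LogFile%" ECHO %DATE% %TIME% %COMPUTERNAME%: created "%LocalUser%"

:EnsureGroup
:: Local Users only; nothing here touches Administrators. The add fails
:: harmlessly when the account is already a member, so the result is ignored.
NET LOCALGROUP Users "%LocalUser%" /ADD >NUL 2>&1
ENDLOCAL
EXIT /B 0
```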
ASKER CERTIFIED SOLUTION
McKnife
Forced accept.
modus_operandi
EE Moderator