Avatar of swpa_wnt
Flag for United States of America

asked on 

Local Admin rights with logon script

Does anyone know of a way to add a specific group to the local admin account of multiple user machines which do not grant the end user local admin rights.  99% of our users have had their local admin rights taken away. We did this for varioius reasons. One of which was users kept removing the desktop admin accounts from the local admin group on their PC. I fixed that with a simple logon script using (net localgroup administrators "mydomain\desktop admins" /add) to a GPO logon script I have. The problem I have now is that this doesn't work anymore since we've taken away the local admin rights of the users.

My question is this. I know I can add the same logon script as a GPO under the computer configuration so it will run at startup and bypass the required local admin credential issue. Is there any other way to do this ? I'm asking because I don't want to move all my computer accounts to the various OU's I have setup in AD to make this work.  Oh, and adding the group to each machine one at a time using the computer manager isn't a road I want to follow either.

Windows XPActive Directory

Avatar of undefined
Last Comment
Mike Kline

8/22/2022 - Mon