swpa_wnt asked:

Local Admin rights with logon script

Does anyone know of a way to add a specific group to the local admin account on multiple user machines without granting the end user local admin rights? 99% of our users have had their local admin rights taken away. We did this for various reasons, one of which was that users kept removing the desktop admin accounts from the local admin group on their PCs. I fixed that with a simple logon script using (net localgroup administrators "mydomain\desktop admins" /add) in a GPO logon script I have. The problem I have now is that this doesn't work anymore since we've taken away the local admin rights of the users.

My question is this: I know I can add the same logon script as a GPO under the computer configuration so it will run at startup and bypass the required local admin credential issue. Is there any other way to do this? I'm asking because I don't want to move all my computer accounts to the various OUs I have set up in AD to make this work. Oh, and adding the group to each machine one at a time using Computer Management isn't a road I want to follow either.

Tags: Windows XP, Active Directory
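The point behind the question is a matter of security context: a GPO logon script runs with the logged-on user's token, so once users lose local admin rights the `net localgroup ... /add` call in it is denied, whereas a GPO startup script (Computer Configuration) runs as LocalSystem before anyone logs on and does not care who the user is. The following is an added example, not the asker's script or anything else from the original thread. It is an idempotent startup script that re-adds the domain group to the local Administrators group only when it is actually missing, and logs what it did. `MYDOMAIN`, `Desktop Admins` and the log path are placeholders.

```powershell
# Added example (not from the original thread): idempotent GPO startup script
# (Computer Configuration > Windows Settings > Scripts > Startup) that makes sure a
# domain group is a member of the local Administrators group. Startup scripts run
# as LocalSystem, so this works even though the logged-on users are not admins.
# 'MYDOMAIN' and 'Desktop Admins' are placeholder names; substitute your own.

$Domain    = 'MYDOMAIN'
$GroupName = 'Desktop Admins'
$LogFile   = Join-Path $env:SystemRoot 'Temp\EnsureLocalAdmins.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogFile -Append -Encoding ASCII
}

function Get-LocalAdministratorMembers {
    # Enumerate members through ADSI/WinNT so the script also runs on older clients
    # (XP/7) that lack the LocalAccounts cmdlets introduced with Windows 10.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in $group.Invoke('Members')) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # ADsPath looks like WinNT://MYDOMAIN/Desktop Admins; normalise to MYDOMAIN\Desktop Admins
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Ensure-LocalAdminMember([string]$Account) {
    $current = @(Get-LocalAdministratorMembers)
    if ($current -contains $Account) {            # -contains compares case-insensitively
        Write-Log "already present: $Account"
        return $true
    }
    # Check first instead of blindly calling /add: re-running 'net localgroup ... /add'
    # against an account that is already a member returns an error on every boot.
    $output = & net.exe localgroup Administrators "$Account" /add 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Log "added: $Account"
        return $true
    }
    Write-Log "FAILED to add $Account (exit $LASTEXITCODE): $output"
    return $false
}

Ensure-LocalAdminMember "$Domain\$GroupName" | Out-Null
```

Because the script runs at every boot, a user who removes the group again only wins until the next restart, and the log file shows which machines needed the repair. Keep the script in the GPO's own SYSVOL folder rather than on an arbitrary share: anything executed as LocalSystem on every PC is a supply-chain target, so only Domain Admins should be able to write to it.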

Last comment: Mike Kline, 8/22/2022 (Mon)

I would suggest using group policy to add users to the local "Power users" group instead of having any local admins.



I have the GPO ready to go with the startup script; I'm just hesitating to deploy it because I really don't want to move all those machines into all those different OUs. I may just create an OU called PCs and move them all into that and apply my policy there.

That would work just fine.

Hi there,
Did you see my last post explaining that you can just create a group?
Link the group to the GPO (I can show you how if you're not sure; it's very easy).
Put the machines you want to affect into the group. You can even put just 1 machine in to test first, then add more after.

The group can be anywhere you like, so it's not OU dependent.

Mike Kline

What Krys is describing is known as security filtering and, like he said, we can help with that.
If you feel more comfortable with your method, that works fine too for testing.
Either way, great job on testing first; you always want to do that with group policies.
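The security filtering Krys and Mike describe, written out as an added example in PowerShell (not code from the thread or from Experts Exchange). It assumes the GroupPolicy and ActiveDirectory RSAT modules on the admin workstation, a GPO that already carries the startup script, and the placeholder names `Ensure Desktop Admins`, `GPO-LocalAdminFix-Computers` and `PC001`. The essential step is the ACL change: Authenticated Users loses the Apply right (but keeps Read) and the computer group gains it, so the GPO can be linked once at the domain root and still reach only the machines in the group.

```powershell
# Added example, not from the original thread: security-filter the startup-script GPO
# to an AD group of computer accounts instead of moving machines between OUs.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) on the admin host and an
# existing GPO named below; all names are placeholders.

Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName       = 'Ensure Desktop Admins'          # GPO that carries the startup script
$FilterGroup   = 'GPO-LocalAdminFix-Computers'    # group the GPO is filtered to
$PilotComputer = 'PC001'                          # first machine to test on

# 1. The filtering group can live in any OU; only its membership matters.
if (-not (Get-ADGroup -Filter "Name -eq '$FilterGroup'")) {
    New-ADGroup -Name $FilterGroup -GroupScope Global -GroupCategory Security `
        -Description 'Computers that receive the Ensure Desktop Admins GPO'
}
Add-ADGroupMember -Identity $FilterGroup -Members (Get-ADComputer -Identity $PilotComputer)

# 2. Swap the default 'Authenticated Users: Read + Apply' for Read only, then grant
#    Apply to the filter group. Authenticated Users keeps Read because Group Policy
#    reads the GPO in the computer's context (MS16-072); only Apply is withdrawn.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Link once at the domain root; the filter, not OU placement, decides who applies it.
$domainDn = (Get-ADDomain).DistinguishedName
$alreadyLinked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 4. Review the resulting ACL before adding more computers to the group.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer's group memberships are fixed in its Kerberos ticket at boot, so after adding `PC001` to the group, restart it once before judging the test; `gpresult /r /scope computer` on the machine then lists the GPO under applied objects, or under denied objects with the reason "Security" if the filter does not match. Widen the group only after that check passes on the pilot machine.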