Solved

How do I make everyone a local administrator on every PC on our network?

Posted on 2009-04-10
13
875 Views
Last Modified: 2012-06-21
i need to make everyone who logs into any of our 250 PC's a local administrator.  Which is the best way to do that through VBS or a batch file?  Thanks
0
Comment
Question by:TriCountyIT
13 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 24118216
http://www.msfn.org/board/lofiversion/index.php/t72395.html details how to accomplish this, but I must say I wouldn't recommend it.
What are you trying to accomplish that causes you to want this?
0
 
LVL 38

Accepted Solution

by:
Shift-3 earned 500 total points
ID: 24118226
You could use the command net localgroup administrators /add interactive in a startup script under the group policy node Computer Configuration\Windows Settings\Scripts\Startup.  This gives administrator rights to anybody who logs onto the machine interactively, but not to users who connect to it over the network.

You could also do this using the Restricted Groups feature.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24120992
I have to agree with sirbounty... Why would you want to do this?
0
 

Author Comment

by:TriCountyIT
ID: 24129617
There is a program that we run for our payroll hours.  It allows you to punch in on the PC.  The problem is they told us when we install the program the initial user has to be an administrator.  Everytime a new user logs in the first time to that program they  need to be an adminstrator.  That was bad enough, but now we found the user has to be an administrator to run the program everytime.  So we need a work around.  I dont like it any more than you guys do, but this is about our only option.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24129649
-) The app designer made a boo-boo, it sounds like
-) Depending on 'what' admin creds are needed for, you may have other ways around this...

As an admin, right-click the app's program folder/properties (probably c:\program files\payroll appname) and choose security tab.  Add 'Everyone" Change ability.
(alternatively, do it from a command line using:
cacls "C:\Program Files\Payroll AppName" /e /t /g Everyone:C <Enter>

Next, you'd need to determine if admin creds are needed for any associated registry keys...  Locate those and similarly, right-click/properties and provide change permission for Everyone - ensuring that all subkeys are also updated.

If you need to determine registry access, you can grab a tool like process monitor (from MS - free tool) to monitor what access that app uses...
0
 

Author Comment

by:TriCountyIT
ID: 24129738
That worked!!  What would happen if I drop that script into a log on script.  Would it need administrative rights to run?
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 2

Expert Comment

by:jmirsky
ID: 24129758
I agree with sirbounty on this one.  I am following the same methods for our environment to be able to remove admin rights from our users.  Process Monitor is a great tool and helps a lot in the troubleshooting.  To answer your original question of how to make everyone a local admin (if you still want to do this) you could use restricted groups in a Group Policy.  

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

To accomplish this you will need to create a new Group Policy Object and link it to an OU that has your Computer Account Objects in it (don't link it to an OU that your servers are in).

You need to create a restricted group named "Administrators" and specify the users and groups you want to be in the local admins group.  Your restricted group would most likely contain "yourdomain\domain admins" "yourdomain\domain users" and "LocalAdminAccount"
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24129840
logon script - no.
startup script - yes. ;^)
0
 

Author Comment

by:TriCountyIT
ID: 24129888
:) Once again we have a problem.  It would be great if everyone shut there pc's off every night. We are a rural hospital and some computers dont get shut down so I am going to have to thros this in a startup script.  Maybe compile an exe that will start cmd prompt in run as administrator and then call this batch file?
0
 

Expert Comment

by:Severcorr
ID: 24130174
My preferred way of doing this would be via group policy using restricted groups. Here is a write up.

http://www.frickelsoft.net/blog/?p=13
Just make sure that Computer Accounts are moved from the default Computer OU becaue GPs cannot be applied there.  I used Restricted groups to give our IT support administrative rights on all domain computers, however, I guess it could be used to give "Domain Users" administrative rights on all computers.
Better hope that people don't know about C$ or people will be browsing everyone's computers.
0
 

Author Closing Comment

by:TriCountyIT
ID: 31569015
Thanks this worked
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24364345
I'm a bit confused by your selected answer here, after posting "it worked" following my comment?
0
 

Author Comment

by:TriCountyIT
ID: 24364464
We ended up not going that route of making everyone an administrator.  I just wanted to give credit because it was a solution that would have worked for the question I posted.  I apologize I didnt see your comment on top.  how do I go back and give you points?
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes people don't understand why download speed shows differently for Windows than Linux.Specially, this article covers and shows the solution for throughput difference for Windows than a Linux machine. For this, I arranged a test scenario.I…
Not long ago I saw a question in the VB Script forum that I thought would not take much time. You can read that question (Question ID  (http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_28455246.html)28455246) Here (http…
This is a video describing the growing solar energy use in Utah. This is a topic that greatly interests me and so I decided to produce a video about it.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

919 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now