• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 917
  • Last Modified:

How do I make everyone a local administrator on every PC on our network?

i need to make everyone who logs into any of our 250 PC's a local administrator.  Which is the best way to do that through VBS or a batch file?  Thanks
0
TriCountyIT
Asked:
TriCountyIT
1 Solution
 
sirbountyCommented:
http://www.msfn.org/board/lofiversion/index.php/t72395.html details how to accomplish this, but I must say I wouldn't recommend it.
What are you trying to accomplish that causes you to want this?
0
 
Shift-3Commented:
You could use the command net localgroup administrators /add interactive in a startup script under the group policy node Computer Configuration\Windows Settings\Scripts\Startup.  This gives administrator rights to anybody who logs onto the machine interactively, but not to users who connect to it over the network.

You could also do this using the Restricted Groups feature.
0
 
johnb6767Commented:
I have to agree with sirbounty... Why would you want to do this?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
TriCountyITAuthor Commented:
There is a program that we run for our payroll hours.  It allows you to punch in on the PC.  The problem is they told us when we install the program the initial user has to be an administrator.  Everytime a new user logs in the first time to that program they  need to be an adminstrator.  That was bad enough, but now we found the user has to be an administrator to run the program everytime.  So we need a work around.  I dont like it any more than you guys do, but this is about our only option.
0
 
sirbountyCommented:
-) The app designer made a boo-boo, it sounds like
-) Depending on 'what' admin creds are needed for, you may have other ways around this...

As an admin, right-click the app's program folder/properties (probably c:\program files\payroll appname) and choose security tab.  Add 'Everyone" Change ability.
(alternatively, do it from a command line using:
cacls "C:\Program Files\Payroll AppName" /e /t /g Everyone:C <Enter>

Next, you'd need to determine if admin creds are needed for any associated registry keys...  Locate those and similarly, right-click/properties and provide change permission for Everyone - ensuring that all subkeys are also updated.

If you need to determine registry access, you can grab a tool like process monitor (from MS - free tool) to monitor what access that app uses...
0
 
TriCountyITAuthor Commented:
That worked!!  What would happen if I drop that script into a log on script.  Would it need administrative rights to run?
0
 
jmirskyCommented:
I agree with sirbounty on this one.  I am following the same methods for our environment to be able to remove admin rights from our users.  Process Monitor is a great tool and helps a lot in the troubleshooting.  To answer your original question of how to make everyone a local admin (if you still want to do this) you could use restricted groups in a Group Policy.  

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

To accomplish this you will need to create a new Group Policy Object and link it to an OU that has your Computer Account Objects in it (don't link it to an OU that your servers are in).

You need to create a restricted group named "Administrators" and specify the users and groups you want to be in the local admins group.  Your restricted group would most likely contain "yourdomain\domain admins" "yourdomain\domain users" and "LocalAdminAccount"
0
 
sirbountyCommented:
logon script - no.
startup script - yes. ;^)
0
 
TriCountyITAuthor Commented:
:) Once again we have a problem.  It would be great if everyone shut there pc's off every night. We are a rural hospital and some computers dont get shut down so I am going to have to thros this in a startup script.  Maybe compile an exe that will start cmd prompt in run as administrator and then call this batch file?
0
 
SevercorrCommented:
My preferred way of doing this would be via group policy using restricted groups. Here is a write up.

http://www.frickelsoft.net/blog/?p=13
Just make sure that Computer Accounts are moved from the default Computer OU becaue GPs cannot be applied there.  I used Restricted groups to give our IT support administrative rights on all domain computers, however, I guess it could be used to give "Domain Users" administrative rights on all computers.
Better hope that people don't know about C$ or people will be browsing everyone's computers.
0
 
TriCountyITAuthor Commented:
Thanks this worked
0
 
sirbountyCommented:
I'm a bit confused by your selected answer here, after posting "it worked" following my comment?
0
 
TriCountyITAuthor Commented:
We ended up not going that route of making everyone an administrator.  I just wanted to give credit because it was a solution that would have worked for the question I posted.  I apologize I didnt see your comment on top.  how do I go back and give you points?
0

Featured Post

Take Control of Web Hosting For Your Clients

As a web developer or IT admin, successfully managing multiple client accounts can be challenging. In this webinar we will look at the tools provided by Media Temple and Plesk to make managing your clients’ hosting easier.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now