Solved

How do I make everyone a local administrator on every PC on our network?

Posted on 2009-04-10
Last Modified: 2012-06-21
I need to make everyone who logs into any of our 250 PCs a local administrator.  Which is the best way to do that through VBS or a batch file?  Thanks
Question by:TriCountyIT
13 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 24118216
http://www.msfn.org/board/lofiversion/index.php/t72395.html details how to accomplish this, but I must say I wouldn't recommend it.
What are you trying to accomplish that causes you to want this?
0
 
LVL 38

Accepted Solution

by:
Shift-3 earned 500 total points
ID: 24118226
You could use the command net localgroup administrators /add interactive in a startup script under the group policy node Computer Configuration\Windows Settings\Scripts\Startup.  This gives administrator rights to anybody who logs onto the machine interactively, but not to users who connect to it over the network.

You could also do this using the Restricted Groups feature.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 24120992
I have to agree with sirbounty... Why would you want to do this?
0
 

Author Comment

by:TriCountyIT
ID: 24129617
There is a program that we run for our payroll hours.  It allows you to punch in on the PC.  The problem is they told us when we install the program the initial user has to be an administrator.  Every time a new user logs in the first time to that program they need to be an administrator.  That was bad enough, but now we found the user has to be an administrator to run the program every time.  So we need a workaround.  I don't like it any more than you guys do, but this is about our only option.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24129649
-) The app designer made a boo-boo, it sounds like
-) Depending on 'what' admin creds are needed for, you may have other ways around this...

As an admin, right-click the app's program folder/properties (probably c:\program files\payroll appname) and choose security tab.  Add 'Everyone' Change ability.
Alternatively, do it from a command line using:
cacls "C:\Program Files\Payroll AppName" /e /t /g Everyone:C <Enter>

Next, you'd need to determine if admin creds are needed for any associated registry keys...  Locate those and similarly, right-click/properties and provide change permission for Everyone - ensuring that all subkeys are also updated.

If you need to determine registry access, you can grab a tool like process monitor (from MS - free tool) to monitor what access that app uses...
0
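
A narrower form of the grant described in the comment above, as an added example that is not part of the original thread: it gives Modify on the application folder and write access on one registry key to a single security group rather than Everyone, then lists any write ACEs still held by catch-all principals. The group name and registry key are hypothetical placeholders; the folder path is the one written in the thread.

```powershell
# Added example: grant access to one security group instead of Everyone.
# Run from an elevated PowerShell session on the PC that hosts the application.
$AppFolder = 'C:\Program Files\Payroll AppName'   # path as written in the thread
$RegKey    = 'HKLM:\SOFTWARE\PayrollVendor'       # hypothetical: use the key Process Monitor shows
$Group     = 'YOURDOMAIN\Payroll Users'           # hypothetical security group

function Add-ScopedRule {
    # Adds one allow rule to the existing ACL; no existing entry is removed.
    param([string]$Path, $Rule)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-BroadWriteAce {
    # Lists allow-ACEs on a folder that give write access to catch-all principals.
    # Identities are compared as SIDs so the check does not depend on OS language.
    param([string]$Path)
    $broad = 'S-1-1-0', 'S-1-5-4', 'S-1-5-11', 'S-1-5-32-545'  # Everyone, INTERACTIVE, Authenticated Users, Users
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $write) -ne 0)
    }
}

# Modify on the folder, inherited by subfolders and files.
$fsArgs = $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $fsArgs

# Read plus value/subkey writes on the key, inherited by subkeys.
$regArgs = $Group, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow'
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $regArgs

if (Test-Path -LiteralPath $AppFolder) {
    Add-ScopedRule -Path $AppFolder -Rule $fsRule
    # Anything printed here is a leftover broad write grant on the folder.
    Get-BroadWriteAce -Path $AppFolder |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
if (Test-Path -LiteralPath $RegKey) {
    Add-ScopedRule -Path $RegKey -Rule $regRule
}
```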
 

Author Comment

by:TriCountyIT
ID: 24129738
That worked!!  What would happen if I drop that script into a logon script?  Would it need administrative rights to run?
0
 
LVL 2

Expert Comment

by:jmirsky
ID: 24129758
I agree with sirbounty on this one.  I am following the same methods for our environment to be able to remove admin rights from our users.  Process Monitor is a great tool and helps a lot in the troubleshooting.  To answer your original question of how to make everyone a local admin (if you still want to do this) you could use restricted groups in a Group Policy.  

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

To accomplish this you will need to create a new Group Policy Object and link it to an OU that has your Computer Account Objects in it (don't link it to an OU that your servers are in).

You need to create a restricted group named "Administrators" and specify the users and groups you want to be in the local admins group.  Your restricted group would most likely contain "yourdomain\domain admins" "yourdomain\domain users" and "LocalAdminAccount"
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24129840
logon script - no.
startup script - yes. ;^)
0
 

Author Comment

by:TriCountyIT
ID: 24129888
:) Once again we have a problem.  It would be great if everyone shut their PCs off every night. We are a rural hospital and some computers don't get shut down so I am going to have to throw this in a startup script.  Maybe compile an exe that will start cmd prompt in run as administrator and then call this batch file?
0
 

Expert Comment

by:Severcorr
ID: 24130174
My preferred way of doing this would be via group policy using restricted groups. Here is a write up.

http://www.frickelsoft.net/blog/?p=13
Just make sure that Computer Accounts are moved from the default Computer OU because GPs cannot be applied there.  I used Restricted groups to give our IT support administrative rights on all domain computers, however, I guess it could be used to give "Domain Users" administrative rights on all computers.
Better hope that people don't know about C$ or people will be browsing everyone's computers.
0
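
For checking where the group changes discussed in this thread have already been applied, an added example (not from any poster): it reports members of the local Administrators group that are catch-all principals such as INTERACTIVE or Domain Users. The domain SIDs in the sample list are constructed.

```powershell
# Added example: flag catch-all principals in the local Administrators group.
# Matching is done on SIDs so it works regardless of OS display language.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipalName {
    # Returns a label if the SID is a catch-all principal, otherwise $null.
    param([string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # RID 513 under any domain SID is that domain's "Domain Users" group.
    if ($Sid -match '^S-1-5-21(-\d+){3}-513$') { return 'Domain Users' }
    return $null
}

function Get-BroadLocalAdmin {
    # S-1-5-32-544 is the built-in Administrators group.
    # Needs the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $label = Get-BroadPrincipalName -Sid $m.SID.Value
        if ($label) {
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Member    = $m.Name
                Sid       = $m.SID.Value
                MatchedAs = $label
            }
        }
    }
}

# Constructed sample SIDs: INTERACTIVE, a Domain Users group, a Domain Admins group.
# Only the first two get a label; Domain Admins (RID 512) is an expected member.
$sample = 'S-1-5-4',
          'S-1-5-21-1111111111-2222222222-3333333333-513',
          'S-1-5-21-1111111111-2222222222-3333333333-512'
$sample | ForEach-Object { '{0} -> {1}' -f $_, (Get-BroadPrincipalName -Sid $_) }

# Check the machine this runs on.
Get-BroadLocalAdmin
```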
 

Author Closing Comment

by:TriCountyIT
ID: 31569015
Thanks this worked
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 24364345
I'm a bit confused by your selected answer here, after posting "it worked" following my comment?
0
 

Author Comment

by:TriCountyIT
ID: 24364464
We ended up not going that route of making everyone an administrator.  I just wanted to give credit because it was a solution that would have worked for the question I posted.  I apologize, I didn't see your comment on top.  How do I go back and give you points?
0
