Batch file to add current user to the Local Admin Group

bojangles714
I am looking for a batch file that will add the user logging in to that machine's local Administrators group. I have written a script, but it does not appear to be fully functional. It will only run properly if you are a domain admin. The script I am running is:
net localgroup Administrators /ADD "domain\%username%"



Is this incorrect?
The reason you won't be able to do that is because to add a user to the admin group, the user running the script needs to be an admin on the machine, which they aren't.

If you're adding any user that logs on as an admin to the machine, then everyone will be an admin. So theoretically you could use a startup script or restricted group in group policy to give domain users admin access.

I don't think this is a good thing to do, but it will do what you're looking for.

You could use pstools to help.

Using psloggedon, you would be able to tell who's logged in.

Then, using psexec, you could run your batch file on that PC as admin.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
I agree. You could even do that manually - going to each machine, logging in as admin, and issuing
net localgroup Administrators /add "domain\domain users"
- or do it remotely, e.g. with psexec (www.systernals.com):
psexec @listofpcs -u domain\administrator -p Pwd ^
net localgroup Administrators /add "domain\domain users"
That then needs to be done only once.

Commented:
Exactly... or right-click My Computer > Manage > Local Users > Groups. Select Administrators and add domain users.

Commented:
Rather than explicitly adding each user, a comparatively better method would be to add the INTERACTIVE account to the local Administrators group. This way users will have administrative privileges when they log onto the machine, but not when they access it over the network.

You could do this using Restricted Groups in group policy, or by running the command below in a script configured through the group policy node Computer Configuration\Windows Settings\Scripts\Startup. Note that unlike logon scripts, startup scripts run under the local SYSTEM account and thus have access to modify membership in the Administrators group.


net localgroup administrators interactive /add


Author

Commented:
I will have to write a script then to do so. Thank you. I will be using psloggedon and psexec.

thanks
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
You are aware that psloggedon only can get you the user logged in *at that moment*?
Thanks for the grade
The command is correct; however, like xxdcmast said, they will need to be an admin already. You can use a script to open the cmd prompt as a different user that has admin rights and run the .bat file within that. But I would use an encrypted script so the user can't accidentally see the password.
