bojangles714

asked on

Batch file to add current user to the Local Admin Group

I am looking for a batch file that will add the user logging in to that machine's local Administrators group. I have written a script, but it does not appear to be fully functional. It will only run properly if you are a domain admin. The script I am running is:
net localgroup Administrators /ADD "domain\%username%"

Is this incorrect?

Joseph Daly

The reason you won't be able to do that is because to add a user to the admin group, the user running the script needs to be an admin on the machine, which they aren't.

If you're adding any user that logs on as an admin to the machine, then everyone will be an admin. So theoretically you could use a startup script or restricted group in group policy to give domain users admin access.

I don't think this is a good thing to do, but it will do what you're looking for.

ASKER CERTIFIED SOLUTION
netcmh

This solution is only available to members.

I agree. You could even do that manually - going to each machine, log in as admin, issue
net localgroup Administrators /add "domain\domain users"
- or do it from remote, e.g. with psexec (www.sysinternals.com):
psexec @listofpcs -u domain\administrator -p Pwd ^
net localgroup Administrators /add "domain\domain users"
That then needs to be done only once.

Exactly... or right-click My Computer > Manage > Local Users > Groups. Select Administrators, add Domain Users.

Rather than explicitly adding each user, a comparatively better method would be to add the INTERACTIVE account to the local Administrators group. This way users will have administrative privileges when they log on to the machine, but not when they access it over the network.

You could do this using Restricted Groups in group policy, or by running the command below in a script configured through the group policy node Computer Configuration\Windows Settings\Scripts\Startup. Note that unlike logon scripts, startup scripts run under the local SYSTEM account and thus have access to modify membership in the Administrators group.


net localgroup administrators interactive /add

bojangles714

ASKER

I will have to write a script then to do so. Thank you. I will be using psloggedon and psexec.

thanks
You are aware that psloggedon only can get you the user logged in *at that moment*?
Thanks for the grade
RTSCCFLAX

The command is correct; however, like xxdcmast said, they will need to be an admin already. You can use a script to open the cmd prompt as a different user that has admin rights and run the .bat file within that. But I would use an encrypted script so the user can't accidentally see the password.
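
The replies above suggest placing Domain Users or INTERACTIVE in the local Administrators group. As an added example that is not part of the original thread, this PowerShell audit flags those broad principals by well-known SID; it assumes Windows PowerShell 5.1 or later (for `Get-LocalGroupMember`), and the function name `Test-BroadAdminMember` is hypothetical.

```powershell
# Added example: audit the local Administrators group for broad principals.
# Well-known SIDs are matched so the check works on any OS display language.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# <domain>\Domain Users always ends in RID 513.
$domainUsersPattern = '^S-1-5-21-\d+-\d+-\d+-513$'

# Hypothetical helper: returns the broad principal's label, or $null.
function Test-BroadAdminMember {
    param([Parameter(Mandatory)][string]$Sid)
    if ($broadSids.ContainsKey($Sid)) { return $broadSids[$Sid] }
    if ($Sid -match $domainUsersPattern) { return 'Domain Users' }
    return $null
}

try {
    # S-1-5-32-544 is the built-in Administrators group.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
} catch {
    Write-Error "Could not enumerate local Administrators: $_"
    exit 2
}

$findings = foreach ($m in $members) {
    $reason = Test-BroadAdminMember -Sid $m.SID.Value
    if ($reason) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Sid      = $m.SID.Value
            Reason   = "$reason makes every matching logon a local admin"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled compliance job can alert
}
Write-Output "No broad principals in local Administrators on $env:COMPUTERNAME."
```

Run it locally on each workstation (for example from an inventory or compliance job) and treat exit code 1 as a finding to review against the Restricted Groups policy.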