Solved

Adding Logged User to Local Administrator

Posted on 2012-03-15
Last Modified: 2012-05-03
Hi Experts,

I would like to add a domain user to the local administrator group and then removed once they are logged off.

How can this be done within group policy?

Thanks in advance
Question by:introlux
LVL 3

Expert Comment

by:Dhanesh Kansari
ID: 37724639
Machine Script Solution:

By combining a Windows 2000/2003 GPO with a machine script, we can get
a good solution to this problem, and avoid the problems that the "Restricted Groups" option of the Windows 2000/2003 GPO creates.


The script structure:

    Script Name: Machine_Startup_Script.vbs (You can use any name that you like,
                                       but you need to verify that the file name suffix ends with
                                       *.vbs).

    Operation Interval:  Each machine startup or/and shutdown.

 
'Beginning Of the Script

' Keep going on errors (e.g. the group is already a member, or the script
' runs without sufficient rights) instead of stopping with a dialog
On Error Resume Next

'get main objects/variables
Set ws = WScript.CreateObject("WScript.Shell")
compname = ws.ExpandEnvironmentStrings("%COMPUTERNAME%")
' Bind to the local Administrators group through the WinNT ADSI provider
Set adGrp = GetObject("WinNT://" & compname & "/Administrators,group")

'add domain groups to local admin group
adGrp.Add "WinNT://mywindowsdomain/Domain Admins,group"

'End of the Script
 

mywindowsdomain = The NetBIOS name of the domain that the user workstation logs into.

Lines that begin with " ' " are comments only.

After creating the script, we need to add this script to the Domain Default GPO as a
computer startup or/and shutdown script, and we are done.
 
LVL 3

Expert Comment

by:Dhanesh Kansari
ID: 37724645
I usually use scripts like this as part of the workstation build process, as it requires local administrator rights. However, if your users are local admins, it is possible to run or call the script below through their login script.

Substitute your domain name for the word DOMAINNAME. You can also use this script to add other domain groups to local groups (e.g. create a domain group LOCALPOWER, modify GroupString to be the name of the local group to add members to (e.g. "Power Users"), and edit the line starting with GroupObj.Add so the LOCALPOWER group is added to the local computer group instead of "Domain Admins". This lets you control people with power user rights without visiting the desktop).

The On Error Resume Next line ensures that if for some reason the script cannot be run (e.g. insufficient rights) it does not hang or notify of a problem. Cut and paste the text between the lines as a *.vbs file:

_________________________
Dim WshShell, WshSysEnv
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshSysEnv = WshShell.Environment("PROCESS")
' Ignore errors (e.g. insufficient rights) so the script exits quietly
On Error Resume Next

' Name of this computer, used to bind to its local groups
UserString = WshSysEnv("COMPUTERNAME")

' Local group to add members to; change to e.g. "Power Users" for other groups
GroupString = "Administrators"
Set GroupObj = GetObject("WinNT://" & UserString & "/" & GroupString)
' Domain group to add; replace DOMAINNAME with your NetBIOS domain name
GroupObj.Add "WinNT://DOMAINNAME/Domain Admins"
Set GroupObj = Nothing

Set WshShell = Nothing
Set WshSysEnv = Nothing
WScript.Quit
_____________________________
 
LVL 11

Expert Comment

by:sysreq2000
ID: 37724650
Author Comment

by:introlux
ID: 37728590
Hi,

I would prefer to do it via group policy rather than using a script. I have tried to use the script and it does not seem to work. I have also tried following the last GP tutorial but I am somewhat confused.

Basically I would like to add the user to the Admin group or NT group. I need the user to have enough permissions to add/remove software and remote desktop on their computer. I am aware that being admin may give them too much permission.

Can you please advise.

Thanks.
 
LVL 11

Accepted Solution

by: sysreq2000 (earned 500 total points)
ID: 37729524
If you don't have your computers set in an OU it would be a good idea to do that for the users in question. Also since you've never done this before you might be wise to create an OU for testing first.

Here's another good step by step guide:


http://groups.google.com/group/microsoft.public.windows.msi/browse_thread/thread/3bfaf8d52a0f8650/2a6c9d07514c3d18?q=group+policy+local+administrator&_done=%2Fgroups%3Fq%3Dgroup+policy+local+administrator%26start%3D20%26hl%3Den%26lr%3D%26&_doneTitle=Back+to+Search&&d

1. Start Active Directory Users and Computers from any domain controller.
2. Create an organizational unit, and then move all of the appropriate workstations and member servers to that organizational unit. Create a global group in that organizational unit, and then add the appropriate users to that group.

IMPORTANT: Complete the remaining steps from a Windows 2003-based member server or a Windows 2000/XP Professional-based workstation with the Adminpak installed.

3. Start Active Directory Users and Computers, right-click the organizational unit, and then click Properties.
4. Click the Group Policy tab, click NEW, and then name the policy.
5. Click the policy, and then click Edit.
6. Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.
7. Click Browse. Focused on the local computer, click the group of which you want your global group to be a member (in this case, the "Administrators" group), click ADD, and then click OK. You are returned to the group policy and you see the Administrators group listed in the Restricted Groups window.
8. Right-click the group, and then click Security.
9. To the right side of the Members of this Group box, click ADD, and then click Browse.
10. Locate the group in the organizational unit that you want to place in the Administrators group, and then add it to the group. After you do so, close the group policy.
11. At a command prompt, type gpupdate /force, and then press ENTER.
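As an added check that is not code from this thread: after either the startup script above or the Restricted Groups policy has been deployed, this PowerShell script reads the local Administrators group through the same WinNT ADSI provider the VBScripts use and reports any member that is not on the expected list (and any expected member that is missing, which usually means the GPO has not applied yet). The DOMAINNAME and WorkstationAdmins names in $Expected are placeholders to replace with your own.

```powershell
# Added example, not code from this thread. Verifies that the local Administrators
# group on a machine contains exactly the members the startup script or the
# Restricted Groups policy was meant to put there. Reads the group through the
# same WinNT ADSI provider the VBScripts above use. Names in $Expected are
# assumed placeholders; replace DOMAINNAME and WorkstationAdmins with your own.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$Expected = @('Administrator',
                            'DOMAINNAME\Domain Admins',
                            'DOMAINNAME\WorkstationAdmins')
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Invoke('Members') returns raw COM objects; read each member's ADsPath, which
    # looks like WinNT://DOMAIN/Name for domain principals and
    # WinNT://DOMAIN/COMPUTER/Name for local accounts, and keep the last two parts.
    foreach ($m in $group.Invoke('Members')) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[0] }
    }
}

# Local accounts come back as COMPUTERNAME\Name; drop the machine prefix so the
# built-in Administrator can be listed in $Expected without it.
$prefix = '^' + [regex]::Escape($ComputerName) + '\\'
$actual = @(Get-LocalAdminMembers -Computer $ComputerName |
            ForEach-Object { $_ -replace $prefix, '' })

# Anything present but not in policy is a candidate for investigation; anything
# in policy but absent means the GPO has not applied yet (try gpupdate /force).
$unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
$missing    = @($Expected | Where-Object { $actual   -notcontains $_ })

"Administrators on ${ComputerName}:"
$actual | ForEach-Object { "  $_" }
if ($unexpected) { Write-Warning ('Not in policy: '      + ($unexpected -join ', ')) }
if ($missing)    { Write-Warning ('Missing from group: ' + ($missing    -join ', ')) }
if (-not $unexpected -and -not $missing) { 'Membership matches the expected list.' }
```

Run it locally after gpupdate /force, or against another machine with -ComputerName; reading the WinNT provider on a remote machine needs an account that can enumerate that machine's local groups.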
 

Author Comment

by:introlux
ID: 37747219
So can you not just add the currently logged-on user into the Administrators group then? It has worked with the Windows 7 machines, but it does not seem to work with XP workstations using group policy.

I added this in the restricted user config area and it worked for Windows 7 but not XP.

Any idea?