Creating a temporary local admin account for vendor for a group of computers

Posted on 2012-08-27
Last Modified: 2012-08-28
I'm very new to AD.  What I want to do is create a temporary local administrator account for a group of 5 computers that I can later rescind.  These would all have the same username and password.  The reason is that our school has a vendor coming to set up 5 Smartboards and the associated software on 5 dedicated laptops. I want this person to have the rights to install the software and make sure everything works correctly.  I then want to delete this local administrator account when the job is done.

I know I can set up a temporary admin account on each computer but I am learning about the power of AD and would like to do the job once and have it affect those computers.

I am going to do the 1st step and set up a separate OU for these 5 computers. I was wondering if I could write a group policy that creates a local admin account on these computers with the same name and password?  As mentioned earlier, I am just learning about servers, AD, and GPO.

I also intend to leave this OU in place for future updates of software for these dedicated computers.  I appreciate any assistance.
Question by:Techman85

    Expert Comment

    by:Krzysztof Pytko
    Yes, sure. Create a standard domain user account for that company and create a GPP (Group Policy Preferences) to apply it to that OU where the 5 computers are located. Please check that

    If you have XP clients, you need to install the Client Side Extension (CSE) first to be able to apply GPP.

    After all, you can simply disable that user account in the domain and remove the GPP from the OU.


    Accepted Solution

    Create a user in AD with admin privileges.
    In the user properties, set when the account has to expire (Account tab); with this you do not forget to disable the account, it will be disabled automatically.
    On the same tab (Account), click "Log on to ..." and set the hostnames of your 5 PCs - this will ensure the user will be able to log in only on the specified PCs.

    This simple procedure does not need to create any policies and apply them, just one account and 2 settings for it. It should do all the work you expect.

    Author Comment

    Thanks for the suggestions.  I tried helpfinder's suggestion since it was simple and seemed to do everything I wanted.  I followed the steps and created a user with admin privileges and set the hostnames of the computers in the "Log on to" section.  Once I logged off and back on again, I was able to log on with the newly created user.

    However, when I tried to install a program, the UAC came on looking for credentials.  I typed in the username and password for my newly created account and got a message at the bottom, "The requested operation requires elevation".  I don't understand why that is since I set up the user with admin privileges in AD.  The target machines are Windows 7 Professional.

    Expert Comment

    What if you try right-clicking on the program and clicking the "Run as Administrator" option?
    As option 2, you can try to turn off UAC for a while and check if your SW will be installed without problems with UAC turned off.

    Author Comment

    I tried making it work by turning UAC off and also tried "Run as Administrator", but no luck. It seems that the Administrator permissions get stripped when going from a "Built-in Administrator" in AD to a Local Administrator. This seems to be a Windows 7 behavior and might have to do with the default disabled Administrator account. I used helpfinder's solution which worked as far as making an account and limiting it to those 5 machines with an expiration date. (I'll see if the account expires on Friday). I then went in locally with my Domain Administrator account and added user "smart" as an administrator.  I have a deadline so I don't have time to work with this any longer.
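
The steps discussed in this thread, combined into one script as an added example (not code from any of the posters): a standard domain user with an expiry date and a "Log on to" restriction, given local Administrators membership on the five laptops only, which is the step the asker ended up doing by hand. The hostnames, the domain name `SCHOOL`, the expiry offset and the function names are assumptions; the script also assumes the ActiveDirectory module and PowerShell remoting (WinRM) on the laptops.

```powershell
# Added example. Hostnames, domain name and function names are hypothetical.
Import-Module ActiveDirectory

$Laptops = 'SB-LAPTOP-01','SB-LAPTOP-02','SB-LAPTOP-03','SB-LAPTOP-04','SB-LAPTOP-05'
$Domain  = 'SCHOOL'   # hypothetical NetBIOS domain name
$User    = 'smart'    # account name used by the asker

function Grant-VendorAccess {
    param([datetime]$Expires = (Get-Date).Date.AddDays(5))  # assumed end of the visit

    # Standard domain user: no domain-level admin group membership.
    # It expires on its own and can only log on to the five laptops
    # (the "Log on to..." setting on the Account tab).
    New-ADUser -Name $User -SamAccountName $User `
        -AccountPassword (Read-Host -AsSecureString "Password for $User") `
        -Enabled $true `
        -AccountExpirationDate $Expires `
        -LogonWorkstations ($Laptops -join ',')

    # Local administrator rights on those laptops only.
    Invoke-Command -ComputerName $Laptops -ScriptBlock {
        param($Account)
        net localgroup Administrators $Account /add
    } -ArgumentList "$Domain\$User"

    # Show what was actually set, so the restriction can be checked.
    Get-ADUser $User -Properties AccountExpirationDate, LogonWorkstations, MemberOf |
        Select-Object SamAccountName, Enabled, AccountExpirationDate,
                      LogonWorkstations, MemberOf
}

function Revoke-VendorAccess {
    # Remove the local group entry first, then delete the domain account,
    # so no orphaned SID is left in the laptops' Administrators group.
    Invoke-Command -ComputerName $Laptops -ScriptBlock {
        param($Account)
        net localgroup Administrators $Account /delete
    } -ArgumentList "$Domain\$User"

    Remove-ADUser -Identity $User -Confirm:$false
}
```

Run `Grant-VendorAccess` before the visit and `Revoke-VendorAccess` once the job is done; the expiry date covers the case where the second step is forgotten.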
