Solved

Group Policy to join Domain_User to Local Administrator Group

Posted on 2012-09-13
Last Modified: 2012-09-17
Hello All,

I have more than 250 Windows machines in our environment. All Domain_Users log in to their respective workstations (they don't have any admin rights on the local machine).

Now I have instructions from my manager to add every Domain_User to their local machine's Administrators group (only the particular user who is using that machine, not all users).

I am able to create a GPO to add the Domain_Users group to the local machine's Administrators group, but I don't know how to add only the (specific) users who are logging in to that machine using a GPO.

Can anybody help me out?

Thanks,
Rafi
Question by:hellosoft
10 Comments
 
LVL 1

Accepted Solution

by:
vaporvic earned 2000 total points
ID: 38394439
Startup script linked to GPO is the best option. This one should do the trick.

http://gallery.technet.microsoft.com/scriptcenter/aa9c2662-1861-4b93-9030-176844037bc7

hth

vic
0
 

Author Comment

by:hellosoft
ID: 38394472
Thanks Vic,

The script looks very impressive.

Thanks,
R
0
 
LVL 1

Expert Comment

by:vaporvic
ID: 38394481
Good deal. If it works out for you, please mark it as the solution.
0

Author Comment

by:hellosoft
ID: 38394642
Sure Vic,

I have a doubt about this script. In the line below, do I need to add all computer names (WINXP01) and usernames (User1) manually?

Case "WINXP01"
        objGroup.Add "WinNT://"& DomainName &"/User1" &"" 

Thanks,
R
0
 
LVL 1

Expert Comment

by:vaporvic
ID: 38394669
Yes, the script looks for the computer name match. Tedious, but less tedious than logging onto 250 machines. ;-)
0
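An added example, not part of the thread and not the TechNet script linked above: the per-computer matching vaporvic describes, written as a lookup table so one startup script covers every machine, adds the account only when it is missing, and records each change or failure in the event log. EXAMPLEDOM and the computer and account names are constructed placeholders.

```vbscript
Option Explicit

' Constructed sample data: EXAMPLEDOM and every computer/account name below
' are placeholders, not values from the thread.
Const DOMAIN_NETBIOS = "EXAMPLEDOM"   ' WinNT provider takes the short domain name
Const EVT_ERROR = 1, EVT_INFO = 4     ' WshShell.LogEvent type codes

Dim map, shell, computer, account, memberPath, group
Set shell = CreateObject("WScript.Shell")
Set map = CreateObject("Scripting.Dictionary")
map.CompareMode = vbTextCompare       ' match computer names case-insensitively
map.Add "WINXP01", "user1"
map.Add "WINXP02", "user2"

computer = CreateObject("WScript.Network").ComputerName

' Machines without an entry are left untouched.
If Not map.Exists(computer) Then WScript.Quit 0

account = map(computer)
memberPath = "WinNT://" & DOMAIN_NETBIOS & "/" & account

On Error Resume Next
Set group = GetObject("WinNT://" & computer & "/Administrators,group")
If Err.Number = 0 Then
    ' Skip the Add when the account is already a member, so reboots are quiet.
    If Not group.IsMember(memberPath) Then
        group.Add memberPath
        If Err.Number = 0 Then
            shell.LogEvent EVT_INFO, "Added " & DOMAIN_NETBIOS & "\" & account & _
                " to local Administrators on " & computer
        End If
    End If
End If
If Err.Number <> 0 Then
    ' Record the failure instead of hiding it behind On Error Resume Next.
    shell.LogEvent EVT_ERROR, "Local admin assignment failed on " & computer & _
        ": 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 1
End If
```

The events are written to the Application log under the source WSH, which leaves a per-machine record of which account was granted administrator rights and when.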
 
LVL 39

Expert Comment

by:ChiefIT
ID: 38402785
Please forewarn your boss: what you are doing is very dangerous to IT security. The user shouldn't have admin rights to a computer, because then the user can make administrative edits to the computer's settings. This means that if the user downloads malware, the malicious ware can have its way with the user and computer, and potentially end up as a domain problem.

If I were you, I would grant explicit rights for explicit functions using group policy. Then, if they need the ability to logon locally as a domain user without a connection, allow cached logons. I wouldn't take it further than that.

Personal information and trade secrets are lost this way.
0
 

Author Comment

by:hellosoft
ID: 38404578
Hello Vic,

Could you please tell me which are the variables in the above script you gave?
I am unable to use the script below:

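On Error Resume Next

Dim net, ComputerName, DomainName, objGroup

Set net = WScript.CreateObject("WScript.Network")

' Normalise to upper case: Select Case compares strings case-sensitively,
' so a label such as "Client" never matches a computer named CLIENT.
ComputerName = UCase(net.ComputerName)
' The WinNT provider normally expects the NetBIOS (short) domain name,
' not the DNS name; replace this value if it is the DNS name.
DomainName = "rafi.local"

' Bind to the local Administrators group of this computer
Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators")

Select Case ComputerName

    ' One Case per computer, written in upper case
    Case "CLIENT"
        objGroup.Add "WinNT://" & DomainName & "/hb.User1"

End Select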
0
 
LVL 1

Expert Comment

by:vaporvic
ID: 38405183
to ChiefIT: I would assume that he has been directed to do this by his boss.

to HelloSoft: It's not my script; I just found one that should work for you. Go to the original link. Everything in red is a variable.
0
 

Author Closing Comment

by:hellosoft
ID: 38405218
Thanks Vic
0
 
LVL 1

Expert Comment

by:vaporvic
ID: 38405229
everything in red is a variable.
0
