• Status: Solved

Group Policy to join Domain_User to Local Administrator Group

Hello All,

I have more than 250 Windows machines in our environment. All Domain_Users were used to log in to their respective workstations (they don't have any admin rights on the local machine).

Now I got instructions from my manager to add every Domain_User to their local machine Administrator group (only the particular user who is using that machine, not all users).

I am able to create a GPO to add the Domain_Users group to the local machine Administrator group, but I don't know how to add only the (specific) users who are logging in to that machine using a GPO.

Can anybody help me out?

Thanks,
Rafi

vaporvic Commented:
Startup script linked to GPO is the best option. This one should do the trick.

http://gallery.technet.microsoft.com/scriptcenter/aa9c2662-1861-4b93-9030-176844037bc7

hth

vic

hellosoft (Author) Commented:
Thanks Vic,

The script looks very impressive.

Thanks,
R

vaporvic Commented:
Good deal. If it works out for you, please mark it as the solution.
 
hellosoft (Author) Commented:
Sure Vic,

I have a doubt about this script. From the lines below, do I need to add all the computer names (WINXP01) and usernames (User1) manually?

Case "WINXP01"
        objGroup.Add "WinNT://"& DomainName &"/User1" &"" 

Thanks,
R

vaporvic Commented:
Yes, the script looks for the computer name match. Tedious, but less tedious than logging onto 250 machines. ;-)

ChiefIT Commented:
Please forewarn your boss: what you are doing is very dangerous to IT security. The user shouldn't have admin rights to a computer because then the user can make administrative edits to the computer's settings. This means, if the user downloads malware, the malicious ware can have its way with the user and computer, and potentially end up as a domain problem.

If I were you, I would grant explicit rights for explicit functions using group policy. Then, if they need the ability to log on locally as a domain user without a connection, allow cached logons. I wouldn't take it further than that.

Personal information and trade secrets are lost this way.

hellosoft (Author) Commented:
Hello Vic,

Could you please tell me which are the variables in the above script you gave?
I am unable to use the script below.

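' Startup script: add one named domain user to the local Administrators group
On Error Resume Next   ' suppresses errors, e.g. when the user is already a member

Dim net, ComputerName, DomainName, objGroup

Set net = WScript.CreateObject("WScript.Network")

' Select Case compares strings case-sensitively, so normalise the name first
ComputerName = UCase(net.ComputerName)
DomainName = "rafi.local"

Set objGroup = GetObject("WinNT://" & ComputerName & "/Administrators")

Select Case ComputerName

    Case "CLIENT"
        objGroup.Add "WinNT://" & DomainName & "/hb.User1"

End Select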

vaporvic Commented:
To ChiefIT: I would assume that he has been directed to do this by his boss.

To HelloSoft: It's not my script, I just found one that should work for you. Go to the original link. Everything in red is a variable.

hellosoft (Author) Commented:
Thanks Vic

vaporvic Commented:
Everything in red is a variable.
Question has a verified solution.
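
The approach discussed in this thread (a startup script that matches the computer name and adds one named user to the local Administrators group) can be driven by a table instead of one Case per machine. The following is an added PowerShell example, not the linked TechNet script or any poster's code. It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets, a constructed computer-to-user table, and RAFI as the NetBIOS domain name; the function names are hypothetical. It also warns about domain user accounts in the group that the table does not list.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts) and execution as a computer startup script.
# Constructed sample mapping; RAFI is an assumed NetBIOS domain name.
$Map = @'
Computer,User
CLIENT,RAFI\hb.User1
WINXP01,RAFI\User1
'@ | ConvertFrom-Csv

# Hypothetical helper: return the user(s) assigned to one computer.
function Get-AssignedAdmin {
    param([string]$ComputerName, [object[]]$Mapping)
    # -eq on strings is case-insensitive, so "Client" and "CLIENT" both match.
    $Mapping | Where-Object { $_.Computer -eq $ComputerName } |
        ForEach-Object { $_.User }
}

# Hypothetical helper: add the assigned user if missing, then audit the group.
function Sync-LocalAdmin {
    param([string]$ComputerName = $env:COMPUTERNAME, [object[]]$Mapping = $Map)
    $assigned = @(Get-AssignedAdmin -ComputerName $ComputerName -Mapping $Mapping)
    $current  = @(Get-LocalGroupMember -Group 'Administrators')

    foreach ($user in $assigned) {
        # Only add when absent, so repeated startups do not raise errors.
        if ($current.Name -notcontains $user) {
            Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction Stop
            Write-Output "added $user"
        }
    }

    # Audit: domain user accounts in Administrators that the mapping does not list.
    $current |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        Where-Object { $assigned -notcontains $_.Name } |
        ForEach-Object { Write-Warning "unexpected local admin on ${ComputerName}: $($_.Name)" }
}

Sync-LocalAdmin
```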