Solved

Server 2003 Group Policy to Add Local Admin User

Posted on 2014-04-30
1,924 Views
Last Modified: 2014-05-07
I have a fully patched 2003 R2 x64 server (including the Group Policy Extensions patch) that's joined to an AD domain.  I'd like to create a group policy to create a new local user and add it to the built-in Administrators group.  I have a policy that works fine for 2008 and later servers, but not for 2003 servers.  Does anyone have any suggestions on how to do this?  Thanks!
Question by:AvacadoGreen
8 Comments
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 40033775
Are you trying to add several domain users from a particular group to be local admins on this server?
 
LVL 25

Expert Comment

by:Coralon
ID: 40033813
Just assigning a startup script should be easy enough to do.  (Note: this is a machine-level startup script, not a user logon script.)

@echo off
rem Run-once guard: create the account only while the marker value is absent (reg.exe returns 1 when the value is not found)
reg query HKLM\Software\MyTestKey /v MyTestValue >nul 2>&1
if errorlevel 1 (net user MyUser MyUser-Password /add && net localgroup Administrators MyUser /add && reg add HKLM\Software\MyTestKey /v MyTestValue /t REG_DWORD /d 1 /f)



That's pretty much it. Once the users are created, you can modify those local accounts yourself with a similar command to keep the users from being able to discover the password.

To change it after the fact, you can grab a copy of psexec.exe from Microsoft (http://technet.microsoft.com/en-us/sysinternals/bb897553).

Create a list of your machines (just the names).  And of course, you'll do this from your own machine.

psexec.exe @serverlist.txt -h cmd.exe /c net user MyUser MyUserNewPassword



There are plenty of other scripting languages that can accomplish the same thing.  

Coralon
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 40033817
You could create a script with the following.

rem Create the local account; "*" prompts for the password without echoing it
net user LocalAdmin * /add
rem Add the new account to the local Administrators group
net localgroup "Administrators" LocalAdmin /add

This will allow you to create the user account and set the password. Then reset the password for the LocalAdmin user.

Here is also more info on net user: http://support.microsoft.com/kb/251394

You can also use.

CT
 
LVL 25

Expert Comment

by:Lionel MM
ID: 40034385
Using GPO, this shows you how to create a group, add users to that group, and then add that group to the local Administrators group. http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx
 

Author Comment

by:AvacadoGreen
ID: 40034494
The biggest concern I have is with users being able to view scripts containing passwords for accounts with administrative-level permissions.  Are there any solutions that don't require typing the password out in plain-text?  Or is there a way to prevent users from viewing the account creation script without locking computers out of the group policy/script?
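The concern raised in this comment, a password typed in plain text into a startup script that any domain member can read, can at least be audited. The following Python scanner is an added example, not code from this thread: it walks a .bat/.cmd script and flags every net user command that carries a literal password, or that creates an account with no password at all, while accepting the prompted form (*) and batch-variable expansion; the sample script is constructed.

```python
import re
from typing import List, Optional, Tuple

# 'net user <name> [<password-or-option>] [rest]'; whatever precedes 'net user'
# (cmd /c, psexec \\host, a for-loop body) is ignored. Tokens may be quoted.
_NET_USER = re.compile(
    r'\bnet\s+user\s+(?P<name>"[^"]*"|\S+)(?:\s+(?P<arg>"[^"]*"|\S+))?(?P<rest>.*)',
    re.IGNORECASE,
)

def _classify(arg: Optional[str], rest: str) -> str:
    """Issue for the token that follows the user name, or '' if it is safe."""
    if arg is None:
        return ""                 # 'net user <name>' only displays the account
    a = arg.strip('"')
    if a == "*":
        return ""                 # prompts for the password; nothing is stored
    if a.startswith("/"):
        # no password token; with /add this creates a blank-password account
        return "blank password" if "/add" in (a + rest).lower() else ""
    if "%" in a or "!" in a:
        return ""                 # %VAR% / !VAR! expansion, not a literal
    return "literal password"

def find_password_issues(script: str) -> List[Tuple[int, str, str]]:
    """Scan a .bat/.cmd script and return (line_no, user, issue) per risky line."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        s = line.strip()
        if s.lower().startswith(("rem ", "::")):      # skip comments
            continue
        m = _NET_USER.search(s)
        if m:
            issue = _classify(m.group("arg"), m.group("rest"))
            if issue:
                findings.append((n, m.group("name").strip('"'), issue))
    return findings

# Constructed sample startup script (not from the thread) mixing safe and risky forms
SAMPLE_SCRIPT = """@echo off
rem constructed sample of a machine startup script
net user MyUser MyUser-Password /add
net localgroup Administrators MyUser /add
net user LocalAdmin * /add
net user SvcAcct %SVC_PW% /add
net user Helpdesk /add
cmd /c net user "Backup Op" "Secret 123" /add
net user MyUser /delete
"""
```

Running find_password_issues(SAMPLE_SCRIPT) reports lines 3 and 8 for literal passwords and line 7 for an account created with a blank password; the prompted, variable-based and /delete lines pass.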
 
LVL 23

Expert Comment

by:ComputerTechie
ID: 40034509
My script will ask for a password and does not show it on the screen.

CT
 

Author Comment

by:AvacadoGreen
ID: 40034537
Thanks for the help CT.  How would you suggest applying your script across multiple 2003 servers?  Sorry for not specifying that earlier, but I'm looking for a scalable solution to apply across many 2003 servers.
 
LVL 25

Accepted Solution

by: Coralon (earned 500 total points)
ID: 40036150
The problem is going to be that most scripting solutions don't allow you to transmit a password in the script, because of security concerns, hence my thought about changing the passwords after the fact.  

Again, start with your list of machines, and create this VBScript file:
Option Explicit

Dim sPassword, sRandomPassCharCount, sCharset
Dim iMin, iMax, i
Dim sUserName
Dim wshShell
Dim sCommand

' Name of the local account to create
sUserName = "MyUser"

' Seed the generator from the system timer; without this, Rnd repeats the same
' sequence on every run, so every server would end up with the same "random" password
Randomize

' The password will be between 16 and 32 characters long
iMin = 16
iMax = 32
sRandomPassCharCount = Int((iMax - iMin + 1) * Rnd + iMin)

' Letters and digits only: characters such as ^ & | are cmd.exe metacharacters
' and would be mangled or interpreted when passed on the command line below
sCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

sPassword = ""
For i = 1 To sRandomPassCharCount
	sPassword = sPassword & Mid(sCharset, Int(Len(sCharset) * Rnd + 1), 1)
Next

Set wshShell = CreateObject("WScript.Shell")

' Create the account with a hidden window (0) and wait for completion (True),
' so the group membership step does not run before the account exists
sCommand = "cmd.exe /c net user " & sUserName & " " & sPassword & " /add"
wshShell.Run sCommand, 0, True

sCommand = "cmd.exe /c net localgroup administrators " & sUserName & " /add"
wshShell.Run sCommand, 0, True

Set wshShell = Nothing



Then use your psexec command again.
for /f %%f in (servers.txt) do copy CreateLocalUser.vbs \\%%f\c$\windows\temp
for /f %%f in (servers.txt) do psexec -accepteula \\%%f cscript.exe //i c:\Windows\Temp\CreateLocalUser.vbs 


That should do it.  The first step of your master batch file copies the createlocaluser.vbs script to the c:\windows\temp directory on each of the servers.
The vbscript generates a random password on the fly, and then creates the user with that password.  The password only exists in RAM, so it's never visible.  Obviously, to use this account you'll need to remotely change the password after the fact, and that is a similar command:
for /f %%f in (serverlist.txt) do psexec \\%%f net user <username> <newpassword>


That one needs to be done interactively, so that the password is never visible.

Coralon
