Solved

Server 2003 Group Policy to Add Local Admin User

Posted on 2014-04-30
Last Modified: 2014-05-07
I have a fully patched 2003 R2 x64 server (including the Group Policy Extensions patch) that's joined to an AD domain. I'd like to create a group policy to create a new local user and add it to the built-in Administrators group. I have a policy that works fine for 2008 and later servers, but not for 2003 servers. Does anyone have any suggestions on how to do this? Thanks!
Question by:AvacadoGreen

Expert Comment

by:Cris Hanna
ID: 40033775
Are you trying to add several domain users from a particular group to be local admins on this server?

Expert Comment

by:Coralon
ID: 40033813
Just assigning a startup script should be easy enough to do. (Note: this is a machine-level startup script, not a user logon script.)

@echo off
rem Marker value in the registry stops the user being re-created on every boot. Test reg.exe's exit code rather than parsing its output: the "not found" message text differs between Windows versions and may be written to stderr, which for /f does not capture. net user needs /add to create (not just reset) the account.
reg query hklm\software\MyTestKey /v MyTestValue >nul 2>&1 || (net user MyUser MyUser-Password /add && net localgroup administrators MyUser /add && reg add hklm\Software\MyTestKey /v MyTestValue /d 1 /t REG_DWORD)


That's pretty much it. Once the users are created, you can modify those local accounts yourself with a similar command to keep the users from being able to discover the password.

To change it after the fact, you can grab a copy of psexec.exe from Microsoft (http://technet.microsoft.com/en-us/sysinternals/bb897553).

Create a list of your machines (just the names).  And of course, you'll do this from your own machine.

psexec.exe @serverlist.txt -h cmd.exe /c net user MyUser MyUserNewPassword


There are plenty of other scripting languages that can accomplish the same thing.  

Coralon

Expert Comment

by:ComputerTechie
ID: 40033817
You could create a script with the following.

rem The * switch makes net user prompt for the password, so it is neither echoed on screen nor stored in the script
net user LocalAdmin * /add
net localgroup "Administrators" "Domain\LocalAdmin" /add

This will allow you to create the user account and set the password.

Here is also more info on net user: http://support.microsoft.com/kb/251394

CT

Then reset the password for the LocalAdmin user.



You can also use.

Expert Comment

by:lionelmm
ID: 40034385
Using GPO, this shows you how to create a group, add users to that group, and then add that group to the local Administrators group: http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx

Author Comment

by:AvacadoGreen
ID: 40034494
The biggest concern I have is with users being able to view scripts containing passwords for accounts with administrative-level permissions. Are there any solutions that don't require typing the password out in plain text? Or is there a way to prevent users from viewing the account creation script without locking computers out of the group policy/script?
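A defender's check for the concern raised in this post, added here as an example that is not part of the thread: a small Python scanner that walks startup scripts (constructed samples below, modelled on the net user and psexec lines posted in this thread) and flags every `net user` line that carries a literal password rather than the `*` prompt or no password at all. Pointing it at a copy of the GPO Scripts folder is an assumption; the sample dictionary stands in for that folder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample scripts, modelled on the batch and psexec lines posted in this
# thread (not real SYSVOL content); the dict stands in for a scripts directory.
SAMPLE_SCRIPTS: Dict[str, str] = {
    "startup.bat": (
        "@echo off\n"
        "net user MyUser MyUser-Password /add\n"
        "net localgroup administrators MyUser /add\n"
    ),
    "prompted.cmd": (
        "net user LocalAdmin * /add\n"
        "net localgroup Administrators LocalAdmin /add\n"
    ),
    "reset.bat": "psexec.exe @serverlist.txt -h cmd.exe /c net user MyUser MyUserNewPassword\n",
}

# `net user <account> <second token>`: the second token decides whether a password is embedded.
NET_USER_RE = re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+(\S+)", re.IGNORECASE)


def find_embedded_passwords(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, account) for each net user line whose second argument
    is a literal password. `*` (interactive prompt) and a switch such as /add are not."""
    hits: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = NET_USER_RE.search(line)
        if m is None:
            continue
        account, second = m.group(1), m.group(2)
        if second == "*" or second.startswith("/"):
            continue
        hits.append((name, lineno, account))
    return hits


def scan(scripts: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan every script in the mapping (filename -> contents) and collect all findings."""
    findings: List[Tuple[str, int, str]] = []
    for name, text in scripts.items():
        findings.extend(find_embedded_passwords(name, text))
    return findings


if __name__ == "__main__":
    for file, lineno, account in scan(SAMPLE_SCRIPTS):
        print(f"{file}:{lineno}: literal password for account '{account}'")
```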

Expert Comment

by:ComputerTechie
ID: 40034509
My script will ask for the password and does not show it on the screen.

CT
Author Comment

by:AvacadoGreen
ID: 40034537
Thanks for the help CT.  How would you suggest applying your script across multiple 2003 servers?  Sorry for not specifying that earlier, but I'm looking for a scalable solution to apply across many 2003 servers.

Accepted Solution

by:Coralon
ID: 40036150
The problem is going to be that most scripting solutions don't allow you to transmit a password in the script, because of security concerns, hence my thought about changing the passwords after the fact.  

Again, start with your list of machines, and create this VBScript file:
Option Explicit

Dim sPassword, sRandomPassCharCount
Dim iMin, iMax, iAscii, i
Dim sUserName
Dim wshShell
Dim sCommand

' Name of the local account to create (same name as in the batch example above)
sUserName = "MyUser"

' Seed the generator from the clock; without Randomize, Rnd returns the same
' sequence on every run, so every server would get the same "random" password
Randomize

iMin = 16
iMax = 32
sRandomPassCharCount = Int((iMax - iMin + 1) * Rnd + iMin)
'The password will be this many characters long

sPassword = ""
For i = 1 To sRandomPassCharCount
	iMin = 65
	iMax = 122
	iAscii = Int((iMax - iMin + 1) * Rnd + iMin)
	sPassword = sPassword & Chr(iAscii)
Next

Set wshShell = CreateObject("WScript.Shell")

' Call net.exe directly rather than through cmd.exe /c, so characters such as ^
' in the generated password are not interpreted by the command interpreter.
' /y answers the confirmation prompt that 2003 shows for passwords longer than
' 14 characters. Run with a hidden window and wait for completion (Exec returns
' immediately), so the user exists before it is added to the group.
sCommand = "net.exe user " & sUserName & " " & sPassword & " /add /y"
wshShell.Run sCommand, 0, True

sCommand = "net.exe localgroup administrators " & sUserName & " /add"
wshShell.Run sCommand, 0, True

Set wshShell = Nothing

Then use your psexec command again:
for /f %%f in (servers.txt) do copy CreateLocalUser.vbs \\%%f\c$\windows\temp
for /f %%f in (servers.txt) do psexec -accepteula \\%%f cscript.exe //i c:\Windows\Temp\CreateLocalUser.vbs 

That should do it. The first step of your master batch file copies the CreateLocalUser.vbs script to the c:\windows\temp directory on each of the servers.
The vbscript generates a random password on the fly, and then creates the user with that password.  The password only exists in RAM, so it's never visible.  Obviously, to use this account you'll need to remotely change the password after the fact, and that is a similar command:
for /f %%f in (serverlist.txt) do psexec \\%%f net user <username> <newpassword>

That one needs to be done interactively, so that the password is never visible.

Coralon