AvacadoGreen
asked on
Server 2003 Group Policy to Add Local Admin User
I have a fully patched 2003 R2 x64 server (including the Group Policy Extensions patch) that's joined to an AD domain. I'd like to create a group policy to create a new local user and add it to the built-in Administrators group. I have a policy that works fine for 2008 and later servers, but not for 2003 servers. Does anyone have any suggestions on how to do this? Thanks!
Are you trying to add several domain users from a particular group to be local admins on this server?
Just assigning a startup script should be easy enough to do. (Note: this is a machine-level startup script, not a user logon script.)
@echo off
rem Runs once per machine: the user is created only while the registry marker is missing. The 2^>^&1 captures reg.exe's "Error: ..." message whether it goes to stdout or stderr, and /i makes the comparison case-insensitive.
for /f "tokens=1,2*" %%f in ('reg query hklm\Software\MyTestKey /v MyTestValue 2^>^&1') do if /i "%%f"=="ERROR:" (net user MyUser MyUser-Password /add && net localgroup Administrators MyUser /add && reg add hklm\Software\MyTestKey /v MyTestValue /d 1 /t REG_DWORD /f)
That's pretty much it. Once the users are created, you can modify those local accounts yourself with a similar command to keep the users from being able to discover the password.
To change it after the fact, you can grab a copy of psexec.exe from Microsoft (http://technet.microsoft.com/en-us/sysinternals/bb897553).
Create a list of your machines (just the names). And of course, you'll do this from your own machine.
psexec.exe @serverlist.txt -h cmd.exe /c net user MyUser MyUserNewPassword
There are plenty of other scripting languages that can accomplish the same thing.
Coralon
You could create a script with the following.
rem The * makes net user prompt for the password instead of putting it in the script; the account is local, so it has no domain prefix
net user LocalAdmin * /add
net localgroup "Administrators" "LocalAdmin" /add
This will allow you to create the user account and set the password.
Here is also more info on net user: http://support.microsoft.com/kb/251394
CT
Then reset the password for the LocalAdmin user.
You can also use.
Using a GPO, this shows you how to create a group, add users to that group, and then add that group to the local Administrators group. http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx
ASKER
The biggest concern I have is with users being able to view scripts containing passwords for accounts with administrative-level permissions. Are there any solutions that don't require typing the password out in plain-text? Or is there a way to prevent users from viewing the account creation script without locking computers out of the group policy/script?
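The concern above is one an admin can at least audit for: any `net user <name> <password>` line in a startup script stored in SYSVOL is readable by every authenticated user. The following is an added example, not code from this thread: a small Python check that scans script text for net user commands with a literal password, treats `*` (prompt) and a trailing switch as safe, and reports only the line and account; the sample script contents and UNC paths are constructed for the demonstration.

```python
import re

# Constructed sample script contents, in the style of the batch snippets in the thread
# (the UNC paths are placeholders, not a real domain).
SAMPLE_SCRIPTS = {
    r"\\example.local\SYSVOL\example.local\scripts\addadmin.cmd": (
        "@echo off\n"
        "for /f \"tokens=1,2*\" %%f in ('reg query hklm\\Software\\MyTestKey /v MyTestValue 2^>^&1') "
        "do if /i \"%%f\"==\"ERROR:\" (net user MyUser MyUser-Password /add && "
        "net localgroup Administrators MyUser /add)\n"
    ),
    r"\\example.local\SYSVOL\example.local\scripts\prompted.cmd": (
        "net user LocalAdmin * /add\n"
        "net localgroup \"Administrators\" \"LocalAdmin\" /add\n"
        "psexec.exe @serverlist.txt -h cmd.exe /c net user MyUser MyUserNewPassword\n"
    ),
}

# net user <account> <password> ... ; account and password may each be quoted.
NET_USER_RE = re.compile(
    r'(?i)\bnet(?:\.exe)?\s+user\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))'
)


def find_embedded_passwords(script_text):
    """Return (line_no, account) for every 'net user' command whose password is a
    literal token. '*' (prompt for it) and a following switch such as /add are not
    passwords, so those lines are not reported. The password itself is never
    returned, so the report can be shared without copying the secret."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), 1):
        for match in NET_USER_RE.finditer(line):
            account = match.group(1) or match.group(2)
            password = match.group(3) or match.group(4)
            if password == "*" or password.startswith("/"):
                continue
            findings.append((line_no, account))
    return findings


def audit_scripts(scripts):
    """Map each script path to its findings; a path with an empty list is clean."""
    return {path: find_embedded_passwords(text) for path, text in scripts.items()}


if __name__ == "__main__":
    for path, hits in audit_scripts(SAMPLE_SCRIPTS).items():
        for line_no, account in hits:
            print(f"{path}:{line_no}: literal password for account {account}")
```

Note that the psexec command in the sample is flagged too: moving the password out of SYSVOL and onto the admin's workstation still leaves it in a readable file or command history.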
My script will ask for the password and does not show it on the screen.
CT
ASKER
Thanks for the help CT. How would you suggest applying your script across multiple 2003 servers? Sorry for not specifying that earlier, but I'm looking for a scalable solution to apply across many 2003 servers.