Solved

Create local administrator account on client computer in Server 2003 domain environment

Posted on 2014-09-18
Last Modified: 2015-02-10
Hi,

Despite googling and researching for a solid 2 hours, I have not managed to find any promising solution.

I have an MS Windows Server 2003 domain environment with around 60 client computers running Windows 7 Pro. The built-in local administrator account on these Windows 7 machines is disabled.

I'm trying to add a local administrator account called <admin> and set a password for it.

Can someone help or give me some pointers? GPO would be preferable...

Many thanks in advance
Question by:Danbrasco
35 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 40330134
You mean you would like to create an account on the machine and then add it to the administrators group? The only way possible I can think of is using a PS script.

What you can do with policies is create a domain account and add this domain account to the local administrators group of all machines using a GPO, might that be feasible??
0
 

Author Comment

by:Danbrasco
ID: 40330174
Yes, but on the local Windows 7 computer. Can you give me more info about the PS script please?

I believe you are suggesting restricted groups policies in GPO. That will not be a local account, it will be a domain account with local admin privilege, so this is not for me.
0
 
LVL 3

Expert Comment

by:TropicalBound
ID: 40330181
The "Net User" and "Net LocalGroup" commands are what you want.

net user admin password <-- Creates the local account
net localgroup administrators /add admin <-- adds the account to the local administrators group

Put both of these commands in a batch file.  Use a GPO to run the script at startup.
0

 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40330188
Follow the steps:

1. Open Group Policy Management

2.Create a new Group Policy Object called “Local Users Login Account” and link it to the appropriate OU.

3. Open up the newly created GPO called “Local Users Login Account”.

4. Under the User Configuration Node, Select Preferences, Control Panel Settings, Local Users and Groups. Then Right Click and select New, Local User

5. In Action, Select Update. User name will be “your defined name". Under Full name, type in a descriptive name. Select a password in Password and Confirm Password, and Uncheck User must change password at next logon, and check Password never expires. Leave Account never expires checked. Click on OK.

6. Now go to the Computer Configuration Node, and select Preferences, Control Panel Settings, Local Users and Groups. Right click and select New, Local Group.

7. Under Action, select Update, in Group name, select Administrators (built-in), and then click on Add under Members. In the Add box, type in “your defined name" for the name and click OK. Now Click on OK again.

Now wait for the group policy to update. If you don’t want to wait, you can open up a command prompt on a workstation and type “gpupdate /force”

if you see the user being created but not added to the local administrators group, take a look at where you are assigning the GPO to. Ensure you are assigning it to User objects and Computer Objects.

For details please see the attached:
create-admin-account-via-gpo.JPG
0
 

Author Comment

by:Danbrasco
ID: 40330200
Hi TropicalBound,

Would this batch file be applied to users or computers in the GPO?

If applied to users, how do I run it as administrator? It doesn't work otherwise.

Thanks
0
 

Author Comment

by:Danbrasco
ID: 40330202
Hi Zacharia Kurian,

Option you suggested applies to server 2008 and above
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40330206
Forgot to mention this;

I hope your GPO is stored in the central store and you have added the Windows Vista/Windows 7 ADMX. If not, follow the link below:


http://technet.microsoft.com/en-us/library/cc766208%28WS.10%29.aspx
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330243
I'd suggest looking at this script, it might just work for what you need. Also make sure to run the script at startup.

http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx

@Tropical. I never heard of this command line tool (never too old to learn) and googled it, but it says that this is only intended for server versions, not workstations. Am I misinterpreting it?
0
 

Author Comment

by:Danbrasco
ID: 40330270
Just to make my scenario clear, I have 1 DC running on Server 2003 and 60 clients on Windows 7 Pro.

rhandels, is your suggestion still applicable?
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330294
Yes it is.. Even with W7 and Server 2003.. Create the PS script that creates a user, add a policy to the computers OU (preferably test with 1 machine) and run the script at startup.

I would test it on 1 machine manually though so you are 100% sure the script functions properly.
0
 
LVL 13

Expert Comment

by:Gabriel Clifton
ID: 40330322
Here you have a problem, creating a user or enabling the admin and setting password is not available in server 2003 and no longer available in 2008. You can create a script to do this, but you are looking at sending everything clear text. Tropical's solution does work in a startup batch script.
0
 

Author Comment

by:Danbrasco
ID: 40330343
Thanks rhandels, I'm gonna try it for sure.

Do I apply the script on startup under the Computer Configuration or User Configuration?

Also, I just want to set up one local user called admin (with administrative privileges) and set the password as Pa55word123. Just to save some time and effort, can you edit the PS script and post it? This will be very helpful.

Cheers
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330383
<<Do i apply the script on start up under the computer configuration or User Configuration?>>

Nope, you need to add it to the computer configuration and then startup. In user configuration you can only do logon or logoff.. Also assign the GPO to the OU where the computer accounts reside..

<<Also, I just want to set up one local user called admin (with administrative privileges) and set the password as Pa55word123. Just to save some time and effort, can you edit the PS script and post it? This will be very helpful.>>

I would suggest trying to do it yourself so you get a feeling on how it works. Also, I am really really not interested in the passwords you will be using :) :)
0
 

Author Comment

by:Danbrasco
ID: 40330417
Thanks for getting back, but I can't find the setup you are talking about. Check the screenshot:
screencapture.JPG
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40330452
You need to add the script into the startup/shutdown option.. It's directly below Windows Settings (the white text document)
0
 
LVL 9

Expert Comment

by:Zacharia Kurian
ID: 40330754
I would still suggest you update your GPO central store with the Windows Vista and Windows 7 ADMX and try the group policy. I am wondering how you are managing your Windows 7 clients through a Windows 2003 domain without updating your central GPO store.
0
 

Author Comment

by:Danbrasco
ID: 40330792
rhandels, I ran the PS script and am getting the following error:

A value for $user and $password is required.

       Try this: CreateLocalUser.ps1 -help ?
At C:\Users\tseringd\Desktop\CreateLocalUser.ps1:87 char:15
+        $(Throw <<<<  'A value for $user and $password is required.
    + CategoryInfo          : OperationStopped: (A value for $us...ser.ps1 -help ?:String) [],
 RuntimeException
    + FullyQualifiedErrorId : A value for $user and $password is required.

       Try this: CreateLocalUser.ps1 -help ?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40331564
This problem is easy. In ADUC, create admin, also create a group locadmins. Use restricted groups to add that group locadmin to local administrators.
The problem with startup scripts is that they can be accessed by the computer accounts; that means local administrators will be able to impersonate SYSTEM, read your script in plain text and own all client machines at once.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40332042
Although I do agree with you McKnife, I believe he wanted to have an admin on the local machine and not a domain account.

But looking at it, this just might be the better idea: create the domain account and add it into the local administrators group.

And looking at the error Dan it looks like you do need to add a username and password value into the script.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40332076
> he wanted to have an admin on the local machine and not a domain account
If so, why would that admin have the same name and password? That would be no difference, security wise, if we take a domain account or a local admin, both would be able to logon to all.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40332081
> he wanted to have an admin on the local machine and not a domain account
> If so, why would that admin have the same name and password? That would be no difference, security wise, if we take a domain account or a local admin, both would be able to logon to all.

I believe he wanted to name the account admin instead of administrator but even so.. I do agree with you that it would be wiser to create a domain account ( and that much easier :)) to get this working..
0
 

Author Comment

by:Danbrasco
ID: 40332233
Hi,
To the Experts who suggested creating a domain user, making it local admin and implementing a restricted groups GPO: I understand your point and this is already in place and implemented. The reason I'm trying to create a local user with local administrative privilege is that I had a few instances where a client got disconnected from the domain and the only way to log on to that terminal was by using a local credential.

So, I need to find a way to create a local admin user on all the Windows 7 machines in a domain environment with Server 2003 as the DC.
0
 

Author Comment

by:Danbrasco
ID: 40332260
Rhandels,

The computer name will be different for all the computers.

Where in the PS script should I assign the username and password values?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40332291
Having a common administrative account that uses the same password everywhere is quite risky. I advise you to use the following script instead:
rem the parentheses make the redirect capture the output of both commands, including the generated password
(net user /add admin /random && net localgroup administrators /add admin) >\\server\adminshare\%computername%.txt

The resultant text file will look like this:
net user /add admin /random && net localgroup administrators /add admin
Password for admin is: 0gZ871a-
The command completed successfully.
The command completed successfully.

The /random option creates a random password. It consists of 8 random characters. You will have the text files as a reference.
0
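The following is an added example, not code from this thread or from any of its posters. It combines TropicalBound's startup-script approach (net user / net localgroup) with McKnife's per-machine random password, and addresses McKnife's caveat that a startup script in SYSVOL is readable in plain text: the script itself contains no secret, and the password record it writes to the share is encrypted to a public key before it leaves the machine. It is written in PowerShell 2.0 syntax (ADSI WinNT provider, no New-LocalUser) so it runs on Windows 7 as shipped. The account name "admin", the share \\server\adminshare, the certificate file recovery.cer and the functions New-RandomPassword, Get-AdministratorsGroupName, Set-LocalAdmin and Protect-Record are all my assumptions, not names from the thread.

```powershell
# Added example (not from the thread): computer-startup script that creates a
# local administrator with a random per-machine password and records that
# password only in encrypted form. Every name below is a placeholder.
param(
    [string]$UserName  = 'admin',                            # assumed account name
    [string]$RecordDir = '\\server\adminshare',              # assumed drop share (Domain Computers: write)
    [string]$CertPath  = '\\server\adminshare\recovery.cer'  # assumed public cert, no private key on it
)
$ErrorActionPreference = 'Stop'   # any failure (share unreachable, bad cert) aborts before the account changes

function New-RandomPassword {
    param([int]$Length = 20)
    # Look-alike characters (0/O, 1/l/I) are left out for when the password is typed at a console.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
    $n     = $alphabet.Length
    $limit = [math]::Floor(256 / $n) * $n   # reject bytes >= limit so no character is favoured (modulo bias)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider   # OS CSPRNG, not Get-Random
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $n]) }
    }
    $sb.ToString()
}

function Get-AdministratorsGroupName {
    # Resolve the built-in Administrators group by its well-known SID so the script
    # also works on localized Windows where the group has another display name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
}

function Set-LocalAdmin {
    param([string]$Name, [string]$Password)
    $userPath = "WinNT://$env:COMPUTERNAME/$Name,user"
    if (-not [ADSI]::Exists($userPath)) {
        $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
        $new = $computer.Create('user', $Name)
        $new.SetPassword($Password)
        $new.SetInfo()
    }
    $user = [ADSI]$userPath                 # re-bind so the property cache is populated
    $user.SetPassword($Password)            # rotates the password on every boot
    $user.UserFlags.Value = $user.UserFlags.Value -bor 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
    $user.SetInfo()

    $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-AdministratorsGroupName),group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -notcontains $Name) { $group.Add($userPath) }
}

function Protect-Record {
    param([string]$Text, [string]$CertPath)
    # RSA-OAEP to the recovery certificate's public key (2048-bit key: record must stay
    # under 214 bytes). Only the holder of the private key, kept off the share, can read it.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    [Convert]::ToBase64String($cert.PublicKey.Key.Encrypt($bytes, $true))
}

$password = New-RandomPassword -Length 20
$record   = "{0}`t{1}`t{2}`t{3}" -f $env:COMPUTERNAME, (Get-Date -Format s), $UserName, $password
$blob     = Protect-Record -Text $record -CertPath $CertPath
# Record first: if the share cannot be written, the script stops here and the
# account keeps the password that was last recorded successfully.
Set-Content -Path (Join-Path $RecordDir "$env:COMPUTERNAME.txt") -Value $blob
Set-LocalAdmin -Name $UserName -Password $password
Remove-Variable password, record
```

A Server 2003 GPMC has no PowerShell Scripts tab, so register this as a computer startup script whose script name is %SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe with parameters -NoProfile -ExecutionPolicy Bypass -File followed by the path of the .ps1 in SYSVOL. The startup script runs as SYSTEM and reaches the share as the computer account, so the share needs write access for Domain Computers (McKnife's point about share and NTFS permissions) but no read or list access; an administrator holding the certificate's private key reads a record back with $cert.PrivateKey.Decrypt([Convert]::FromBase64String($blob), $true). Whether the script ran at all is visible on the client with gpresult /r /scope computer, as McKnife suggests.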
 

Author Comment

by:Danbrasco
ID: 40332324
Ok, rhandels and other experts,

I created the ps1 script suggested in the following blog:

http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx

Tested on the local machine and it works fine. Only that I have to type .\CreateLocalUser.ps1 -user admin -password Pa55word123

However, when I set it up to run at startup using GPO, there's been no joy.

Any help or pointers?
0
 

Author Comment

by:Danbrasco
ID: 40332334
I'm posting a screenshot of the GPO I'm currently using, with parameters. Please correct me if I'm wrong:
screencapture1.JPG
0
 
LVL 23

Expert Comment

by:rhandels
ID: 40332353
Did you add the GPO to the OU where the machines reside? Also, after adding this did you do a gpupdate /force?

Also, but this is indeed your own risk: it would be wise to choose a random password or at least something more restrictive than what you are using now. At least 20 characters.
0
 

Author Comment

by:Danbrasco
ID: 40332356
McKnife, I've already tried your net command batch script. It works fine in an admin elevated CLI (when done locally on the computer), but when I run the script (logon) in GPO, it just fails.

I did the following:

Created a batch file with the following script:

runas /user:administrator -p %1 \\ServerName\SYSVOL\testdomain.local\scripts\localUserCreate.bat

The above script will call another script in the same network folder called localUserCreate.bat with the following script:

net user admin Pa55word123 /add
net localgroup administrators /add admin
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40332371
Danbrasco... you need to run it as startup script, a logon script does not run elevated.
0
 

Author Comment

by:Danbrasco
ID: 40332374
rhandels, yes, I applied the GPO solely to the computer I'm testing (i.e. by using the computer name), and yes, I have been updating GP by using gpupdate /force every time I change something in the GPO.

With regards to the password security, point noted. But for now, I'll concentrate on getting the PS script running/working using GPO.
0
 

Author Comment

by:Danbrasco
ID: 40332381
McKnife, I'm applying the script in the startup under Computer Config (have a look at the last screenshot I have posted). Am I missing something?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40332393
You took my code line by line? Saved it as createadmin.bat (or something like this) and put it right there? You made such a share \\server\adminshare writable to the group domain computers (at share and NTFS level) ? Then it would work.
0
 

Accepted Solution

by: Danbrasco (earned 0 total points)
ID: 40332694
McKnife, I did exactly what you suggested, but sorry to say I had no joy so far. For this share folder, I have given Everyone, Domain Users and Domain Computers full access (NTFS) and Everyone full access on the network share.

Any more pointers?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40591519
Please consider: the script is simple and there is no room for failure. It works here and it will work on any test system.
If you like we can look at it again; I don't know why I did not continue and ask you for more info on why it might fail.
You would need to look at gpresult/rsop.msc to see whether it got executed.
0
 

Author Closing Comment

by:Danbrasco
ID: 40600290
Didn't get any answers, only workarounds which are either not applicable or don't work.
0
