Solved

Create local administrator account on client computer in Server 2003 domain environment

Posted on 2014-09-18
160 Views
Last Modified: 2015-02-10
Hi,

Despite googling and researching for a solid 2 hours, I have not managed to find any promising solution.

I have an MS Windows Server 2003 domain environment with around 60 client computers running Windows 7 Pro. The built-in local Administrator account on these Windows 7 machines is disabled.

I'm trying to add a local administrator account called <admin> and set a password for it.

Can someone help or give me some pointers? A GPO would be preferable...

Many thanks in advance
Question by: Danbrasco
35 Comments
 
Expert Comment by rhandels (LVL 23):
You mean you would like to create an account on the machine and then add it to the Administrators group? The only way possible I can think of is using a PS script.

What you can do with policies is create a domain account and add this domain account to the local Administrators group of all machines using a GPO. Might that be feasible?
Author Comment by Danbrasco:
Yes, but on the local Windows 7 computer. Can you give me more info about the PS script, please?

I believe you are suggesting restricted policies in GPO. This will not be a local account; it will be a domain account with local admin privilege, so this is not for me.
Expert Comment by TropicalBound (LVL 3):
The "net user" and "net localgroup" commands are what you want.

net user admin password /add               <-- creates the local account (/add is required; without it, net user only sets the password of an existing account)
net localgroup administrators /add admin   <-- adds the account to the local Administrators group

Put both of these commands in a batch file. Use a GPO to run the script at startup.
Expert Comment by Zacharia Kurian (LVL 9):
Follow these steps:

1. Open Group Policy Management.

2. Create a new Group Policy Object called “Local Users Login Account” and link it to the appropriate OU.

3. Open up the newly created GPO called “Local Users Login Account”.

4. Under the User Configuration node, select Preferences, Control Panel Settings, Local Users and Groups. Then right-click and select New, Local User.

5. In Action, select Update. User name will be “your defined name”. Under Full name, type in a descriptive name. Enter a password in Password and Confirm Password, uncheck “User must change password at next logon”, and check “Password never expires”. Leave “Account never expires” checked. Click OK.

6. Now go to the Computer Configuration node and select Preferences, Control Panel Settings, Local Users and Groups. Right-click and select New, Local Group.

7. Under Action, select Update; in Group name, select Administrators (built-in), and then click Add under Members. In the Add box, type in “your defined name” for the name and click OK. Now click OK again.

Now wait for the group policy to update. If you don’t want to wait, you can open a command prompt on a workstation and type “gpupdate /force”.

If you see the user being created but not added to the local Administrators group, take a look at where you are assigning the GPO. Ensure you are assigning it to both User objects and Computer objects.

For details, please see the attached:
create-admin-account-via-gpo.JPG
Author Comment by Danbrasco:
Hi TropicalBound,

Would this batch file be applied to the user or the computer in the GPO?

If to users, how do I run it as administrator? It doesn't work otherwise.

Thanks
Author Comment by Danbrasco:
Hi Zacharia Kurian,

The option you suggested applies to Server 2008 and above.
Expert Comment by Zacharia Kurian (LVL 9):
Forgot to mention this:

I hope your GPO uses the central store and you have added the Windows Vista/Windows 7 ADMX files. If not, follow the link below:

http://technet.microsoft.com/en-us/library/cc766208%28WS.10%29.aspx
Expert Comment by rhandels (LVL 23):
I'd suggest looking at this script; it might just work for what you need. Also make sure to run the script at startup.

http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx

@Tropical: I had never heard of this command line tool (never too old to learn) and googled it, but it says that this is only intended for server versions, not workstations. Am I misinterpreting it?
Author Comment by Danbrasco:
Just to make my scenario clear: I have 1 DC running on Server 2003 and 60 clients on Windows 7 Pro.

rhandels, is your suggestion still applicable?
Expert Comment by rhandels (LVL 23):
Yes it is, even with W7 and Server 2003. Create the PS script that creates a user, add a policy to the computers OU (preferably test with 1 machine) and run the script at startup.

I would test it on 1 machine manually though so you are 100% sure the script functions properly.
Expert Comment by Gabriel Clifton (LVL 13):
Here you have a problem: creating a user or enabling the admin and setting a password is not available in Server 2003 and is no longer available in 2008. You can create a script to do this, but you are looking at sending everything in clear text. Tropical's solution does work in a startup batch script.
Author Comment by Danbrasco:
Thanks rhandels, I'm going to try it for sure.

Do I apply the script at startup under Computer Configuration or User Configuration?

Also, I just want to set up one local user called admin (with administrative privileges) and set the password as Pa55word123. Just to save some time and effort, can you edit the PS script and post it? This would be very helpful.

Cheers
Expert Comment by rhandels (LVL 23):
<<Do I apply the script at startup under Computer Configuration or User Configuration?>>

Nope, you need to add it to the Computer Configuration and then Startup. In User Configuration you can only do logon or logoff. Also assign the GPO to the OU where the computer accounts reside.

<<Also, I just want to set up one local user called admin (with administrative privileges) and set the password as Pa55word123. Just to save some time and effort, can you edit the PS script and post it? This would be very helpful.>>

I would suggest trying to do it yourself so you get a feeling for how it works. Also, I am really, really not interested in the passwords you will be using :) :)
Author Comment by Danbrasco:
Thanks for getting back, but I can't find the setup you are talking about. Check the screenshot:
screencapture.JPG
Expert Comment by rhandels (LVL 23):
You need to add the script under the Startup/Shutdown option. It's directly below Windows Settings (the white text document icon).
Expert Comment by Zacharia Kurian (LVL 9):
I would still suggest that you update your GPO central store with the Windows Vista and Windows 7 ADMX files and try the group policy. I am wondering how you are managing your Windows 7 clients through a Windows 2003 domain without updating your central GPO store.
Author Comment by Danbrasco:
rhandels, I ran the PS script and am getting the following error:

A value for $user and $password is required.

       Try this: CreateLocalUser.ps1 -help ?
At C:\Users\tseringd\Desktop\CreateLocalUser.ps1:87 char:15
+        $(Throw <<<<  'A value for $user and $password is required.
    + CategoryInfo          : OperationStopped: (A value for $us...ser.ps1 -help ?:String) [],
 RuntimeException
    + FullyQualifiedErrorId : A value for $user and $password is required.

       Try this: CreateLocalUser.ps1 -help ?
Expert Comment by McKnife (LVL 53):
This problem is easy. In ADUC, create admin, and also create a group locadmins. Use Restricted Groups to add that group locadmins to local Administrators.
The problem with startup scripts is that they can be accessed by the computer accounts; that means local administrators will be able to impersonate SYSTEM, read your script in plain text and own all client machines at once.
Expert Comment by rhandels (LVL 23):
Although I do agree with you, McKnife, I believe he wanted to have an admin on the local machine and not a domain account.

But looking at it, this might just be the better idea: create the domain account and add it to the local Administrators group.

And looking at the error, Dan, it looks like you do need to add a username and password value to the script.
Expert Comment by McKnife (LVL 53):
> he wanted to have an admin on the local machine and not a domain account
If so, why would that admin have the same name and password? That would make no difference, security-wise, whether we take a domain account or a local admin; both would be able to log on to all of them.
Expert Comment by rhandels (LVL 23):
> > he wanted to have an admin on the local machine and not a domain account
> If so, why would that admin have the same name and password? That would make no difference, security-wise, whether we take a domain account or a local admin; both would be able to log on to all of them.

I believe he wanted to name the account admin instead of administrator, but even so, I do agree with you that it would be wiser to create a domain account (and that much easier :)) to get this working.
Author Comment by Danbrasco:
Hi,
To the experts who suggested creating a domain user, making it a local admin and implementing a Restricted Groups GPO: I understand your point, and this is already in place and implemented. The reason I'm trying to create a local user with local administrative privilege is that I have had a few instances where a client got disconnected from the domain and the only way to log on to that terminal was by using some local credential.

So, I need to find a way to create a local admin user on all the Windows 7 machines in a domain environment with Server 2003 as the DC.
Author Comment by Danbrasco:
Rhandels,

The computer name will be different for all the computers.

Where in the PS script should I assign the username and password values?
Expert Comment by McKnife (LVL 53):
Having a common administrative account that uses the same password everywhere is quite risky. I advise you to use the following script instead:

rem the parentheses make the redirection cover both commands, so the generated password line lands in the file
(net user /add admin /random && net localgroup administrators /add admin) >\\server\adminshare\%computername%.txt

The resultant text file will look like this:
net user /add admin /random && net localgroup administrators /add admin
Password for admin is: 0gZ871a-
The command completed successfully.
The command completed successfully.

The /random option creates a random password. It consists of 8 random characters. You will have the text files as a reference.
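As an added example (not code from the thread or from any of the posters), the same job as TropicalBound's batch file and McKnife's net user /random line, written as a PowerShell startup script for the Windows 7 clients: it creates the local account only if it is missing, generates a per-machine 20-character password from a cryptographic RNG instead of one shared password, records it in a per-computer file on a share before the account is created, and adds the account to Administrators only if it is not already a member, so re-running at every boot is harmless. Windows 7 has no New-LocalUser cmdlet, so the WinNT ADSI provider is used. The account name, the share path and the description text are assumptions.

```powershell
# Added example: GPO *startup* script (runs as SYSTEM, so no runas is needed).
# Assumed values: account name, share path. Windows 7 / PowerShell 2.0 has no
# New-LocalUser, so the WinNT ADSI provider is used throughout.
$AccountName = 'admin'
$OutputShare = '\\server\adminshare'   # assumed; see permissions note below
$Computer    = $env:COMPUTERNAME

function New-RandomPassword {
    # Characters from a CSPRNG; rejection sampling removes the modulo bias a
    # plain "byte % alphabet length" would introduce.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size <= 256
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $out.ToString()
}

$userPath  = "WinNT://$Computer/$AccountName,user"
$groupPath = "WinNT://$Computer/Administrators,group"   # group name is localized on non-English Windows

if (-not [ADSI]::Exists($userPath)) {
    $password = New-RandomPassword -Length 20

    # Record the password BEFORE creating the account: if the share is not
    # reachable, stop here rather than create an account nobody can log on with.
    # One tab-separated line per machine; Out-File overwrites the previous record.
    try {
        "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format s), $Computer, $AccountName, $password |
            Out-File -FilePath "$OutputShare\$Computer.txt" -Encoding ASCII -ErrorAction Stop
    } catch {
        Write-Error "Could not record the password to $OutputShare; account not created. $_"
        exit 1
    }

    $machine = [ADSI]"WinNT://$Computer,computer"
    $user = $machine.Create('User', $AccountName)
    $user.SetPassword($password)
    $user.SetInfo()                                   # object must exist before flags can be changed
    $user.Description = 'Local break-glass administrator (created by startup script)'
    # ADS_UF_DONT_EXPIRE_PASSWD (0x10000): the account has to stay usable on a
    # machine that has lost its domain trust, where nobody can reset it centrally.
    $flags = [int]$user.psbase.InvokeGet('UserFlags')
    $user.psbase.InvokeSet('UserFlags', ($flags -bor 0x10000))
    $user.SetInfo()
}

# Membership is re-checked at every boot, so removing the account from
# Administrators by hand is undone at next startup; Add() on an existing member
# would throw, hence the check first.
$group   = [ADSI]$groupPath
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
if ($members -notcontains $AccountName) {
    $group.Add($userPath)
}
```

Two deployment details matter here. The GPO editor on a Server 2003 domain controller has no PowerShell Scripts tab, so the script is added under Computer Configuration, Windows Settings, Scripts (Startup/Shutdown), Startup with script name powershell.exe and parameters -NoProfile -ExecutionPolicy Bypass -File followed by the full path of the .ps1 placed in that GPO's startup script folder; a .ps1 listed on its own will not run. The share should give Domain Computers only Change at the share level and "Create files / write data" (no Read) on the folder at NTFS level, with read access reserved for the administrators who need the passwords: the script in SYSVOL then contains no secret, which addresses McKnife's point about scripts being readable by every computer account, and a single compromised workstation cannot read the other machines' records. This version does not rotate an existing password; add that only if the record is written first, as above.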
Author Comment by Danbrasco:
OK, rhandels and other experts,

I created the ps1 script suggested in the following blog:

http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx

Tested it on the local machine and it works fine, only that I have to type .\CreateLocalUser.ps1 -user admin -password Pa55word123

However, when I set it up to run at startup using a GPO, there's been no joy.

Any help or pointers?
Author Comment by Danbrasco:
I'm putting up a screenshot of the GPO I'm currently using, with parameters. Please correct me if I'm wrong:
screencapture1.JPG
Expert Comment by rhandels (LVL 23):
Did you add the GPO to the OU where the machines reside? Also, after adding this, did you do a gpupdate /force?

Also, though this is indeed at your own risk: it would be wise to choose a random password, or at least something more restrictive than what you are using now. At least 20 characters.
Author Comment by Danbrasco:
McKnife, I've already tried your net command batch script. It works fine in an admin elevated CLI (when done locally on the computer), but when I run the script (logon) in the GPO, it just fails.

I did the following:

Created a batch file with the following script:

runas /user:administrator -p %1 \\ServerName\SYSVOL\testdomain.local\scripts\localUserCreate.bat

The above script calls another script in the same network folder called localUserCreate.bat, with the following contents:

net user admin Pa55word123 /add
net localgroup administrators /add admin
Expert Comment by McKnife (LVL 53):
Danbrasco... you need to run it as a startup script; a logon script does not run elevated.
Author Comment by Danbrasco:
rhandels, yes, I applied the GPO solely to the computer I'm testing (i.e. by using the computer name), and yes, I have been updating Group Policy by using gpupdate /force every time I change something in the GPO.

With regards to the password security, point noted. But for now, I'll concentrate on getting the PS script running/working using the GPO.
Author Comment by Danbrasco:
McKnife, I'm applying the script at startup under Computer Config (have a look at the last screenshot I posted). Am I missing something?
Expert Comment by McKnife (LVL 53):
You took my code line by line? Saved it as createadmin.bat (or something like that) and put it right there? You made the share \\server\adminshare writable by the group Domain Computers (at share and NTFS level)? Then it would work.
Accepted Solution by Danbrasco (earned 0 total points):
McKnife, I did exactly what you suggested but, sorry to say, I have had no joy so far. For this shared folder, I have given Everyone, Domain Users and Domain Computers full access (NTFS) and Everyone full access on the network share.

Any more pointers?
Expert Comment by McKnife (LVL 53):
Please consider: the script is simple and there is no room for failure. It works here and it will work on any test system.
If you like, we can look at it again; I don't know why I did not continue and ask you for more info on why it might fail.
You would need to look at gpresult/rsop.msc to see whether it got executed.
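As an added example (not from the thread), a check that goes through the steps McKnife points at, run from an elevated PowerShell prompt on one of the Windows 7 clients: which computer GPOs were applied, whether the Scripts client-side extension actually ran at the last boot, and whether the account exists and sits in Administrators. The account name is an assumption; the event IDs 4016/5016 are the generic "extension processing started/completed" events of the Group Policy operational log, and gpresult's heading text is the English one.

```powershell
# Added example: verify on a client whether the startup-script GPO applied and
# did its job. Run from an elevated PowerShell prompt on the Windows 7 machine.
# Assumption: the account the startup script is meant to create is named 'admin'.
$AccountName = 'admin'

# 1. Which computer GPOs applied at the last refresh (/scope:computer needs elevation).
#    If the GPO is missing here, it is a linking/filtering problem, not a script problem.
$gpresult = gpresult /r /scope:computer
$gpresult | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8

# 2. Did the Scripts client-side extension run at the last boot, and with what
#    result? 4016 = extension processing started, 5016 = completed (message carries
#    the error code); filter to the Scripts extension only.
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 500 |
    Where-Object { ($_.Id -eq 4016 -or $_.Id -eq 5016) -and $_.Message -match 'Scripts' } |
    Select-Object TimeCreated, Id, Message | Format-List

# 3. What the script should have produced: the account, and its membership in
#    the built-in Administrators group (WinNT provider, works on Windows 7).
$exists  = [ADSI]::Exists("WinNT://$env:COMPUTERNAME/$AccountName,user")
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$isAdmin = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}) -contains $AccountName

New-Object PSObject -Property @{
    Account          = $AccountName
    Exists           = $exists
    InAdministrators = $isAdmin
}
```

Reading the three results together separates the failure modes the thread cycles through: GPO not listed means it never reached the computer object's OU; GPO listed but no Scripts events means the extension did not run (or a logon rather than startup script was configured); events present with a non-zero code means the script started but failed, which for a .ps1 is usually the execution policy or the script being listed directly instead of via powershell.exe -File.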
Author Closing Comment by Danbrasco:
Didn't get any answers, only workarounds which are either not applicable or don't work.