#131393 - 2004-12-15 11:55 PM add domain group to local admin while not in domain
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Hey guys, I am using netdom to add XP machines to the domain (and to rename and move containers). While doing the same for win2k, I could run 'net localgroup administrators /add "domain\IT Staff"', but XP will not do that... it complains about security trusts.

shell 'netdom join /domain:domain ...'
shell 'netdom renamecomputer @wksta ...'
shell 'cmd /c net localgroup administrators /domain ...'

Can someone work out a method for this? I figure RUNAS would do it, but haven't been able to work around it.

I will have variables populated already with ladmin & PW and dadmin & PW.

I have the netdom statements working, it is just the localgroup statement that is choking. It needs to run while Ladmin is logged on and not domain member yet.
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#131394 - 2004-12-16 01:29 AM Re: add domain group to local admin while not in domain
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
I have experienced what you're speaking of Rad, but have not spent any time trying to overcome it.

Basically in XP/2003 if the machine is NOT a member of the Domain yet, it won't allow you to add accounts or groups from the Domain.

I'm not sure if it is some policy setting that can be altered on the local box or what. But as you say, did not appear to be an issue on Windows 2000, sort of. If you had less than SP2 or SP3 then I think it too didn't work.

Top
#131395 - 2004-12-16 02:40 AM Re: add domain group to local admin while not in domain
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Have you thought of splitting your script into two pieces?

1) set up a run task and auto logon as domain admin account
2) run NETDOM with /REBoot


Computer reboots and is now a member of domain

3) auto logon as domain admin (since "Domain Admins" group is now in local administrators)
4) finish other tasks
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#131396 - 2004-12-16 04:01 AM Re: add domain group to local admin while not in domain
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Once netdom join has run, if you look in usermangler, you can see the SID of Dadmin, but it hasn't been resolved... at least until it reboots.

I may try to put it in a runonce, but hopefully runas might do it... unless I can make it more complex with NTDS
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#131397 - 2004-12-16 04:32 AM Re: add domain group to local admin while not in domain
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Doesn't joining a domain automatically add the domain administrators group to the local administrators group? IIRC, it still requires a reboot to become active, though.
_________________________
There are two types of vessels, submarines and targets.

Top
#131398 - 2004-12-16 03:19 PM Re: add domain group to local admin while not in domain
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
well, so does the joining itself require reboot, iirc.
_________________________
!

download KiXnet

Top
#131399 - 2004-12-16 03:36 PM Re: add domain group to local admin while not in domain
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
Joining did add the domain admins SID, but I need to add another group and a user... without rebooting if possible
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#131400 - 2004-12-16 03:55 PM Re: add domain group to local admin while not in domain
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
I know this doesn't answer the question but what about scheduling the add to fire on next boot?
this way it would run on as the super user and would worky... no?
_________________________
!

download KiXnet

Top
#131401 - 2004-12-16 03:58 PM Re: add domain group to local admin while not in domain
Radimus Moderator Offline
Moderator
*****

Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
I'm looking at runonce
_________________________
How to ask questions the smart way <-----------> Before you ask

Top
#131402 - 2004-12-16 04:17 PM Re: add domain group to local admin while not in domain
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Instead of having code on the local computer that has to autologon with admin rights and/or run with impersonation, what about trying a different approach?

Join all new computers into a special temporary OU and assign a GPO "Startup" (not logon) script to the OU. IIRC, "Startup" scripts run in the local system security context. Do all the things you need to do from there and as the last step, move it to the designated OU.

Another approach may be to split the tasks between a "Startup" script and a central admin script that watches the special OU and takes care of domain admin related stuff.

Just a thought...
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
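The "Startup" script approach from the last post, sketched as an added example that is not code from any poster in this thread. It assumes PowerShell is installed on the workstation (it is not native to the XP/2003 systems discussed), and the domain `EXAMPLE`, the user `jdoe` and the log path are placeholders; it runs as local system after the reboot that completes the join, so no admin password has to be stored or auto-logged-on.

```powershell
# Added example: computer Startup script (local system context) linked to the
# temporary staging OU. Domain, user and log path below are placeholders.
$Domain   = 'EXAMPLE'                               # placeholder NetBIOS domain name
$Accounts = @(
    @{ Name = 'IT Staff'; Class = 'group' },        # group named in the thread
    @{ Name = 'jdoe';     Class = 'user'  }         # placeholder user
)
$Log = Join-Path $env:SystemRoot 'Temp\localadmin-startup.log'

function Write-Log([string]$Message) {
    Add-Content -Path $Log -Value ("{0}  {1}" -f (Get-Date -Format s), $Message)
}

# Domain principals only resolve once the machine is a domain member.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Log 'Not a domain member yet; nothing added.'
    exit 0
}

$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Current members as ADsPath strings, e.g. WinNT://EXAMPLE/Domain Admins
$current = @($admins.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

foreach ($a in $Accounts) {
    $bare = "WinNT://$Domain/$($a.Name)"
    if ($current -contains $bare) {                 # idempotent: safe on every boot
        Write-Log "Already a member: $Domain\$($a.Name)"
        continue
    }
    try {
        $admins.psbase.Invoke('Add', "$bare,$($a.Class)")
        Write-Log "Added to local Administrators: $Domain\$($a.Name)"
    } catch {
        Write-Log "FAILED to add $Domain\$($a.Name): $($_.Exception.Message)"
    }
}
```

Because the script is idempotent, it can stay linked to the staging OU until the machine is moved to its designated OU; the log gives a per-machine record of what was granted local admin rights and when.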