|
Agreed... Unless you know specifically every employee who should be a local admin on which machines it will be rather difficult to automate.
I actually would not get rid of the Local Admin group you put in place, I'd just remove everyones membership except your desktop support people. That way they will maintain Admin rights on all desktops when they logon.
Unless you have a very documented and strict work force (which it does not sound like) it will be difficult to achieve what you're asking via an automated method.
For now maybe just run the code to allow people who logon locally to add their own account to the local admin group. Then in a couple weeks disable that portion of the script and then remove everyone from that Local Admin group that is added in the Ghost image. Hopefully by then 90% or more of people that should be local admins will already be. For those stragglers that have not made it into the local admin group yet, you can manually assist them remotely if wanted.
| 
