For an NT/2000 network with many remote locations, I want to give the user logging on local admin rights by adding him/her to the local Administrators group. When the user first logs on, he/she doesn't have local admin rights yet, so I'm assuming we need to use something like runas. The problem is that runas is only available for Win2K.
If there is a way, I would like to remove that user from the local Administrators group when he/she logs off.
What is the easiest way of doing this for NT/2000 machines?
if you have a specific password for all wksta's on your network... like every wksta has "mydomainwksta" as the password, that would be easy... with something like su.
anyway, the easiest would be setting up a script on some of your servers that reads an ini for all workstations that do not have domain users as the wksta-admins and adds them. that script has a scriptlet in the logon script that checks if the user is in local admin and, if not, adds the entry to the ini.
of course every domain user must have access to this ini.
one option is to create a similar script which crawls around your net immediately and changes all the wksta's found, but that way you never have a guarantee of getting to all machines.
now, the decision is yours: which way do you want to go?
#41025 - 2003-06-04 02:50 AM Re: Adding user to local administrator
NTDOC, Administrator
Registered: 2000-07-28
Posts: 11629
Loc: CA
Ryan,
Adding them during logon and removing them during logoff is just not practical with any method beyond Active Directory GPO, and even then it would be difficult due to all the timing issues.
I don't see the purpose of adding/removing during logon. If you want them to be Local Admins, then make them Local Admins. Who cares if you leave them in the group after logoff? Once they log on again, you'd put them right back. It just doesn't seem to make sense to me.
Why do you want them to be Local Admins? To install an application? Maybe look at using one of the Scheduling UDFs here on the board in the UDF forum. That may be a much easier route.
#41027 - 2003-06-04 04:34 AM Re: Adding user to local administrator
Radimus, Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
All my users are local admins on their own workstation (users on others).
I know all the issues of security and such, as well as preventative steps to keep users from fubar'ing their PCs, but with 2000 desktops here, I seldom (1 or 2 per month) have to re-image a machine.
As for how to add users to local admin, the simplest solution is the ini file routine mentioned.
make an ini file keyed on computername:

    [admin]
    pc1=joe
    pc2=mike
    pc3=dilbert
    ...

then you, using a domain admin acct (or an acct with admin on every PC), use one of the remote execute UDFs where you can exec

    net localgroup administrators /add $name

against each PC.
your problem will be building/maintaining the ini file.
Thanks for all your replies. Will try using ini and update.
NTDOC - I should have explained it better. Right now our master image has the LocalWrkAdm group in the local Administrators group and everyone on our network belongs to it. I ran into problems where users map to other users' C$ to share data. This is fine except when the other user doesn't know about it. So now we want to remove all users from the LocalWrkAdm group, but before we do that we want to give the logon user admin permission to that PC. Removing the user from the local admin group is not important right now.
I want it to check if the user belongs to the local admin group and, if not, add the user. It works the first time, but when testing it after that, it keeps trying to add the user, but since the user is already in the Administrators group, there is an error. Also tried using InGroup("\\" + @WKSTA + "\Administrators")
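The ini routine Radimus describes above, together with the "already in the group" error from the rerun, as an added example (not code from the thread or from KiXtart): the script below parses an [admin] ini keyed on computer name, reads the current membership of each workstation's Administrators group from captured `net localgroup administrators` output, and only emits an add command for accounts that are not members yet, so running it repeatedly is harmless. The workstation names, user names, the domain name MYDOMAIN and the sample `net localgroup` text are all constructed for illustration; in production the per-PC output would come from whatever remote-execute step you use.

```python
"""Plan idempotent local-Administrators additions from an ini keyed on computername.

Added example for the thread above; names, domain and captured output are constructed.
"""
import configparser

# Constructed ini in the layout described in the thread: one key per workstation,
# value = the account that should be a local admin on that machine.
ADMIN_INI = """\
[admin]
pc1=joe
pc2=mike
pc3=dilbert
"""

# Constructed stand-ins for `net localgroup administrators` as captured from each
# workstation. pc3 has no entry, modelling a machine that was unreachable.
NET_OUTPUT = {
    "pc1": """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MYDOMAIN\\Domain Admins
MYDOMAIN\\joe
The command completed successfully.
""",
    "pc2": """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MYDOMAIN\\Domain Admins
The command completed successfully.
""",
}


def load_admin_map(ini_text):
    """Return {computername: username} from the [admin] section (computer names lower-cased)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return {pc.lower(): user.strip() for pc, user in cfg.items("admin")}


def parse_net_localgroup(output):
    """Extract the member names listed by `net localgroup <group>`, case-folded for comparison."""
    members = set()
    in_list = False
    for line in output.splitlines():
        if line.startswith("---"):      # dashed rule precedes the member list
            in_list = True
            continue
        if not in_list:
            continue
        if line.startswith("The command completed") or not line.strip():
            break
        members.add(line.strip().lower())
    return members


def plan_additions(admin_map, net_output, domain):
    """Decide per workstation whether to add the account, skip it, or retry later.

    Checking current membership first avoids the error `net localgroup ... /add`
    raises when the account is already a member.
    """
    plan = {"add": [], "skip": [], "no_data": []}
    for pc, user in sorted(admin_map.items()):
        if pc not in net_output:
            plan["no_data"].append(pc)          # no capture: leave for the next run
            continue
        account = f"{domain}\\{user}"
        if account.lower() in parse_net_localgroup(net_output[pc]):
            plan["skip"].append(pc)             # already a local admin here
            continue
        # Documented `net localgroup` order: group name, account, then /add.
        plan["add"].append((pc, f"net localgroup administrators {account} /add"))
    return plan


if __name__ == "__main__":
    result = plan_additions(load_admin_map(ADMIN_INI), NET_OUTPUT, "MYDOMAIN")
    for pc, cmd in result["add"]:
        print(f"{pc}: {cmd}")
    print("already members:", result["skip"])
    print("no data, retry later:", result["no_data"])
```

The plan is computed from captured output rather than from the logged-on user's own group test, which is the other trap in the thread: a user who is not yet an admin cannot add themselves, so the add step has to run under an account that already has admin rights on the target PC.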
I don't know... maybe I'm missing something here... If the users do not have admin rights, then they can't add themselves. If you are running the script by impersonating someone with admin rights using SU or RunAs, then InGroup() and @UserID would reflect the impersonated user and not the one you want to add.
Confused
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
Thanks NTDOC and Radimus. Will try and let you guys know. BTW - What do you guys do for a living that you have so much time to reply to all the posts? Just wondering, sorry if it's too personal. I did some search on the forum and I see you guys all over.
Your code checks for the reg key; we have many users in the production area that share machines, and your code is set up for only the first user that logs on to that machine. The second person would not be added to the local admin group. Any other suggestion?
Thanks,
Ryan
[ 05. June 2003, 08:25: Message edited by: Ryan Dao ]
#41041 - 2003-06-05 07:00 PM Re: Adding user to local administrator
NTDOC, Administrator
Registered: 2000-07-28
Posts: 11629
Loc: CA
Agreed... Unless you know specifically every employee who should be a local admin on which machines it will be rather difficult to automate.
I actually would not get rid of the Local Admin group you put in place; I'd just remove everyone's membership except your desktop support people. That way they will maintain Admin rights on all desktops when they log on.
Unless you have a very documented and strict work force (which it does not sound like) it will be difficult to achieve what you're asking via an automated method.
For now, maybe just run the code to allow people who log on locally to add their own account to the local admin group. Then in a couple of weeks disable that portion of the script and remove everyone from that Local Admin group that is added in the Ghost image. Hopefully by then 90% or more of the people that should be local admins will already be. For those stragglers that have not made it into the local admin group yet, you can manually assist them remotely if wanted.
The user should have local admin rights to the machine he/she is logging onto. Doesn't matter who.
The code below doesn't work all the time. It works the first time, but when I removed the user from the local admin group and ran the script again, it thinks the user is still in the group and will not add. I ran kix32 /f to clear the cache with no luck. Any help will be greatly appreciated.
Thanks guys.
    ; Test whether the logged-on user is in this workstation's local Administrators group
    IF INGROUP("\\@WKSTA\Administrators")
        ? "You are a Local Administrator"
    ELSE
        ? "You are NOT a Local Administrator"
        ; Not a member: call net.exe to add the current user, discarding its output
        SHELL '%COMSPEC% /C net localgroup administrators /add @userid >NUL 2>NUL'
    ENDIF