Logon scripts run on the client unless, as Lonkero said, the %comspec% points to the DC.

As I understand it:

Summary:

1. You need to check the client to see if the currently logged-on user has local admin rights.

1a. If the user doesn't have local admin rights, log them off immediately.

2. You need to check the client to see if the domain administrator has local admin rights.

2a. If the domain admin doesn't have local admin rights, add them to the local admin group.

------
Comments:

1. As far as I know, domain administrators are granted local admin rights to NT/2000/XP workstations by default. There may be rare exceptions, but for the most part this should hold true.

2. Before coming back to the domain admin question, all you need to do is check to see if the current user is in the local admins group and log them off if they aren't. This is not too difficult.

3. Assuming you check to see if the user is a local admin (as in #2), then you know that they are and you can verify that domain admins are local admins as well, using a similar method to #2.

4. Logon scripts run on the client PCs, not on the server they are being accessed from, except in very RARE cases. Otherwise, drive mappings, setup programs, etc. would go to the server instead of the client.

Brian
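The summary steps 1 through 2a above (check whether the current user is a local admin, log them off if not, then verify and repair Domain Admins' membership) as a PowerShell logon script. This is an added example, not code from Brian or the thread; it assumes Windows PowerShell 5.1 with the LocalAccounts module (Get-LocalGroupMember / Add-LocalGroupMember) and whoami.exe on a domain-joined client, and uses the standard Windows SIDs and the shutdown.exe logoff.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 5.1 on a
# domain-joined client (Get-LocalGroupMember / Add-LocalGroupMember) and whoami.exe,
# so the check also works under UAC, where a filtered token hides admin groups from .NET.
$LocalAdminsSid  = [Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # well-known SID
$DomainAdminsRid = 512                                                     # Domain Admins RID

function Get-TokenSids {
    # Every SID in the logon token: the user plus all (nested) groups, deny-only included.
    $user   = whoami /user   /fo csv | ConvertFrom-Csv
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    @($user.SID) + @($groups.SID)
}

function Get-LocalAdminMemberSids {
    # Direct members of the local Administrators group, addressed by SID so a renamed
    # group or a non-English Windows does not break the lookup.
    (Get-LocalGroupMember -SID $LocalAdminsSid -ErrorAction Stop).SID.Value
}

function Test-CurrentUserIsLocalAdmin {
    # Step 1: true if the user, or any group in their token, is a member of Administrators.
    $members = Get-LocalAdminMemberSids
    [bool](Get-TokenSids | Where-Object { $members -contains $_ })
}

function Test-DomainAdminsAreLocalAdmins {
    # Step 2: Domain Admins is always RID 512 of the domain SID (S-1-5-21-<domain>-512).
    [bool](Get-LocalAdminMemberSids | Where-Object { $_ -like "S-1-5-21-*-$DomainAdminsRid" })
}

# Step 1a: a user without local admin rights is logged off on the spot.
if (-not (Test-CurrentUserIsLocalAdmin)) {
    Write-Warning "$env:USERNAME is not a local administrator; logging off."
    shutdown.exe /l
    return
}

# Step 2a: the user is an admin, so the script can repair the group (under UAC this
# part needs an elevated context). The group is resolved by name in the logon domain,
# so on a non-English DC substitute the localized name of Domain Admins.
if (-not (Test-DomainAdminsAreLocalAdmins)) {
    Add-LocalGroupMember -SID $LocalAdminsSid -Member "$env:USERDOMAIN\Domain Admins"
}
```

Running the two Test-* functions alone (without the trailing actions) is a safe way to audit a client first; the logoff and group change only happen in the two `if` blocks at the end.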