General discussion

Add Domain User to Local Machine Admin

By maddiuex ·
Would like to add some domain users to the local W2Kpro workstations, without having to walk to each workstation to add them. Can someone explain to me how to do this from the Active Dir Server? Or the correct script command to do it?


Add Domain User to Local Machine Admin

by shmaltz In reply to Add Domain User to Local ...

If the computer has joined the domain there should be no need to do this. Since every user is available on every computer that has already joined the domain.
If however it did not join the domain then you can't use Active Directory either, and your only option is to join the domain, which means walking over to every computer. If you still want to do it (and the computers have already joined the domain), you can create a machine logon script and use the net use command to add those accounts.

Add Domain User to Local Machine Admin

by maddiuex In reply to Add Domain User to Local ...

All the machines are joined, but when I try to install a program like Norton antivirus Corp through a script it states that the user does not have rights to install a program. But when I give the user local admin rights it lets them?

Add Domain User to Local Machine Admin

by shmaltz In reply to Add Domain User to Local ...

I believe I gave you the answer. Add a machine logon script that adds the user to the local admin groups using the net user command.

Add Domain User to Local Machine Admin

by maddiuex In reply to Add Domain User to Local ...

Thank you, but the answer was not followed up by the correct way to add a user. Mr. Moore below has given an excellent answer. I will not close the question until you give the correct Net User command. I have not run that type of script before.

Add Domain User to Local Machine Admin

by Joseph Moore In reply to Add Domain User to Local ...

Actually, you would use the NET LOCALGROUP command to add users to be local Admins on individual machines.

Say that you have a domain with a NetBIOS name of MYDOMAIN. And say that user BOB needs to be added as a local Admin on his workstation. The NET command syntax to add MYDOMAIN\BOB as a local Admin would be the following:

NET LOCALGROUP ADMINISTRATORS MYDOMAIN\BOB /ADD

So, you as an Admin could log into BOB's workstation, run that line, then log out, and voila! BOB is a local Admin on his workstation!

Add Domain User to Local Machine Admin

by Joseph Moore In reply to Add Domain User to Local ...

Now, doing that that way means you would have to walk to every workstation that BOB needs to be a local Admin, logging in, and typing that out. I know, all that walking is a pain!

So, we can cheat! Let's put this line in BOB's logon script! Just put it in the script just like it says, and let BOB log in.

When he logs into his workstation, he is given the local Admin right on that workstation only....

well, that is not exactly correct! You see, since BOB is only a Domain User, he can't make himself a local Admin. He does not have the rights! So, how do you get BOB to be added as a local Admin using his logon script???

You have to make BOB a member of the Domain Admins group on a domain controller first!

Now, why would I suggest you do that????
Because it will only be for a few hours! The morning you have the NET LOCALGROUP command in BOB's logon script, you also add BOB to the Domain Admins group first, and make sure that is done BEFORE BOB logs in.
Then, when BOB logs in, he will already be a DA, and he can then add himself to be a local Admin, when his logon script runs!

Add Domain User to Local Machine Admin

by Joseph Moore In reply to Add Domain User to Local ...

After BOB has logged in, and his logon script has run, thereby making him a local Admin on his workstation, you REMOVE BOB from the Domain Admins group on your domain controller.

Voila! BOB is a local Admin, and you never got out of your chair!!! And that is the goal here, to minimize having to walk to the user workstations!!!

Add Domain User to Local Machine Admin

by Joseph Moore In reply to Add Domain User to Local ...

Now, the next scenario is, "BOB does not have his own logon script; he shares one with several other people. How do I get the NET LOCALGROUP command to work properly??? Plus, I need to add the other 5 people who have his logon script as local Admins on their workstations, but I don't want BOB as a local Admin on their systems."

Again, this can be done.

Use this syntax in your logon script:

NET LOCALGROUP ADMINISTRATORS %USERNAME% /ADD

That is it! That way, when BOB logs into his workstation, it will add MYDOMAIN\BOB to be a local Admin on that system only; then when user TOM (who has the same logon script as BOB) logs into his own system, it will add MYDOMAIN\TOM as a local Admin on Tom's system.

You would have to add TOM to be a Domain Admin just like the BOB scenario, but as soon as TOM has logged in, remove TOM from the DA group.

%USERNAME% is a variable that equates to domain\username. It works in batch files very nicely!

Add Domain User to Local Machine Admin

by Joseph Moore In reply to Add Domain User to Local ...

So, there are a couple of ways of making local Admins. Now, I did the opposite of what you did. I had to REMOVE several people from being local Admins on their workstations. They all had the same logon script, so I did:

NET LOCALGROUP ADMINISTRATORS %USERNAME% /DELETE

Worked like a champ!

hope this helps
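
An added example, not part of any post above: once a shared logon script has run NET LOCALGROUP ADMINISTRATORS ... /ADD or /DELETE, the output of NET LOCALGROUP ADMINISTRATORS captured from each workstation can be checked against the accounts that are meant to be local Admins there. The sample output, the allowlist and the function names are constructed for illustration, and the parser assumes the usual English-language layout of the command's output.

```python
import re

# Constructed sample: output of `NET LOCALGROUP ADMINISTRATORS` as captured
# from one workstation (accounts are made up for illustration).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MYDOMAIN\\Domain Admins
MYDOMAIN\\BOB
MYDOMAIN\\TOM
The command completed successfully.
"""

def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):      # the rule that precedes the member list
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break                               # status line ends the list
        members.append(line)
    return members

def unexpected_admins(output, allowed):
    """Members that are not on the allowlist, compared case-insensitively."""
    allowed_cf = {a.casefold() for a in allowed}
    return [m for m in parse_members(output) if m.casefold() not in allowed_cf]

# Assumed policy for this workstation: built-in account, Domain Admins, and BOB only.
ALLOWED = ["Administrator", r"MYDOMAIN\Domain Admins", r"MYDOMAIN\BOB"]

if __name__ == "__main__":
    for name in unexpected_admins(SAMPLE_OUTPUT, ALLOWED):
        print("unexpected local admin:", name)
```
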

Add Domain User to Local Machine Admin

by maddiuex In reply to Add Domain User to Local ...

not working still
