General discussion

  • #2311432

    Add Domain User to Local Machine Admin

    Locked

    by maddiuex ·

    Would like to add some domain users to the local W2Kpro workstations, without having to walk to each workstation to add them. Can someone explain to me how to do this from the Active Dir Server? Or the correct script command to do it?

All Comments

    • #3471867

      Add Domain User to Local Machine Admin

      by shmaltz ·

      In reply to Add Domain User to Local Machine Admin

      If the computer has joined the domain there should be no need to do this. Since every user is available on every computer that has already joined the domain.
      If however it did not join the domain then you can’t use Active Directory either, and your only option is to join the domain, which means walking over to every computer. If you still want to do it (and the computers have already joined the domain), you can create a machine logon script and use the net use command to add those accounts.

      • #3471865

        Add Domain User to Local Machine Admin

        by maddiuex ·

        In reply to Add Domain User to Local Machine Admin

        All the machines are joined, but when I try to install a program like Norton antivirus Corp through a script it states that the user does not have rights to install a program. But when I give the user Local admin rights it lets them?

    • #3471853

      Add Domain User to Local Machine Admin

      by shmaltz ·

      In reply to Add Domain User to Local Machine Admin

      I believe I gave you the answer. Add a machine logon script that adds the user to the local admin groups using the net user command.

      • #3469419

        Add Domain User to Local Machine Admin

        by maddiuex ·

        In reply to Add Domain User to Local Machine Admin

        Thank you, but the answer was not followed up by the correct way to add a user. Mr. Moore below has given an excellent answer. I will not close the question until you give the correct Net User command. I have not run that type of script before.

    • #3471826

      Add Domain User to Local Machine Admin

      by joseph moore ·

      In reply to Add Domain User to Local Machine Admin

      Actually, you would use the NET LOCALGROUP command to add users to be local Admins on individual machines.

      Say that you have a domain with a NetBIOS name of MYDOMAIN. And say that user BOB needs to be added as a local Admin on his workstation. The NET command syntax to add MYDOMAIN\BOB as a local Admin would be the following:

      NET LOCALGROUP ADMINISTRATORS MYDOMAIN\BOB /ADD

      So, you as an Admin could log into BOB’s workstation, run that line, then log out, and voila! BOB is a local Admin on his workstation!

      • #3471825

        Add Domain User to Local Machine Admin

        by joseph moore ·

        In reply to Add Domain User to Local Machine Admin

        Now, doing that that way means you would have to walk to every workstation that BOB needs to be a local Admin, logging in, and typing that out. I know, all that walking is a pain!

        So, we can cheat! Let’s put this line in BOB’s logon script! Just put it in the script just like it says, and let BOB log in.

        When he logs into his workstation, he is given the local Admin right on that workstation only….

        well, that is not exactly correct! You see, since BOB is only a Domain User, he can’t make himself a local Admin. He does not have the rights! So, how do you get BOB to be added as a local Admin using his logon script???

        You have to make BOB a member of the Domain Admins group on a domain controller first!

        Now, why would I suggest you do that????
        Because it will only be for a few hours! The morning you have the NET LOCALGROUP command in BOB’s logon script, you also add BOB to the Domain Admins group first, and make sure that is done BEFORE BOB logs in.
        Then, when BOB logs in, he will already be a DA, and he can then add himself to be a local Admin, when his logon script runs!

      • #3471824

        Add Domain User to Local Machine Admin

        by joseph moore ·

        In reply to Add Domain User to Local Machine Admin

        After BOB has logged in, and his logon script has run, thereby making him a local Admin on his workstation, you REMOVE BOB from the Domain Admins group on your domain controller.

        Voila! BOB is a local Admin, and you never got out of your chair!!! And that is the goal here, to minimize having to walk to the user workstations!!!

      • #3471822

        Add Domain User to Local Machine Admin

        by joseph moore ·

        In reply to Add Domain User to Local Machine Admin

        Now, the next scenario is, “BOB does not have his own logon script; he shares one with several other people. How do I get the NET LOCALGROUP command to work properly??? Plus, I need to add the other 5 people who have his logon script as local Admins on their workstations, but I don’t want BOB as a local Admin on their systems.”

        Again, this can be done.

        Use this syntax in your logon script:

        NET LOCALGROUP ADMINISTRATORS %USERNAME% /ADD

        That is it! That way, when BOB logs into his workstation, it will add MYDOMAIN\BOB to be a local Admin on that system only; then when user TOM (who has the same logon script as BOB) logs into his own system, it will add MYDOMAIN\TOM as a local Admin on Tom’s system.

        You would have to add TOM to be a Domain Admin just like the BOB scenario, but as soon as TOM has logged in, remove TOM from the DA group.

        %USERNAME% is a variable that equates to domain\username. It works in batch files very nicely!

      • #3471821

        Add Domain User to Local Machine Admin

        by joseph moore ·

        In reply to Add Domain User to Local Machine Admin

        So, there are a couple of ways of making local Admins. Now, I did the opposite of what you did. I had to REMOVE several people from being local Admins on their workstations. They all had the same logon script, so I did:

        NET LOCALGROUP ADMINISTRATORS %USERNAME% /DELETE

        Worked like a champ!

        hope this helps

      • #3464984

        Add Domain User to Local Machine Admin

        by maddiuex ·

        In reply to Add Domain User to Local Machine Admin

        not working still

    • #3469430

      Add Domain User to Local Machine Admin

      by ian mclaws ·

      In reply to Add Domain User to Local Machine Admin

      I have to put my two cents worth in here. First of all, it is not appropriate to make users administrators, even temporarily. This leaves a security hole that is NOT patched when they are removed afterwards.

      If you are using Norton’s corporate antivirus as you say, you do not have to do any of this. Simply install the Nortons antivirus console (from the first CD) and push out the client antivirus from it. No need for active directory or administrator rights. Since you are pushing the software, it installs in your own context (I assume you are an administrator). Load the console, then put in disk 2. One of the choices in the Nortons menu is “Install anti virus to clients”. It is built right in, no scripts, no security holes.

      Good luck,

      Ian

      • #3469420

        Add Domain User to Local Machine Admin

        by maddiuex ·

        In reply to Add Domain User to Local Machine Admin

        I am using the VPlogon from Norton, and it does push the installation. But I get the message of “you do not have the rights to install Norton, please contact the administrator”. I also would like the option to load all the software I wanted, and the script would be best. And yes, I also believe the security idea, but it would only be for 1 day. And might be the best idea. Thank you

    • #3469342

      Add Domain User to Local Machine Admin

      by ian mclaws ·

      In reply to Add Domain User to Local Machine Admin

      Several points from your answer. In my previous answer, I assumed that you had administrative rights in the domain. If you are pushing Nortons and getting an access denied error, this is not the case. You are not an administrator. This is your first problem. Secondly, no, absolutely not, it is NEVER appropriate to make users temporary administrators on their systems. This is a move made only by individuals who do not understand Active Directory and results in a huge security breach. AD is already able and set up to push ANY software to clients, systems, or both without scripts. I am the enterprise admin on our 1800 seat WAN, and use AD regularly to install, update, and remove all software in our domain. I also have implemented Nortons corporate through the VPLogon, and it all works perfectly. Of course, I DO have administrative rights. Perhaps you might want to talk to your administrator and get him to grant you these rights so that you can deploy Nortons, or to do it himself.

      Ian

      • #3469320

        Add Domain User to Local Machine Admin

        by maddiuex ·

        In reply to Add Domain User to Local Machine Admin

        I have full Admin rights, but the issue is when the user logs on to run the script. They are just Domain Users. When I log on to the machine the script works, but when the user logs on it does not. If I add the user to the Local account as an admin it works?

    • #3469292

      Add Domain User to Local Machine Admin

      by ian mclaws ·

      In reply to Add Domain User to Local Machine Admin

      Again, I believe you are confused. Using Nortons VPLogon, there is no script. Users logging on have nothing to do with the process. Norton’s allows you to push the install from the console, without any users logging in at all and without using any scripts at all; the install is real time under YOUR context, all systems at once. You keep referring to a script. This is the problem. You do not need any script. Use the Nortons installer over the network, and it all works perfectly without any permission or administrative changes or security breaches.

      Ian

    • #3469282

      Add Domain User to Local Machine Admin

      by dwdino ·

      In reply to Add Domain User to Local Machine Admin

      Assign to machine @ startup, not to user at Logon!

    • #3469269

      Add Domain User to Local Machine Admin

      by shmaltz ·

      In reply to Add Domain User to Local Machine Admin

      OK, here is the complete step by step.
      1. Create a domain security group and add all the users you want to be local admins as members (let’s call it LocalAdminsG).
      2. Create a file called addla.bat
      3. Edit it and add the following line to it
      NET LOCALGROUP ADMINISTRATORS MYDOMAIN\LocalAdminsG /ADD
      (make sure it’s one line).
      4. Create a machine logon script (not a user logon script) using an Active Directory Policy
      Now the next time the computers start it will update with this policy and add this new group (LocalAdminsG) to the local admin group (Administrators). This will work since the user doesn’t need admin permissions because the machine logon script runs on system level, with system level permissions.
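
Added example, not part of the post above or of the thread: a Python check that parses the English-locale output of `NET LOCALGROUP ADMINISTRATORS` collected from a workstation and reports members outside an allow-list, so individual accounts left in the group by the per-user approaches discussed earlier are caught. The sample output and the allow-list policy are constructed; MYDOMAIN, BOB and LocalAdminsG are the thread's example names.

```python
"""Audit local Administrators membership from `net localgroup` output."""

# Constructed sample of `NET LOCALGROUP ADMINISTRATORS` output from one
# workstation (English locale assumed).
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MYDOMAIN\\Domain Admins
MYDOMAIN\\LocalAdminsG
MYDOMAIN\\BOB
The command completed successfully.
"""

# Assumed policy: only these principals may be local admins (lower-cased).
ALLOWED = {"administrator", r"mydomain\domain admins", r"mydomain\localadminsg"}


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            # The member list starts after a line made only of dashes.
            in_list = len(text) > 10 and set(text) == {"-"}
            continue
        if text.lower().startswith("the command completed"):
            break
        if text:
            members.append(text)
    return members


def unexpected_members(output, allowed=ALLOWED):
    """Members not in the allow-list (names compared case-insensitively)."""
    return [m for m in parse_members(output) if m.lower() not in allowed]


if __name__ == "__main__":
    for name in unexpected_members(SAMPLE_OUTPUT):
        print("unexpected local admin:", name)
```
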

    • #3462738

      Add Domain User to Local Machine Admin

      by henrywi ·

      In reply to Add Domain User to Local Machine Admin

      Go to MMC AD computer/users, Domain, right click, new, create a new group and make them member of the local group

    • #3480245

      Add Domain User to Local Machine Admin

      by maddiuex ·

      In reply to Add Domain User to Local Machine Admin

      Here is the procedure that worked:
      COPY "\\NortonAvServer\VPHOME\grc.dat" "%ALLUSERSPROFILE%\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\grc.dat"

    • #3480244

      Add Domain User to Local Machine Admin

      by maddiuex ·

      In reply to Add Domain User to Local Machine Admin

      This question was closed by the author
