General discussion

Locked

Localgroups

By Who's the daddy? ·
I am currently implementing a large Windows 2000 installation with multiple server and sites.

One thing I would like to do is add a domain group (PC Support) to the local Administrators group on all of the PC's (they are all W2K pro) so the helpdesk staff can log in as themselves and be local admins (I don't want to make them Domain admins or have to manually add the group to each PC).

I can't find a way to do it with Group Policies.

I can do it with NET LOCALGROUP /ADD but standard users don't have rights to do this.

I can use RUNAS /USER:ADMINISTRATOR "NET LOCALGROUP /ADD" but this asks for a password.

Does anyone know a way to pipe a password into the RUNAS command (I have tried < pword.txt where pword.txt contains the password but get an echo error)

Any help is much appreciated.

This conversation is currently closed to new comments.

2 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Localgroups

by BeerMonster In reply to Localgroups

Hi,
I was involved in a similar implementation, and we accomplished this by adding a domain group to the local admins on each workstation during the build, it was handy because we could designate admins of the workstations who were not domain admins. If the workstation builds are already underway, or not automated, you could create a batch file with your net localgroup, copy it to the workastations and run it using the task scheduler. all of this can be automated via scripts, with success or failure flags letting you know what's happening. As for the runas, I managed to automate this for a software rollout recently, but it was a quick and dirty fix -

You need to use VBscript, which has a sendkeys command (a lot like 'scriptit' fromthe reskit). Basically, your vb script shells out to a command prompt and passes it your runas parameters IE runas /user mycommandorscript. VBsendkeys is then used to pass the password to the command window. I had some security considerations when Idid this that you might like to bear in mind for the future

Collapse -

Localgroups

by BeerMonster In reply to Localgroups

namely that I needed to run a batch file as admin so i couldn't just have the runas call a single command. this meant that if anyone replaced my batch file with one of their own (IE same name and path) it would run in an admin context. to get round this I used filetokn.exe from the SMS reskit. It creates a crc check number of a file (unique for every file), so I took a crc of my batch file and hardcoded that into the vbscript. Then I added a crc check of the batch file called in the vbscript before the batch file was called. if the numbers didn't match then the vbscript errored out - and logged to the event log. Finally, you need to put the password in the vbscript itself, which by default is in plain text. this can be overcome by using the Microsoft script encoder, available for download from their site. this encrypts vbscripts so that they are unreadable if edited (obviously you keep a copy of the original). You will need to encrypt your file to protect the password, but you should be able to to do the net localgroup as part of the runas command rather than call a batch file so the crc stuff won't matter. It doesn't really matter if someone gets hold of your vbscript and runs it, 'cos unless they are members of the domain groupbeing added it won't help them anyway. Let me know if you need samples of the scripts that were used, vbscript can be a bit of a pain when (like me) you're used to the simplicity of batch files. darthurs@hotmail.com

Hope it goes ok......

Back to Windows Forum
2 total posts (Page 1 of 1)  

Related Discussions

Related Forums