Group Policy Question


Don

I have around a thousand PCs which are already in production, but not
members of our AD domain. I plan on adding them by pushing a script
using the netdom utility. My problem is we have several applications
which require the users to be local admins on the PCs (bad I know). Is
there a way via a group policy, or anything else for that matter,
which will add the users to the local Administrators group the first time
they log on? My alternative is to add the Domain Users group from the
netdom script, but I really want to restrict it to individual users.

Any ideas would be greatly appreciated...
 

Florian Frommherz [MVP]

Howdie!

Don said:
I have around a thousand PCs which are already in production, but not
members of our AD domain. I plan on adding them by pushing a script
using the netdom utility. My problem is we have several applications
which require the users to be local admins on the PCs (bad I know). Is
there a way via a group policy, or anything else for that matter, which
will add the users to the local Administrators group the first time they
log on? My alternative is to add the Domain Users group from the netdom
script, but I really want to restrict it to individual users.

There's nothing for exactly what you want. You will have to script it
somehow so that people get added to the local admins as soon as they log in.

If that doesn't work, and before you start adding them with a net*
script, have a look at restricted groups:

http://www.frickelsoft.net/blog/?p=13

cheers,

Florian
 

Richard Mueller [MVP]

Florian Frommherz said:
Howdie!


There's nothing for exactly what you want. You will have to script it
somehow that people get added to the local admins as soon as they log in.

If that doesn't work, and before you start adding them with a net* script,
have a look at restricted groups:

http://www.frickelsoft.net/blog/?p=13

cheers,

Florian

Also, users cannot add themselves to the local group, so it won't work in a
logon script (unless you hard code credentials in the script which is
dangerous). If you want users to only be admin on one computer each, you
should be able to do it remotely yourself with a script. To do it in bulk
you could read computer names and corresponding user names from a text file.
Of course, this would be after the computers are joined to the domain. A
VBScript program to add one user to the local Administrators group on one
computer would be:
==========
strComputer = "MyComputer"
strUser = "JimSmith"
strDomain = "MyDomain"

' Bind to Administrators group on the computer.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
    & "/Administrators,group")

' Bind to domain user object.
Set objDomainUser = GetObject("WinNT://" & strDomain & "/" & strUser _
    & ",user")

' Check if user already a member.
If (objLocalGroup.IsMember(objDomainUser.AdsPath) = False) Then
    ' Add the user to the group.
    objLocalGroup.Add(objDomainUser.AdsPath)
End If
==========
As long as the computer is joined to the domain, you can run this remotely,
assuming you are a member of the "Domain Admins" group and the "Domain
Admins" group is a member of the local Administrators group (which is true
for all computers when they are joined to the domain). It would be easy to
read names from a text file and do the above for many computers/users in
bulk.
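The bulk version Richard describes, as an added PowerShell example (not his code and not from the thread): it reads computer/user pairs from a text file, binds through the same WinNT ADSI provider, skips users who are already members, and logs every grant. The file path, the column layout and the domain name MYDOMAIN are assumptions; it assumes the account running it is in Domain Admins, as the post requires.

```powershell
# Input file (constructed, one "computer,user" pair per line, '#' comments allowed):
#   PC0001,JimSmith
#   PC0002,JaneDoe
param(
    [string]$MappingFile = ".\admins.txt",   # hypothetical path
    [string]$Domain      = "MYDOMAIN"        # placeholder NetBIOS domain name
)

function Add-LocalAdminMember {
    param([string]$Computer, [string]$User, [string]$Domain)

    $userPath = "WinNT://$Domain/$User,user"
    # Validate the domain account before touching the remote machine.
    if (-not [ADSI]::Exists($userPath)) {
        throw "Domain user $Domain\$User not found"
    }
    # Bind to the computer's local Administrators group via the WinNT provider.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    # Membership check first, so re-runs are idempotent and produce no errors.
    if ($group.IsMember($userPath)) {
        return "already-member"
    }
    $group.Add($userPath)
    return "added"
}

$results = foreach ($line in Get-Content $MappingFile) {
    if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
    $computer, $user = $line.Split(',') | ForEach-Object { $_.Trim() }
    try {
        $status = Add-LocalAdminMember -Computer $computer -User $user -Domain $Domain
    } catch {
        # Unreachable host, blocked RPC, or a bad name: record it and keep going.
        $status = "error: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $computer; User = $user; Status = $status }
}

# Keep a record of who was granted local admin on which machine; this is the
# audit trail for a deliberately scoped privilege grant (one user per computer).
$results | Export-Csv -Path ".\local-admin-grants.csv" -NoTypeInformation
$results | Format-Table -AutoSize
```

Because each grant is scoped to one named user on one named computer, the resulting CSV is also what you would compare against later to spot local Administrators members that were never provisioned this way.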
 
