Re: Domain Users to have Local Admin rights
- From: "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx>
- Date: Sun, 30 Apr 2006 10:24:46 +0200
Hi,
First, make sure that your script works. Let's say you created a batch file
called add_admin.bat that contains this command
net localgroup Administrators ZEROONENETWORKS\HelpDesk /add
Copy this file to e.g. a USB drive and take it to a client computer. Log on to
this computer as local administrator and insert the USB drive. Now run
add_admin.bat from the command line on this computer. Was the HelpDesk group added
to the local Administrators group? What was the message displayed on the screen?
You should see "The command completed successfully". If your script works
correctly then you are ready to include it in Group Policy as a startup
script.
The Default Domain Policy is not really the best place to run this script from.
One of the reasons is that it will also make this script run on
servers -- which might not be something that you want (e.g. the HelpDesk group
having administrative access to all your servers). A better approach to this
would be to create a new OU (Organizational Unit) and move all client computers
to this OU. Now that the computers are moved you can create a new Group
Policy and link it to this new Organizational Unit.
How to set up the policy. Open the policy where you would like to add your
startup script (e.g. the OU policy or the Default Domain Group Policy). Now in the
left menu drill down under Computer Configuration (_not_ User Configuration)
and expand Windows Settings. Here click on Scripts (Startup/Shutdown) and in
the right menu double click on Startup. The Startup Properties window opens and
here click on the Show Files button. Copy and paste your batch file (e.g. the
add_admin.bat file) to this location. Now close this window and click on the
Add button in the Startup Properties window. In the Add a Script window click on
Browse and select the add_admin.bat file that you added in the previous step. Now
close all the windows including the group policy editor.
Run
gpupdate /force
on:
- the domain controller
- the client computer
Once you have done that restart the client computer and see if the script
added the HelpDesk group to the local Administrators group. If not, wait a few minutes
and reboot the computer again.
--
Mike
Microsoft MVP - Windows Security
"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1257jsjfrupr881@xxxxxxxxxxxxxxxxxxxxx
Yes, I created the batch file with that. I added it to "Startup" in the Default
Group Policy because a new policy doesn't want to work. I added it to domain
ZEROONENETWORKS.
Yes, I logged in as a domain admin. And I checked Administrators and nothing was
added.
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:eSbRxe8aGHA.504@xxxxxxxxxxxxxxxxxxxxxxx
Did you create a batch file with
net localgroup Administrators domain\HelpDesk /add
and modify it to represent your environment (domain)? Did you add this
batch file to Group Policy? If yes, what Group Policy did you add it to?
Did you add it to an existing Group Policy or did you create a new one? What
level did you add it to? OU or domain or?
Did you test the modified command?
net localgroup Administrators domain\HelpDesk /add
Does it work if you log on to a computer with administrative permissions
and run this command? Is the HelpDesk group added to the local Administrators
group?
--
Mike
Microsoft MVP - Windows Security
"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1257fmt2bgbq81c@xxxxxxxxxxxxxxxxxxxxx
OK, I went to group policy. Refreshed group policy on the other
machines. I created a startup script to do what you just said, but it
seems as if nothing happened. I even restarted the workstations, still
nothing seems to be happening.
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:%23ZJ6eu7aGHA.508@xxxxxxxxxxxxxxxxxxxxxxx
I mean, you have to "deploy" this as a startup script using Group Policy.
--
Mike
Microsoft MVP - Windows Security
"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:12578jqj9mkg6fb@xxxxxxxxxxxxxxxxxxxxx
But then we are startup scripts? Or do you mean add to each and every
machine, that kinda startup script?
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:eZumSO2aGHA.1536@xxxxxxxxxxxxxxxxxxxxxxx
In this case you can still use Group Policy, but you can
use a _startup_ script (_not_ a logon script) to add e.g. the Help Desk group
to the local Administrators group on all the computers. The script that
you can use looks like this
net localgroup Administrators domain\HelpDesk /add
domain in the above command is the NetBIOS name of your domain.
This way HelpDesk will only be added -- without removing any other
groups.
--
Mike
Microsoft MVP - Windows Security
"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1255jubreasa613@xxxxxxxxxxxxxxxxxxxxx
Well, here is the problem. I am not sure about using Brooster's
solution.
We have various admin accounts other than Administrator
on some of the client machines, and we do not want to
have it remove those, because some are laptops and they
use those accounts when they log in at home. Is there any way to be
able to keep their current admin accounts also?
"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:ec6NvGwaGHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
Brooster posted a solution to your question.
What I would like to add is a warning against using domain
administrator accounts to log on to user computers.
So simply put -- don't use accounts that have domain administrator
permissions for logging on to client computers. Use these accounts
only for working on domain controllers.
For logging on to client computers create new accounts (e.g.
admin-mike, admin-greg, etc.) and add them to a group called e.g.
Help Desk. Now add this group to the local Administrators group by using the
solution proposed by Brooster.
--
Mike
Microsoft MVP - Windows Security
"RedPenguin" <redpenguin@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1254qjd2uso6j84@xxxxxxxxxxxxxxxxxxxxx
OK, we recently installed Microsoft Server 2003 Enterprise Edition
on our PC. The whole domain is working and everyone has their own
login that works. The only thing is, those users do not have local
admin privileges on the PCs they log on to.
We wish to have a handful of users, HelpDesk, that when they log in
to any machine, they automatically get admin privileges on the
workstation.
We tried playing with the Group Policy Editor but nothing at all will
work.
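The procedure discussed in this thread (a computer startup script that adds the HelpDesk domain group to each workstation's local Administrators group, skips servers, and leaves the existing local admin accounts on the laptops in place), as an added PowerShell example that is not part of the thread or of any poster's script. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember, Add-LocalGroupMember), which exist on Windows 10 / Server 2016 and later but not on the Server 2003-era systems the thread is about, where the thread's "net localgroup Administrators ZEROONENETWORKS\HelpDesk /add" does the same additive change. The domain name ZEROONENETWORKS and the group name HelpDesk come from the thread; the expected-members allowlist is constructed for illustration.

```powershell
# Added example (not from the thread). Ensures a domain group is in the local
# Administrators group on workstations only, then reports members that are not
# on an expected list. Requires the LocalAccounts cmdlets (Win10 / Server 2016+).
param(
    [string]$DomainGroup = 'ZEROONENETWORKS\HelpDesk',   # group named in the thread
    [switch]$Enforce                                     # without -Enforce: report only
)

# Constructed allowlist of members expected on every workstation; adjust to taste.
# Get-LocalGroupMember returns local accounts as COMPUTERNAME\Account.
$ExpectedMembers = @(
    "$env:COMPUTERNAME\Administrator",
    'ZEROONENETWORKS\Domain Admins',
    $DomainGroup
)

function Test-IsWorkstation {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # The thread warns against running the add on servers; this is the guard.
    (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1
}

function Get-LocalAdminNames {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
}

function Set-LocalAdminMembership {
    param([string]$Group, [bool]$Apply)
    $current = @(Get-LocalAdminNames)
    if ($current -contains $Group) {
        return "$Group is already a member of Administrators."
    }
    if ($Apply) {
        # Add-LocalGroupMember is additive: the extra local admin accounts
        # mentioned in the thread (laptops used at home) are not removed.
        Add-LocalGroupMember -Group 'Administrators' -Member $Group
        return "Added $Group to Administrators."
    }
    return "$Group is NOT a member of Administrators (run with -Enforce to add it)."
}

function Get-UnexpectedAdmins {
    # Report-only: anything not on the allowlist is listed for review, never removed.
    Get-LocalAdminNames | Where-Object { $ExpectedMembers -notcontains $_ }
}

if (-not (Test-IsWorkstation)) {
    Write-Output 'Server-class OS detected; leaving the Administrators group untouched.'
    exit 0
}

Write-Output (Set-LocalAdminMembership -Group $DomainGroup -Apply $Enforce.IsPresent)

$extra = @(Get-UnexpectedAdmins)
if ($extra.Count -gt 0) {
    Write-Output 'Local Administrators members not on the expected list (review before acting):'
    $extra | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output 'No unexpected members in local Administrators.'
}
```

Run it without -Enforce from an elevated prompt to see what it would change on one test machine, which mirrors the "test the batch file by hand first" advice above; once the output looks right, deploy it with -Enforce as a computer startup script (it then runs as SYSTEM at boot). One caveat: on some Windows builds Get-LocalGroupMember fails when the group contains orphaned SIDs from deleted accounts; if that happens on a machine, falling back to the thread's net localgroup command for the add still works, but the audit part needs another approach on that host.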