Local Admin Rights on per machine
  • Local Admin Rights on per machine

    Dear Gurus,

    I was trying to add a few users to the local admin group on their particular machines. I did the following:

    1. On the Marketing OU-Desktops, I created the group policy "GP Test" and under "Restricted Groups" I created the group "Administrators"; under "Members of this group" I added test1, test2 and test3.

    This works fine, but the problem is that all users are now members of the local admin group on each other's machines.

    How do I add a user to the local admin group on his own machine only?

    I need your valuable input.

    cheers,

  • #2
    Re: Local Admin Rights on per machine

    I don't have an answer for you, but I'd imagine you'd need to somehow create or suggest a link between a user name and their computer name. A script, perhaps?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Local Admin Rights on per machine

      The first hit on:

      http://www.google.com/search?hl=en&q...inistrator+gpo

      looks promising:

      http://windows.stanford.edu/Public/I...ocalgroup.html

      It offers a script called AddAdmin.vbs and explains how to use it via GPO. This script does not appear to be the AddAdmin.vbs found on the ISA Server 2004 SDK CD.
      Cheers,

      Rick


      2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



      • #4
        Re: Local Admin Rights on per machine

        Thank you.

        cheers,



        • #5
          Re: Local Admin Rights on per machine

          Don't thank us yet. Post back with your experiences after you complete the task.
          Cheers,

          Rick





          • #6
            Re: Local Admin Rights on per machine

            With the following script it is easy to relate users to certain computers and make them local admins of that computer.
            Use the command line: AddAdmins computer,user
            Add such a line for every domain user involved.

            Code:
            'Add members to the local group Administrators by computername
            '-------------------------------------------------------------
            AddAdmins "computername(x)", "domain\username"
            AddAdmins "computername(y)", "domain\GlobalGroup"
            AddAdmins "computername(z)", "domain\username"
            '<...etc.>

            'rest of your script.....
            WScript.Quit

            '-------------------------------------------------------------
            Function AddAdmins(sComputername, sDomainuser)
              sLocGroup = "Administrators"
              strCommand = "net localgroup " & Chr(34) & sLocGroup & Chr(34)
              Set objShell = CreateObject("WScript.Shell")
              Set objEnvironment = objShell.Environment("Process")
              strComputer = objEnvironment("COMPUTERNAME")
              'Grant membership only on the named computer; on every other
              'computer make sure the membership is removed again
              If LCase(strComputer) = LCase(sComputername) Then
                objShell.Exec(strCommand & " /ADD " & Chr(34) & sDomainuser & Chr(34))
              Else
                objShell.Exec(strCommand & " /DELETE " & Chr(34) & sDomainuser & Chr(34))
              End If
            End Function
            You can add the 'AddAdmins...' lines anywhere in your standard computer startup script. The function itself, at the end of this example, you can put at the end of your standard script; that is the common place to gather subroutines and customized functions in a script.

            ------------------------

            Because of these two lines in the function in the above script:
            Code:
              Else
                objShell.Exec(strCommand & " /DELETE " & Chr(34) & sDomainuser & Chr(34))
            it will check on every starting computer whether the users typed in the AddAdmins lines are members of its local Administrators group.
            I have added that feature to the function so there is a routine to delete the membership again. (!)
            Another way to make it possible to delete members again is to add 'DELETE' or 'ADD' to the function options:
            Code:
            'Add or Remove members to the local group Administrators by computername
            '-----------------------------------------------------------------------+
            AddAdmins "computername(x)", "domain\username", "DELETE"
            AddAdmins "computername(y)", "domain\GlobalGroup", "ADD"
            AddAdmins "computername(z)", "domain\username", "ADD"
            '<...etc.>

            'rest of your script.....
            WScript.Quit

            '-----------------------------------------------------------------------+
            Function AddAdmins(sComputername, sDomainuser, sAction)
              sLocGroup = "Administrators"
              strCommand = "net localgroup " & Chr(34) & sLocGroup & Chr(34)
              Set objShell = CreateObject("WScript.Shell")
              Set objEnvironment = objShell.Environment("Process")
              strComputer = objEnvironment("COMPUTERNAME")
              'sAction is "ADD" or "DELETE"; the command only runs on the named computer
              If LCase(strComputer) = LCase(sComputername) Then
                objShell.Exec(strCommand & " /" & sAction & " " & Chr(34) & sDomainuser & Chr(34))
              End If
            End Function
            ------------------------

            But the risk of managing the local groups this way is that you can lose control over the local groups, because you could easily add a user to the local admins group and later forget about it.
            So it is better not to add individual users as members but to nest Global security groups instead. That way memberships become visible in 'AD Users and Computers'.
            Here is something to try:
            - Make an OU named 'LocalAdminGroups' and, per computer, add a new group named computername-Admins to that OU.
            - Add the necessary members (domain users) to these new groups in AD.
            - Now edit a GPO and create 'restricted groups'... but this time named after the newly created domain\groupname.
            - In the 'Member Of' section of these new restricted groups -> add 'computername\Administrators'
            see: RestrictedGroups Approach 2, http://forums.petri.com/showthread.p...2489&page=2#12
            Or - try Approach 1 (like you did before), this time naming the restricted groups computername\Administrators. Then add the AD groups as members to the right RestrictedGroup (in that case don't forget to add the 'Domain Admins' group too).
            I don't know for sure if 'computername\Administrators' works that way, but I think it will. Alternatively you can always create separate GPOs for each computer, and set the GPO scope of each GPO to that computer only.

            \Rem
            Last edited by Rems; 6th February 2007, 10:44. Reason: Edit both scripts- now it is possible to nest *GlobalGroups* too

            This posting is provided "AS IS" with no warranties, and confers no rights.


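An added example, not code from the thread: a PowerShell computer startup script that combines the "nest a per-computer Global Group instead of individual users" advice above with the enforce-and-remove behaviour of the VBScript, so that stale admin grants cannot accumulate. It assumes a NetBIOS domain named CORP, an AD group per computer named COMPUTERNAME-Admins, a log path under C:\Windows\Temp, and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later); all of these are placeholders to adapt.

```powershell
# Added example (not from the thread). Enforces a desired-state local Administrators
# group: Domain Admins plus this machine's own "<COMPUTERNAME>-Admins" AD group.
# Assumptions: domain 'CORP', group naming convention, log path (all placeholders).
$Domain  = 'CORP'                                    # assumption: NetBIOS domain name
$LogFile = 'C:\Windows\Temp\LocalAdminEnforce.log'   # assumption: log location
$Group   = 'Administrators'

# Desired domain members for THIS computer only. Membership of the per-computer
# group is managed centrally in AD, so it stays visible in AD Users and Computers.
$Desired = @(
    "$Domain\Domain Admins",
    "$Domain\$env:COMPUTERNAME-Admins"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $LogFile
}

# Current members. .Name comes back as DOMAIN\account or COMPUTER\account
# (or a bare SID if the account has been deleted).
$Current = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
           Select-Object -ExpandProperty Name

# Add anything desired that is missing. A missing per-computer AD group is the
# most likely failure, so log it instead of aborting the rest of the startup script.
foreach ($m in $Desired) {
    if ($Current -notcontains $m) {
        try {
            Add-LocalGroupMember -Group $Group -Member $m -ErrorAction Stop
            Write-Log "ADD    $m"
        } catch {
            Write-Log "ERROR  could not add $m : $($_.Exception.Message)"
        }
    }
}

# Remove domain accounts that are not on the desired list (the "forgot about it"
# case from the thread). Local accounts such as COMPUTER\Administrator are left alone.
foreach ($m in $Current) {
    if ($m -like "$Domain\*" -and $Desired -notcontains $m) {
        try {
            Remove-LocalGroupMember -Group $Group -Member $m -ErrorAction Stop
            Write-Log "REMOVE $m"
        } catch {
            Write-Log "ERROR  could not remove $m : $($_.Exception.Message)"
        }
    }
}
```

Run it as a Computer Configuration startup script (it executes as SYSTEM, which is required to change local group membership); the log gives you a per-machine audit trail of every grant and removal.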

