Add Domain user/group as winXP local Administrator
  • Add Domain user/group as winXP local Administrator

    I have more than 400 WinXP workstations, and I have a Technical Support team to support all these workstations.
    To gain access to each workstation, Technical Support have to add themselves manually to any workstation, then log in as local administrator.

    I am wondering if there is any way, i.e. using GPO, where I can add a domain user or group as local Administrator.

    Cheers,
    eBe
    eBe75

  • #2
    Re: Add Domain user/group as winXP local Administrator

    You can accomplish this with Restricted Groups;

    Create AD groep: WinXPAdmins (or something like that)
    Create a domain user account: localServiceAccount (or something like that)
    Make that new account a member of the new group

    Create a restricted group: Administrators in the GPO for the computers.
    Make the 2 groups: Domain Admins, WinXPAdmins members of that restricted group.

    example:
    http://forums.petri.com/showthread.p...omain%20Admins

    (You even could create a Restricted Group called: "Remote Desktop Users" to control who else may log on to the computer via RDP. In fact, by using local groups as restricted groups you delete the locally entered users from that group, and the members now are fully controlled by GPO)

    \Rem
    Last edited by Rems; 17th March 2007, 20:41.

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Add Domain user/group as winXP local Administrator


      Originally posted by Rems:
      Create AD groep:
      Rem, dear. We're in English here, OE doesn't work the same in English !!
      Sorry, no offense, it was just funny to see it.
      Keep up the gr8 work! I might understand your scripts one day

      Sorin Solomon

      »»»»»
      In order to succeed, your desire for success should be greater than your fear of failure.
      -
      «««««



      • #4
        Re: Add Domain user/group as winXP local Administrator

        Hey Sorin

        Ha, that is a coincidence, just before you sent this message I noticed that I wrote English style on a non-English forum. So it must be my keyboard then.




        • #5
          Re: Add Domain user/group as winXP local Administrator

          I have done what you wrote step by step. Now the user can log in remotely using SMS or MSTSC, but when it comes to installation it asks for Admin user name and password.
          Can you help?
          eBe75



          • #6
            Re: Add Domain user/group as winXP local Administrator

            Originally posted by ebe75:
            I have done what you wrote step by step. Now the user can log in remotely using SMS or MSTSC, but when it comes to installation it asks for Admin user name and password.
            Can you help?
            Am I reading this correctly, you want us to supply you with YOUR Administrator username and password?
            1 1 was a racehorse.
            2 2 was 1 2.
            1 1 1 1 race 1 day,
            2 2 1 1 2



            • #7
              Re: Add Domain user/group as winXP local Administrator

              No ... No
              You got me wrong.
              What I meant: after the technical support guy logs in and tries to install a software or application, a box will appear asking for the user name and password of the local machine. When he/she enters their domain user name and password, it refuses. And they have to enter the local Administrator password, and this I don't want.
              e.g.
              • I have Mark Anthony (Technical Support), who has a request to install Nero software
              • Log in remotely to xxxx workstation
              • Double click on setup
              • A box appears: Run as Administrator or Domain\MarkAntony

              Hope this is clear
              eBe75



              • #8
                Re: Add Domain user/group as winXP local Administrator

                When,
                - you created the Global group in AD, with a name something like "WinXPAdmins"
                - you created a Restricted Group in the GPO linked to the workstations; that Restricted Group must have the name Administrators.
                - and added the new group "WinXPAdmins" and the default group "Domain Admins" as members to that 'Restricted Group'.

                Then,
                check the local group membership on one of the workstations after a reboot of that workstation, to confirm that the members of the local group Administrators are now: Domain Admins and WinXPAdmins. (!?)

                If that is OK, the policy was successfully applied to all the workstations.
                The only thing left to do now is to make Domain\MarkAntony a member of the Global group "WinXPAdmins".


                \Rem

                Alternatively;
                Mark Antony can now also use Runas... with the account domain\localServiceAccount <-- if you did make that domain account a member of the global group WinXPAdmins (see my first post).
                Last edited by Rems; 19th March 2007, 14:50. Reason: RunAs alternative

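An added example, not part of the thread or any poster's script: the membership check described in post #8, done by comparing `net localgroup Administrators` output with the members the Restricted Group should enforce. The domain name CONTOSO, the function names and the sample output are constructed, and English-language command output is assumed.

```powershell
# Added example. CONTOSO is a placeholder domain; WinXPAdmins is the group
# name suggested in the posts above.
$Expected = @('CONTOSO\Domain Admins', 'CONTOSO\WinXPAdmins')
# The built-in Administrator account stays in the group under Restricted Groups.
$AlwaysAllowed = @('Administrator')

function Get-NetLocalGroupMember {
    param([string[]]$NetOutput)
    # Assumes English output: members sit between the dashed separator
    # and the "The command completed" line.
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $line.Trim() }
    }
}

function Test-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected, [string[]]$AlwaysAllowed)
    $allowed    = $Expected + $AlwaysAllowed
    # -notcontains compares case-insensitively, like Windows account names.
    $missing    = @($Expected | Where-Object { $Actual  -notcontains $_ })
    $unexpected = @($Actual   | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{
        Missing    = $missing      # policy not applied (check gpresult /v)
        Unexpected = $unexpected   # hand-added accounts the policy should remove
        Compliant  = ($missing.Count -eq 0 -and $unexpected.Count -eq 0)
    }
}

# Constructed sample: a workstation where the GPO has not applied yet, so a
# manually added technician account is present and WinXPAdmins is absent.
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\Domain Admins
CONTOSO\MarkAntony
The command completed successfully.
'@ -split "`r?`n"

$members = Get-NetLocalGroupMember $sample
Test-AdminMembership -Actual $members -Expected $Expected -AlwaysAllowed $AlwaysAllowed | Format-List
```

On a live workstation, pass the output of `net localgroup Administrators` in place of `$sample`.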


                • #9
                  Re: Add Domain user/group as winXP local Administrator

                  Is there a way we can do using login script?
                  eBe75



                  • #10
                    Re: Add Domain user/group as winXP local Administrator

                    What are you referring to? Please define your question: what exactly is it you want to do by logon script?

                    You do know that logon scripts are processed under the user account's permissions! If you need elevated privileges to, for instance, manage local group memberships, then you must use a Computer Policy or use a Startup script; startup scripts are always executed by the system account before the user logon screen appears.
                    Or you could use Runas.exe or psExec in a user logon script instead (search the scripting forum for more information about that option). But the 'runas' option is not really necessary for the situation that you described earlier. And I would not recommend that option because of security issues.

                    btw
                    did or didn't you succeed in using 'Restricted Groups'?


                    \Rem
                    Last edited by Rems; 24th March 2007, 17:38. Reason: improving my English :)



                    • #11
                      Re: Add Domain user/group as winXP local Administrator

                      Frankly didn't work with me?
                      eBe75



                      • #12
                        Re: Add Domain user/group as winXP local Administrator

                        ebe75, I would encourage you to revisit the "proper" way, as per the thread already mentioned, (for convenience: http://forums.petri.com/showthread.p...omain%20Admins ).

                        I went through that thread very carefully and repeated their steps to show some other guys in my company how to do it and it worked perfectly.

                        It really is worth doing it this way as it is the best way.
                        Best wishes,
                        PaulH.
                        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                        • #13
                          Re: Add Domain user/group as winXP local Administrator

                          Originally posted by ebe75:
                          Frankly didn't work with me?
                          Well just words of franklyness only does not bring you and me any further, does it.
                          What do you want? You want to work on a solution, or just collecting different options, to bring them to your 'cage' and hoping you succeed with one of them? fine by me.

                          The GPO must be linked to the OU with workstation accounts. Did you check if the GPO, where you configured Restricted Groups in, is applied correctly to the computer?
                          Otherwise double check for typos in the name of the created Restricted Group; it must exactly be "Administrators" (no domain or computer name in front). Re-check the members you added to the Restricted Group, add your account to it and see if it shows up on the workstations after they were rebooted.
                          Did you refer to the link with the example I provided? Because it should work.
                          And send screenshots, so we can help you out.

                          But OK your wish... here you can find the script option;
                          - Controlling Local Group Membership by script
                          - How Can I Add a Domain User to a Local Administrators Group by script?
                          - 'Search in Petri'<<=="add to local group"
                          - By startup batch: net localgroup Administrators "DOMAIN\Group" /ADD

                          Let us know how it's doing (and what it's not),
                          \Rem

                          EDIT
                          Hi Paul,
                          I did not refresh my screen, read your post afterwards.
                          And you are right, using 'Restricted Groups' is the best way to handle members of a certain local group.

                          (I know starting with restricted groups can be cumbersome, but afterwards you can't hardly understand why it was that difficult)
                          Last edited by Rems; 27th March 2007, 19:03.



                          • #14
                            Re: Add Domain user/group as winXP local Administrator

                            Originally posted by Rems:
                            (I know starting with restricted groups can be cumbersome, but afterwards you can't hardly understand why it was that difficult)
                            Yes, and I was lucky, because I had your posts and JeremyW's to help from that other thread. Also, ebe75 may like to see how useful gpresult /v can be when trying to troubleshoot GPOs that don't seem to work. There is often useful info at the start, so you may wish to use gpresult /v > myfile.txt then read myfile.txt with Notepad. Run gpresult on the workstation to see if the policy got filtered out or something. I hope, ebe75, that this helps you to get Restricted Groups working by helping to troubleshoot GPOs.
                            Best wishes,
                            PaulH.
                            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
