Announcement

Collapse
No announcement yet.

Dynamic Local Admin on XP clients

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Dynamic Local Admin on XP clients

    We have a win2k3 Domain with winXP clients.
    We want to accomplish the following:

    A user logs on to Workstation A with his Domain account.
    On this WS he is now local admin.
    Not on any other WS he is local admin. When he logs off he is not Local Admin anymore.

    The Next day this person logs on to Workstation B, with the same AD account.
    Now he is Local admin on Workstation B. When he logs off he is not Local Admin anymore.

    This process should be dynamic, no intervention by an Admin.

    The idea behind is that a User should be able to have admin access on the pc he's working on, but cannot access any other workstations drives or other stuff.

    Already looked at some possible solutions, but they way I see it these options are not dynamic.
    http://windows.stanford.edu/Public/I...ocalgroup.html
    http://forums.petri.com/archive/index.php/t-13218.html

  • #2
    Re: Dynamic Local Admin on XP clients

    The only way to achieve this would be a logon and logoff script.

    Logonscript:

    Code:
    @echo off
    
    Net Localgroup administrators %Username% /add
    
    :eof
    Logoffscript:
    Code:
    @Echo off
    
    Net LocalGroup Administrators %Username% /Delete
    
    :eof
    This is something i have put together, i'm sure if you google you will find various of scripts in other languages (Cscript/wscript).

    You can apply these script as a logon/logoff script with group policy, applied to the user object.
    [Powershell]
    Start-DayDream
    Set-Location Malibu Beach
    Get-Drink
    Lay-Back
    Start-Sleep
    ....
    Wake-Up!
    Resume-Service
    Write-Warning
    [/Powershell]

    BLOG: Therealshrimp.blogspot.com

    Comment


    • #3
      Re: Dynamic Local Admin on XP clients

      I think the Logonscript will run under the context of the user logging in.
      If this user does not have admin rights, how can this user add himself to the admins group

      Comment


      • #4
        Re: Dynamic Local Admin on XP clients

        That is correct, but there are some inventive ways to run the scripts by alternate credentials.
        [Powershell]
        Start-DayDream
        Set-Location Malibu Beach
        Get-Drink
        Lay-Back
        Start-Sleep
        ....
        Wake-Up!
        Resume-Service
        Write-Warning
        [/Powershell]

        BLOG: Therealshrimp.blogspot.com

        Comment


        • #5
          Re: Dynamic Local Admin on XP clients

          Yes, I have seen that.
          But want to avoid working like that. So if there is a solution that meets the requirements as layed out in the first post I'd prefer that.

          Comment

          Working...
          X