Add User Local Group?

  • Thread starter: Ben Blackmore

Ben Blackmore

Hi,

I'd like to add a user to a machine's local Administrators group, either via
group policy or a logon script. I found the following script on the net,
however it doesn't seem to work:

Dim DomainName
Dim UserAccount
Dim net, local, group

Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName
DomainName = "MyDomain"
UserAccount = "UserAccount"

' Bind to the local Administrators group via the WinNT provider
Set group = GetObject("WinNT://" & local & "/Administrators")

On Error Resume Next
group.Add "WinNT://" & DomainName & "/" & UserAccount
CheckError

Sub CheckError
    If Err.Number <> 0 Then
        ' Report the provider's own error text (e.g. access denied)
        MsgBox Err.Description, vbCritical
        Err.Clear
    Else
        MsgBox "Done."
    End If
End Sub

Can anyone see why it's not working, or think of another way to add a user to
a local group? Ideally I'd like to be able to add %username% to any group,
so I don't have to keep changing the username by hand; it will just pick up
the current user who is logging on!

Cheers

Ben
 
Hello Ben, you can use Restricted Groups under Security Settings, under
Windows Settings, in the Computer Configuration part.
 
Found the following script which works better; however, if the user is not an
admin, it errors with 'General access denied error'. Is there any way to
supply the local administrator username & password to allow the script to
add a local user?

strDomainUser = "WinNT://MyDomain/UserName,user"

Set objDomainUser = GetObject(strDomainUser)

Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

If Not objLocalGroup.IsMember(objDomainUser.AdsPath) Then
objLocalGroup.Add(objDomainUser.AdsPath)
End If
 
Ben, no, since a logon script runs under the logged-in user's context. Startup
scripts run under Local System, but you can't get the username because no
user is logged in during the startup process. One way is to sync a domain
group with the local group during startup within a startup script.
 
Ben,

I would go with the GPO 'Restricted Groups' that Chris suggested. It is a
really good way to do this...

HTH,

Cary
 
Ben,

In addition to what the others have said, if you add "interactive" to the
local administrators group, then any user who is normally able to log in at
the console will be an administrator of that machine.

Hope this helps

Oli
 
Hi,

You could run the script you posted as a startup script, but add a domain
group instead of a user to the local Administrators group. As you noted, a
startup script runs before any user logs on. However, using a domain group
means that you can manage group membership at any time without touching the
machines further (once the domain group is added to the local Administrators
group on each machine). If your intention is to make everyone a local admin
without exception, you could even use the group "Domain Users", which by
default all domain users belong to.

Note, this is how domain administrators get admin privileges on all local
machines. When a computer joins a domain, the group "Domain Admins" is made
a member of the local Administrators group. To me, this makes more sense than
adding every user individually to the group. I've seen computers used by
hundreds of users.
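The startup-script variant described above, written out as an added example (not the poster's script): it runs as Local System, so it logs to the Application event log instead of showing a MsgBox, adds a domain group only if it is not already a member, and records the resulting membership so over-broad entries such as "Domain Users" are visible. The domain "MyDomain" and group "Workstation Admins" are placeholders.

```vbscript
' Startup script: ensure a domain group is in the local Administrators group.
' Runs as Local System (no desktop), so all output goes to the event log.
' "MyDomain" and "Workstation Admins" are assumed placeholder names.
Option Explicit
On Error Resume Next

Const GROUP_PATH = "WinNT://MyDomain/Workstation Admins,group"
Const EVT_ERROR = 1, EVT_INFO = 4   ' WshShell.LogEvent type codes

Dim objNetwork, objShell, objGroup, objMember, strComputer, strMembers
Set objNetwork = CreateObject("WScript.Network")
Set objShell   = CreateObject("WScript.Shell")
strComputer    = objNetwork.ComputerName

' Bind to the local group with the ",group" class hint so the provider
' does not have to guess the object type.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Cannot bind local Administrators: " & Err.Description
    WScript.Quit 1
End If

' Bind the domain group the same way the posted script binds the user.
Set objMember = GetObject(GROUP_PATH)
If Err.Number <> 0 Then
    objShell.LogEvent EVT_ERROR, "Cannot bind " & GROUP_PATH & ": " & Err.Description
    WScript.Quit 1
End If

' Idempotent add: running at every boot must not error on the second run.
If objGroup.IsMember(objMember.AdsPath) Then
    objShell.LogEvent EVT_INFO, objMember.Name & " already in Administrators on " & strComputer
Else
    objGroup.Add objMember.AdsPath
    If Err.Number <> 0 Then
        objShell.LogEvent EVT_ERROR, "Add failed: " & Err.Description
        WScript.Quit 1
    End If
    objShell.LogEvent EVT_INFO, "Added " & objMember.Name & " to Administrators on " & strComputer
End If

' Audit: log the final membership so unexpected broad entries stand out.
strMembers = ""
For Each objMember In objGroup.Members
    strMembers = strMembers & objMember.Name & "; "
Next
objShell.LogEvent EVT_INFO, "Administrators on " & strComputer & ": " & strMembers
```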
 
Hi Chris,

Thanks for the help, the Restricted Groups sounds like a good idea. I'm just
looking at it now.

I've selected our 'Computer OU' and gone into the policy, then Security >
Restricted Groups, and added 'Domain Users'. However, when I then right-click on
the group, and click 'Security' to configure membership, it says '<This
group should contain no members>' under the 'Members of this group' section.
Should this not list all members that are part of the Domain Users group? Or
do I have to add them manually?

Many Thanks

Ben
 
Something else I've just noticed is that when I add a new restricted group, I
click Browse to see the groups, select our domain, but it doesn't have any
of our groups in there, only the standard AD groups, i.e. Domain Admins,
Domain Users, Enterprise Admins etc. We have groups for each of our
departments, i.e. accounts group, warehouse group, marketing group.
Looking at this, it would not be possible to add the accounts group to their
workstations; we'd have to add all Domain Users, which may present a problem
if the group only wants their department to have the local administrator
access.

Cheers

Ben
 
Ben said:
Thanks for the help, the restricted groups sounds like a good idea. I'm just
looking at it now.

I've selected our 'Computer OU' and gone into the policy, then security >
restricted groups, added 'Domain Users' however,
Hi

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain Users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross-network admin rights (remote access)
that these groups introduce.
 