Best way to get WS Admin Rights

Dave Clark

What is the best way to assign a DOMAIN USER local
administrative rights (or power user) to a workstation?
May need to do this on a LARGE scale at multiple
locations, so doing it manually (by adding the domain
group to the local group) isn't a good option.
 
I have read a few articles that talk about:
-net localgroup
-cusrmgr.exe

But all of these need admin rights to run, or a machine
name....I need to make this happen on 15,000
workstations. Each one will need to be added to the
domain naturally, so they will get touched, but I would
like something in place so it would be automatic and not
rely on "human" intervention to add the domain group to
the local one.
 
Hi!

Have you tried using a VBScript run with SU? If you generally trust your
network to be safe from eavesdropping you could use SU.exe from the W2k
Resource Kit to run the VBScript under an administrator's context.

Rgds,
Hasse
 
As long as you aren't referring to NT4.0 workstations,
the best way to do this is via a restricted groups
definition within the computer section of a group policy
object.

Be wary that when the workstation receives this policy,
it not only applies the groups that you have specified
into the local admins group, it will also remove any
groups or users that you did not specify that exist there
at the time of the application of policy. This may not be
a big deal if you are adding "domain users".

Also, make certain that this policy does not apply to
your domain controllers OU. Since the dc does not have a
local administrators group, it will add the group you
specified into the global group "administrators".

With these 2 caveats in mind you should be able to do
this pretty easily.
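
A pre-deployment check for the two caveats in the reply above, as an added example that is not part of the original thread: it parses the `[Group Membership]` section of a GPO security template (GptTmpl.inf, where Restricted Groups settings are stored) and reports, per host, which current local Administrators members the policy would remove and whether a domain controller is in scope. The template, SIDs, host inventory and function names are constructed for illustration, and removal is modelled as the reply describes it (anything not listed is removed).

```python
# Constructed sample GptTmpl.inf; the domain SID 1111-2222-3333 is made up.
TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-513
"""
DOM = "S-1-5-21-1111-2222-3333"
# Constructed inventory of current local Administrators members per host.
INVENTORY = {
    "WS-0001": {"is_dc": False, "admins": {DOM + "-512", DOM + "-1105"}},
    "WS-0002": {"is_dc": False, "admins": {DOM + "-512", DOM + "-513"}},
    "DC-01": {"is_dc": True, "admins": {DOM + "-512"}},
}
ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

def parse_restricted_groups(text):
    """Return {group_sid: set(member_sids)} from [Group Membership] __Members lines."""
    groups, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        target, _, kind = key.strip().rpartition("__")
        if kind.lower() == "members":
            members = {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
            groups[target.lstrip("*")] = members
    return groups

def policy_impact(template, inventory):
    """Per host: members the policy would remove/add, and whether the host is a DC."""
    wanted = parse_restricted_groups(template).get(ADMINS_SID)
    if wanted is None:
        return {}
    return {
        host: {
            "removed": sorted(info["admins"] - wanted),
            "added": sorted(wanted - info["admins"]),
            "dc_in_scope": info["is_dc"],
        }
        for host, info in inventory.items()
    }
```

Any host with a non-empty `removed` list or `dc_in_scope` set to true is worth reviewing before the GPO is linked.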
 