#28349 - 2002-09-03 10:16 PM Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
We have some Win2K PCs in a non-secure environment, that we want to make the currently logged-on domain user a member of the local admin group so they can install software without a support call.

Is a kix logon script an appropriate way to accomplish this, or does someone have a better solution? Note that I *do* want to restrict across the network access to the PC, so simply adding Domain Users to local admins isn't an option. I just want whoever is physically at the PC, as long as they can authenticate to the domain, to be a local admin on that PC. Make sense I hope???

Thanks!!

Top
#28350 - 2002-09-03 10:34 PM Re: Making the current user a local admin
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
So are you wanting to make only one account (the current owner) an Administrator on a computer, two accounts, or whoever sits down at the computer (many unknown accounts)?

[ 03. September 2002, 22:52: Message edited by: Howard Bullock ]
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28351 - 2002-09-03 10:40 PM Re: Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
I thought about the fact that eventually you could have a lot of accounts in that group. One option I thought of was to have the script remove all but domain admins from the group, and then add the user back in, each time the script runs.

Admittedly, this is kludgy. My first thought was if Win2K had a built-in object called something like "currently logged on user" that dynamically changes as each user logs on, but I can't find anything like that.

What do you think?

Top
#28352 - 2002-09-03 10:52 PM Re: Making the current user a local admin
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Not to be TOO rough but, if that is the case where any user can have Admin by logging on, why just create one domain account called "user" and give the account the password "password". I think what you suggest is problematic. You are right back to the "domain admin" group level of access that you did not want to grant.

Are your computers shared? Do most of your computers have a single user? How many accounts? How many computers? What about "Power Users"?
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28353 - 2002-09-03 11:04 PM Re: Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
Howard, you're quite right - I had the same questions for the people asking me to do this. The issue is that good ole management wants a user to be able to install his own software, but does NOT want a single account that everyone knows that would have \\computer\c$ access to the PC across the network.

Power Users won't work, unless I can somehow modify it. Office XP, for example, will not install with Administrator rights (unless you enable Elevated for the Win installer service). But that would only resolve the problem for msi-enabled apps, not legacy apps.

Top
#28354 - 2002-09-03 11:24 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
If it is only Windows 2000/XP, then you could create a Kixtart script containing the local admin password that runs at startup and adds the logged in user to the admin group. You then create a second script that removes the user upon logoff and run that via policies. However, if the computer is not shut down cleanly, the user will stay in the admin group.

Secondly it is easy for that user to make himself a member of the admin group permanently.

Personally, I would give those users the local admin password to those computers. It is also not a safe way of doing business but less trouble with the same end result.

However, I would only do this if there is absolutely no other way because I wouldn't trust those machines anyway since they are in a non-secure environment.

[ 03. September 2002, 23:27: Message edited by: sealeopard ]
_________________________
There are two types of vessels, submarines and targets.

Top
#28355 - 2002-09-03 11:25 PM Re: Making the current user a local admin
Howard Bullock Offline
KiX Supporter
*****

Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
Well "Management's" request is just lacking common sense and managerial thought. You don't want userA getting access to userB's C$ share, but you will permit UserA to logon to UserB's PC and be given Admin rights. Get Real.

Why not install software for them in a managed methodical way?
_________________________
Home page: http://www.kixhelp.com/hb/

Top
#28356 - 2002-09-03 11:50 PM Re: Making the current user a local admin
Mordac85 Offline
Fresh Scripter

Registered: 2000-02-16
Posts: 34
Loc: Urbana, OH, USA
I have to agree w/Howard and sealeopard, in effect you're circumventing the basic reason for your security. Allowing a user admin rights on a temporary basis is one thing, uncontrolled SW installs will become unmanageable.

What is the turn around time for a user to request this from the help desk? I would stress to management that loss of any control over the workstations, and the support headaches that go with it, is what made the help desk and limited number of admins a cost effective solution.
_________________________
~Glenn

==============================
Deadlines take their toll.
Please have exact change.

Top
#28357 - 2002-09-04 03:48 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
The next question is: How often are they actually installing software? Do they do this on a daily basis? Then what is the reason for those frequent software installs?

If they need administrative access to restore their computer then you could make a bootable CD with an image of their harddisk, give them the CD and they can restore the drive in a couple of minutes. PowerQuest's DriveImage has this capability to create a bootable CD to apply the image on the CD automatically. Pop in the CD, wait 10 minutes, and the computer is as new [Wink]

[ 04. September 2002, 16:10: Message edited by: sealeopard ]
_________________________
There are two types of vessels, submarines and targets.

Top
#28358 - 2002-09-04 09:09 PM Re: Making the current user a local admin
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11628
Loc: CA
Hey Jens,

That bootable CD was a great option in the past, but nowadays with XP (1.6GB alone), Office XP, IE and Windows patches/updates, Adobe Acrobat Reader, Winzip, SAP, Norton AV, etc.... our images even after compressing are well over 1GB in size. Now maybe bootable DVD... [Big Grin]

Top
#28359 - 2002-09-04 09:44 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
DriveImage can split the image onto multiple CDs.

Alternatively pulling from a network repository. Or a USB harddrive. Or a USB memory stick.

Now, if there would be a way to boot from a USB device or access it under DOS, that would be fun.
_________________________
There are two types of vessels, submarines and targets.

Top
#28360 - 2002-09-04 09:51 PM Re: Making the current user a local admin
Anonymous
Unregistered


sorry but i need to test ....

[ 04. September 2002, 21:57: Message edited by: novastar ]

Top
#28361 - 2002-09-04 10:05 PM Re: Making the current user a local admin
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Symantec has Ghost, which is able to make an image of a PC too.

It has many more features, like multicasting images to several workstations which are booted from a floppy with network drivers. You can also put a special partition on a workstation from which the user can boot a Ghost-client OS. An administrator can then take control of the workstation and push an image to it.

Take a look at Symantec Ghost™ Corporate Edition 7.5
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

Top
#28362 - 2002-09-05 07:45 PM Re: Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
Thanks to all for your comments - you're preaching to the choir. I wish they just would have left all the PCs Windows 98 in the field :-(

Remote software installs won't work - all 200 WAN sites are 56K frame. Calling in as needed won't work - >10,000 employees potentially calling in. Making the individual user an Admin before they receive their PC from corporate won't work - too much turnover.

Firing the support services director - now there's a thought!

Thx anyway...I need to go take a drive in a car built before PCs.
tr6boy

Top
#28363 - 2002-09-05 08:07 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
What is the difference in making the user part of the admin group before they receive the PC and making him a member of the local admin group while they are logged in?

It's the same end result, they are members of the local admin group. Whether they are removed upon logoff or not doesn't really matter at that point.
_________________________
There are two types of vessels, submarines and targets.

Top
#28364 - 2002-09-05 10:52 PM Re: Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
The difference is I have to know the user ahead of time if I want to configure it before it goes out. I don't usually have that information for a new remote user. Sometimes when the PC is requested, they aren't even hired yet.

The other method is dynamic. I understand that the security (or lack thereof) is the same.

And the only reason it matters to me that they are removed later is so I don't have more than one user in the admins group.

Top
#28365 - 2002-09-05 11:06 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
If I understand it correctly, then the user that is logging in is a domain user, right? Now, if the 'Domain Users' group is part of the local 'Administrators' group, then a new employee will automatically receive the local administrator rights on the computer as long as he's a member of the 'Domain Users' group. When the employee leaves, just delete/disable the account and you're done.

Now, whether you have only one user in the admin group while he's logged in or the domain users group as a fixed administrator group doesn't really matter since you are creating the same low security and a knowledgeable user will circumvent it anyway within minutes.

However, if you still want to do it the dynamic way, then you will need to utilize either SU.EXE or the Task Scheduler in combination with an encrypted and/or compressed/executabled script to hide the password. There are a couple of examples posted on this BBS.
_________________________
There are two types of vessels, submarines and targets.

Top
#28366 - 2002-09-05 11:18 PM Re: Making the current user a local admin
tr6boy Offline
Starting to like KiXtart

Registered: 2001-10-24
Posts: 131
Correct - just one thing, which is what started me down this whole path. If I configure Domain Users to be a member of Administrators, all domain users would have *ACROSS THE NETWORK* administrative access to the PC (\\computer\c$). This is what they don't want. Management is willing to accept that because of the physical security on the building, that anyone who can *SIT* at the PC is OK to be an Admin for that PC and that session, but they don't want anyone on the network to be able to browse any PC at other locations. Stupid, I know...but I do genuinely appreciate everyone's thoughts on this.
Top
#28367 - 2002-09-05 11:37 PM Re: Making the current user a local admin
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
How do you monitor that a user doesn't add himself to the administrators group permanently?

Also, how do you ensure that the user is removed correctly upon logoff or in case the computer crashes/loses power/is switched off without a logoff script running?

Anyway, it's definitely doable.
_________________________
There are two types of vessels, submarines and targets.

Top
#28368 - 2002-09-06 12:07 AM Re: Making the current user a local admin
MightyR1 Offline
MM club member
*****

Registered: 1999-09-09
Posts: 1264
Loc: The Netherlands
Guys,

what about this scenario:

  • Make sure the SUSS service is installed
  • A user logs on with normal user rights
  • The logonscript generates a random password and sets an environment variable SU_PASSWORD with the generated password.
  • With the password.exe tool from MCA's site, in the logonscript the local administrator password is set to the generated password.
  • If a user needs to install software you could write a script which asks for the setup command
  • This install script starts SU.exe program with the administrator as user and the entered setup command.

A problem with this scenario is network access. This can be solved by allowing Null session shares.
This scenario allows a user to install software and still have a somewhat secure environment....
_________________________
Greetz,
Patrick Rutten

- We'll either find a way or make one...
- Knowledge is power; knowing how to find it is more powerful...
- Problems don't exist; they are challenges...

Top