Making the current user a local admin - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Making the current user a local admin

Page 2 of 2

2

Topic Options

#28369 - 2002-09-06 03:43 PM Re: Making the current user a local admin
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11165 Loc: Boston, MA, USA	Hmm, got another idea. Not sure whether it works or not but we'll see. Idea 1: Create a new link to the Windows Explorer and set the 'Run As' property in the link properties to the local administrator. My hope is that all executables launched from within the newly linked Explorer will inherit the Explorer admin credentials. Idea 2: Redirect the shell for users. As you might be aware, the default shell for users is explorer.exe whioch can be redirected to e.g. the command prompt or Winword, or anyy other program. So, the idea is to redirect the shell to a program that launches the actual Explorer executable under the local administrative account. Maybe you could even integrate Idea 1 into Idea 2 or use a batch file that starts the Explorer under an administrative account with SU.EXE. See http://support.microsoft.com/default.aspx?scid=KB;EN-US;q143164& and http://www.windows2000faq.com/Articles/Index.cfm?ArticleID=14827 for the registry keys involved. _________________________ There are two types of vessels, submarines and targets.
Top

#28370 - 2002-09-06 09:07 PM Re: Making the current user a local admin
MightyR1 MightyR1 MM club member Registered: 1999-09-09 Posts: 1264 Loc: The Netherlands	Jens, I like your first idea. The problem is that the admin password on all machines has to be identical... Next week I'll try it at work _________________________ Greetz, Patrick Rutten - We'll either find a way or make one... - Knowledge is power; knowing how to find it is more powerful... - Problems don't exist; they are challenges...
Top

#28371 - 2002-09-06 09:19 PM Re: Making the current user a local admin
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11165 Loc: Boston, MA, USA	Not necessarily since you do have to enter the admin password during the setup of that link. Once it has entered you don't need to care about it anymore. You can also create a special local user with administrative rights for this purpose. _________________________ There are two types of vessels, submarines and targets.
Top

#28372 - 2002-09-06 09:29 PM Re: Making the current user a local admin
MightyR1 MightyR1 MM club member Registered: 1999-09-09 Posts: 1264 Loc: The Netherlands	Jens, I can agree with that, but what if you have > 10 PCs which require this solution? Then you'd want to set it up in a logon script, well I would... Hmmm, maybe a mix of both our solutions? BTW Almost everyone is back on the board now. Shall we play GOLF? _________________________ Greetz, Patrick Rutten - We'll either find a way or make one... - Knowledge is power; knowing how to find it is more powerful... - Problems don't exist; they are challenges...
Top

#28373 - 2002-09-06 09:36 PM Re: Making the current user a local admin
BrianTX BrianTX Korg Regular Registered: 2002-04-01 Posts: 895	I like this idea (which includes some from other ideas): 1. Create a global account. 2. Add the global account to the local administrators group (on the ghost image, perhaps?) 3. Add to logon scripts to remove local admin rights from all network accounts but Domain Admins after a set period of time after the install date (assuming you use sysprep prior to your image) (1 to 7 days?) Brian
Top

#28374 - 2002-09-07 11:29 PM Re: Making the current user a local admin
Mordac85 Mordac85 Fresh Scripter Registered: 2000-02-16 Posts: 34 Loc: Urbana, OH, USA	What about using PSExec fm Sysinternals ? Not a lot of fuss and muss and easily incorporated into any script. However, if you have >10K users in 200 sites all running 56K frame, what is the difference if they pull it across the wire or you pushing it? If you don't have a local distro source it's going to take a while anyway. And this way you're not creating any overly complicated group structures. If you have a rollout for anything affecting such a large number of users I would be manipulating their groups, or create a new one for the rollout, and handle the distro w/a CD or DVD and a specific script for the effort. For onesie/twosie installs the more secure method would be to push it out as needed. But then again I don't have enough info to tell what you're trying to get installed and on what kind of scale or your distribution method. Large projects are a lot different than individual, daily support. _________________________ ~Glenn ============================== Deadlines take their toll. Please have exact change.
Top

#28375 - 2002-11-23 12:48 AM Re: Making the current user a local admin
BrianK BrianK Getting the hang of it Registered: 2002-10-02 Posts: 90 Loc: Amsterdam, The Netherlands	Hi all, Regardless the question if it is wise to give your user "Local Admin" rights, by adding the Current User to the Administrators group, the question still remains; is it possible to do this with a kix script? If so... what does it look like? :-) Thanks, Brian _________________________ Rodney Dangerfield: “My mother didn't breast-feed me. She said she liked me as a friend.”
Top

#28376 - 2002-11-22 03:42 PM Re: Making the current user a local admin
Sealeopard Sealeopard KiX Master Registered: 2001-04-25 Posts: 11165 Loc: Boston, MA, USA	code: $username='johndoe' shell '%comspec% /c NET LOCALGROUP ADMINISTRATORS /ADD '+$username This must be executed under an account that has the right to add users to local groups (e.g. an administrative account). It might be easier to add the 'Domain Users' group to the local 'Administrators' group. Then you don't have to update your local computers all the time when you add/delete domain users. BTW, search for 'net localgroup' to retrieve threads discussing this. _________________________ There are two types of vessels, submarines and targets.
Top

#28377 - 2002-11-25 04:08 PM Re: Making the current user a local admin
BrianK BrianK Getting the hang of it Registered: 2002-10-02 Posts: 90 Loc: Amsterdam, The Netherlands	Is there any way to add the Domain Users to the local Administrators remotly through a script or with some sort of tool, without someone having to log on with local Admin rights? B. _________________________ Rodney Dangerfield: “My mother didn't breast-feed me. She said she liked me as a friend.”
Top

#28378 - 2002-11-25 04:11 PM Re: Making the current user a local admin
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Absolutely Check out GrpMaint.exe on my web site. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#28379 - 2002-11-25 04:12 PM Re: Making the current user a local admin
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	If you want to code it yourself using ADSI and KiXtart let us know. [ 25. November 2002, 16:12: Message edited by: Howard Bullock ] _________________________ Home page: http://www.kixhelp.com/hb/
Top

#28380 - 2002-11-25 04:15 PM Re: Making the current user a local admin
BrianK BrianK Getting the hang of it Registered: 2002-10-02 Posts: 90 Loc: Amsterdam, The Netherlands	I'll check out your tool first, Howard, thanks! Brian _________________________ Rodney Dangerfield: “My mother didn't breast-feed me. She said she liked me as a friend.”
Top

#28381 - 2002-11-25 04:35 PM Re: Making the current user a local admin
BrianK BrianK Getting the hang of it Registered: 2002-10-02 Posts: 90 Loc: Amsterdam, The Netherlands	Howard, if I want to add the Domain Admins to a local Administrators, using your GrpMaint.exe, would this be the correct syntax?: GrpMaint.exe --Add DOMAIN\Domain Users WORKSTATION\Administrators B. _________________________ Rodney Dangerfield: “My mother didn't breast-feed me. She said she liked me as a friend.”
Top

#28382 - 2002-11-27 12:04 AM Re: Making the current user a local admin
JSchroeder JSchroeder Fresh Scripter Registered: 2002-06-24 Posts: 11	I have programmed a Server-Client Version for the Problem you are writing about. First we have to get a List of Netbios-Names which have been logged on the Domain. Add following script into the netlogon : quote: If @inwin="1" If Open(3,"\\srv0017\logs$\needlocal.log",5)=0 $x=WriteLine( 3,@WKSTA+Chr(13)+Chr(10) ) Close(3) Else Beep ? "konnte Log-Datei auf SRV0017 nicht öffnen" EndIf EndIf SRV0017 is my "logging"-Server .... Then choose a Workstation which is doing a Batch-Job analysing the Log-File and doing a psexec on each remote Station : quote: BREAK ON ;? "Checking Log-File" IF Open(3, "\\srv0017\logs$\NEEDlocal.log")=0 $X= ReadLine(3) While @ERROR=0 ? "WS-Nummer gelesen : "+$x $go="psexec \\"+$x+" -u domain01\administrator -p password NET LOCALGROUP administratoren locadmin /ADD" run $go sleep 5 $go="psexec \\"+$x+" -u domain01\administrator -p password NET LOCALGROUP hauptbenutzer domänen-benutzer /ADD" run $go sleep 5 $X= ReadLine(3) LOOP WHILE CLOSE (3)><0 BEEP ? "ERROR CLOSING FILE" Sleep 3 LOOP del "\\srv0017\logs$\needlocal.log" ? "Liste wird in 5 Minuten erneut bearbeitet ..." ELSE ;? "Kann Log-Datei nicht öffnen - Keine Einträge vorhanden" ? "Liste wird in 5 Minuten erneut bearbeitet ..." ENDIF sleep 100 Goto starte I created a global Group "locadmin" with all Persons who are allowed to have local admin rights (e.g. HelpDesk-Users). Then the Batch-File adds this global group to the local admin group, second "benutzer" from Domain are added to local hauptbenutzer (must be something like Mainuser and user in english ...8) )... Script works perfekt in a 2000 Client Domain. PSEXEC can be found with google. Hope this is usefull .... Greetings J.Schröder [ 26. November 2002, 12:08: Message edited by: JSchroeder ]
Top

#28383 - 2002-11-26 02:38 PM Re: Making the current user a local admin
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	To add the "domain\domain admins" group to the local administrators group on a remote workstation: code: grpmaint.exe --add --sam \\computername --name administrators --member "domainname\domain admins" to remove the group member: code: grpmaint.exe --remove --sam \\computername --name administrators --member "domainname\domain admins" You can also feed the program a list of computers. Substitute --SrvFile Filename for --sam \\computername In the file list: quote: \\computer1 \\computer2 \\computer3 [ 26. November 2002, 14:42: Message edited by: Howard Bullock ] _________________________ Home page: http://www.kixhelp.com/hb/
Top

#28384 - 2002-11-27 01:47 PM Re: Making the current user a local admin
BrianK BrianK Getting the hang of it Registered: 2002-10-02 Posts: 90 Loc: Amsterdam, The Netherlands	Thanks Joern, but i think 'll try Hwoards option. Thanks Howard. Brian _________________________ Rodney Dangerfield: “My mother didn't breast-feed me. She said she liked me as a friend.”
Top

Page 2 of 2

2

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

1 registered (Allen) and 1198 anonymous users online.

Newest Members

M_Moore, BeeEm, min_seow, Audio, Hoschi
17883 Registered Users

Generated in 0.17 seconds in which 0.135 seconds were spent on a total of 13 queries. Zlib compression enabled.

click tracking