I have a Windows 2003 AD domain in native mode.

I would like to add the logged-in user to the local admin group during the
logon process. In other words, whoever logs on to his/her workstation should
automatically be added to the local admin on that workstation.

I have something like this, but it is not working for me (it errors in line
7):

Const ADS_SECURE_AUTHENTICATION = &H1
Set oNet = CreateObject("WScript.Network")
strGroup = "WinNT://" & oNet.ComputerName & "/Administrators,Group"

' BEGIN CALLOUT A
Set oProvider = GetObject("WinNT:")
Set oGroup = oProvider.OpenDSObject(strGroup, _
oNet.ComputerName & "\Administrator", _
"Password", ADS_SECURE_AUTHENTICATION)
' END CALLOUT A

oGroup.Add "WinNT://" & oNet.UserDomain & "/" & oNet.UserName

I would like to drop the VB script in the netlogon share so everyone who
logs in gets into the local admin group on that PC.

Can someone help PLEASE.

Pluto

Re: Add the logged in user to the local admin group during logon proces by VS

VS
Thu Nov 09 17:38:12 CST 2006

Pluto wrote:
> I have a Windows 2003 AD domain in native mode.
>
> I would like to add the logged-in user to the local admin group during the
> logon process. In other words, whoever logs on to his/her workstation should
> automatically be added to the local admin on that workstation.

I can't imagine why you would want everyone to have local admin access!

How is a process that runs with user access privileges ever going to do
something that requires administrative access in the first place!

If you really must have this, then as an Administrator add the 'Domain
Users' group to the local Admin group on each client.

--
VS

Re: Add the logged in user to the local admin group during logon pr by Pluto

Pluto
Fri Nov 10 03:17:01 CST 2006

Hi VS,

Thanks for your response.

The problem I have is that Domain Users ARE part of the local admin, which
is a BIG hole. This was something my predecessor implemented because one of
the applications running on the users' desktop requires local admin. The whole
point is to restrict that by adding only owners of that workstation to the
local admin group. Btw, users only log into their own workstation so there is
no risk of having somebody logging on to someone else's workstation.

Any help would be greatly appreciated.

PLuto


Re: Add the logged in user to the local admin group during logon pr by VS

VS
Fri Nov 10 16:39:50 CST 2006

Pluto wrote:
> The problem I have is that Domain Users ARE part of the local admin, which
> is a BIG hole. This was something my predecessor implemented because one of
> the applications running on the users' desktop requires local admin. The whole
> point is to restrict that by adding only owners of that workstation to the
> local admin group. Btw, users only log into their own workstation so there is
> no risk of having somebody logging on to someone else's workstation.

If it's just one workstation and a very limited number of known users, then
why not just add them manually to that workstation's local administrators
group?

If the same application is on several workstations, and/or the people
requiring access change more than a few times a year, or if there are a
large number of users, then better still is to create another Domain
group with a suitable name, add the appropriate users to that group, then
add the group to the local admins group. This way you only need to change
the membership of the group when a new account is created or when
someone else needs access.

I'd probably give the group a name that matches the application (i.e.
ABCD App Users) and perhaps change the access permissions for the
application's folder/files (on the workstation) so that only members of
that group are even allowed access to the application (and even the
start menu items for the application if you want to go that far).

I work for a large organisation that uses this technique to restrict
access to almost every available locally installed application (as well
as served applications), as that then provides some control over how
many users have access and hence how many licences are required for each
application.

--
VS

Re: Add the logged in user to the local admin group during logon pr by billy

billy
Sun Nov 12 20:18:47 CST 2006

For Windows XP and 2003, there is a special account called
"Interactive" that is shorthand for "the account that is physically
sitting at my keyboard".

Go to the local group "Administrators" and add the local special
account "Interactive".
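
An added example, not part of any post in this thread: a read-only PowerShell check that enumerates the local Administrators group through the same WinNT provider the original script uses and flags the broad principals discussed above (Domain Users, INTERACTIVE and similar) by well-known SID. The function names, the EXAMPLE domain, the PC01 host and the sample SIDs are constructed for illustration.

```powershell
# Added example: flag broad principals in the local Administrators group.
# Well-known SIDs that turn "whoever can log on" into a local administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-BroadPrincipalName {
    param([Parameter(Mandatory = $true)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is always <domain SID>-513, whatever the domain.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Get-LocalAdminMember {
    # Read-only enumeration via the WinNT ADSI provider.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $t = $m.GetType()
        $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Path = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
            Sid  = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
}

function Find-BroadLocalAdmin {
    # Returns only the members whose SID matches a broad principal.
    param([Parameter(Mandatory = $true)][object[]]$Member)
    foreach ($m in $Member) {
        $name = Get-BroadPrincipalName -Sid $m.Sid
        if ($name) { [pscustomobject]@{ Path = $m.Path; Sid = $m.Sid; Broad = $name } }
    }
}

# Constructed sample membership (names and SIDs are made up) so the check runs offline.
$sample = @(
    [pscustomobject]@{ Path = 'WinNT://PC01/Administrator';       Sid = 'S-1-5-21-1111-2222-3333-500' }
    [pscustomobject]@{ Path = 'WinNT://EXAMPLE/Domain Users';     Sid = 'S-1-5-21-4444-5555-6666-513' }
    [pscustomobject]@{ Path = 'WinNT://EXAMPLE/ABCD App Users';   Sid = 'S-1-5-21-4444-5555-6666-1105' }
    [pscustomobject]@{ Path = 'WinNT://NT AUTHORITY/INTERACTIVE'; Sid = 'S-1-5-4' }
)
Find-BroadLocalAdmin -Member $sample | Format-Table -AutoSize
# On a real workstation: Find-BroadLocalAdmin -Member (Get-LocalAdminMember)
```

A dedicated, named domain group such as the "ABCD App Users" group suggested earlier in the thread passes this check, because its membership is an explicit list rather than everyone who can log on.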