RE: [ActiveDir] Local Admin

Wed, 30 Jul 2003 13:45:56 -0700

Title: Message
What if you use MS's Script Encoder (see http://msdn.microsoft.com/library/default.asp?url="">) to hide the temporary admin password and use "runas"??
 
That way the user could have the script run at startup and it would not have to run in the context of the logged-in user.
 
The giant caveat is the hackability of the encoder.  From MS web page "Note that this encoding only prevents casual viewing of your code; it will not prevent the determined hacker from seeing what you've done and how."
 
Not the best solution but may be "a" solution....
 
-Stuart
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)
 
The idea of the startup script was exhaustively investigated and abandon due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place.
 
<bragging rights>
Finally found an interesting puzzle that will likely stump Joe :)
</bragging rights>
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Restricted groups can be great, say you want to keep schema admins empty all of the time, you set the policy with no one in it and wham it is empty, then someone has to know to add themselves to the policy and to the group, not many hackers would think of that. Ditto but for setting specific members for enterprise admins, domain admins, domain controller admins, etc or if you want very specific admins for all machines on the network.
 
Your particular issue is an interesting one. Assuming only the user him/herself would use the machine the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup interactive /add
 
That doesn't really appeal to the security side of me and really relies on physical security so no one else from the domain could log on to the machine or no bad local regular user accounts existed. Really though I don't recommend users being admins of their machines, usually your TCO goes way up when you do that.
 
Other alternative would be some sort of perl script to do the job with a mapping file... I.E. Who's PC, who gets admins... etc.
 
-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 2:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

While it is true that the Restricted Group will wipe out the existing members (I still don't understand the practical necessity of this group) and while it is true that you can indeed add a "KNOWN" user/group to any Local group on any domain member using startup/shutdown machine option in GPO, I have a slightly different take on this question:
 
A while ago, I was faced with the unenviable task of making EVERY Laptop user a local admin on his/her Laptop. Yes, we now do this during initial installation of the Laptops. But at the time of this Management request, there were about 650 Laptops in production and they were mostly connected to the domain at least twice a week.
 
Given the fact that I had no way of telling who owns which Laptop or when that person will be connecting to the Domain, I had to fess up to Management that I had no means of accomplishing this task. So, which brings me to the question - how would you guys have tackled this problem, NATIVELY?
 
It's not a quiz, and, no, there's is no beer reward in it ;) It's just for my own education, just in case.....
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Ayers, Diane
Sent: Tue 7/29/2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Doink...

Your right.  I think my hard drive read/write head was stuck on restricted groups...

Diane

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 29, 2003 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


You can do it with a computer start up script GPO option that executes a
simple net localgroup command; it will work fine because that script
executes as local system. The restricted groups GPO option will
definitely overwrite though.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Tuesday, July 29, 2003 9:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


IIRC, the GPO method will over-write the existing membership rather than
add the desired member(s).

Diane

-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 29, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Local Admin


you can do that with the GPO
----- Original Message -----
From: "Bond, Simon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 29, 2003 9:30 AM
Subject: RE: [ActiveDir] Local Admin


> I'd be inclined to run a script on all workstations (perhaps via an
> SMS
job
> or suchlike) which simply included the following:
>
> net localgroup "Administrators" {domain\group here} /add
>
> Eg. To add a group such as "ExchangeAdmins" in the "IT" domain to the
local
> admins group:
>
> NET LOCALGROUP "Administrators" IT\ExchangeAdmins /add
>
>
>
>
> -----Original Message-----
> From: Kevin Gent [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2003 19:49
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin
>
>
> How do I add a domain user to the Local station's Administrators Group

> across a large population of XP Pro/2000 Pro workstations ?
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
>
> This e-mail and all attachments are confidential and may be
> privileged. If
you have received this e-mail in error, notify the sender immediately.
Do not use, disseminate, store or copy it in any way. Statements or
opinions in this e-mail or any attachment are those of the author and
are not necessarily agreed or authorised by News International (NI). NI
Group may monitor emails sent or received for operational or business
reasons as permitted by law. NI Group accepts no liability for viruses
introduced by this e-mail or attachments. You should employ virus
checking software. News International Limited, 1 Virginia St, London E98
1XY, is the holding company for the News International group and is
registered in England No 81701
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to