With that caveat, future methods could use what I suggested in some of these posts with having two scripts. The computer script which adds interactive, and the logon script that removes it and adds the first interactive logged on user or some variant on that if you want it to ignore certain admin users when they are building the machine.
-----Original Message----- From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 6:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin I had to go back and read the thread again, including my original post. I thought I indicated that we discounted the interactive user because we want the owner to be the admin, not just anyone who passes by :) Apparently I did not mention that. There goes my bragging rights. Oh, well...... Like I said, this is all now just an exercise in curiousity. We have since done it the old-school way - sneakernet. Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: [EMAIL PROTECTED] on behalf of Joe Sent: Wed 7/30/2003 2:11 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin Deji, did you read my post by any chance? <grin> "Assuming only the user him/herself would use the machine the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup interactive /add" That would run as localsystem, no worries about determining who the person is, only dependent on whether or not only one person is using the laptop. Otherwise the only option is some sort of advanced script which has to make some other assumptions or a script that reads a table. -----Original Message----- From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 1:59 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :) The idea of the startup script was exhaustively investigated and abandon due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place. <bragging rights> Finally found an interesting puzzle that will likely stump Joe :) </bragging rights> Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: [EMAIL PROTECTED] on behalf of Joe Sent: Wed 7/30/2003 4:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin Restricted groups can be great, say you want to keep schema admins empty all of the time, you set the policy with no one in it and wham it is empty, then someone has to know to add themselves to the policy and to the group, not many hackers would think of that. Ditto but for setting specific members for enterprise admins, domain admins, domain controller admins, etc or if you want very specific admins for all machines on the network. Your particular issue is an interesting one. Assuming only the user him/herself would use the machine the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup interactive /add That doesn't really appeal to the security side of me and really relies on physical security so no one else from the domain could log on to the machine or no bad local regular user accounts existed. Really though I don't recommend users being admins of their machines, usually your TCO goes way up when you do that. Other alternative would be some sort of perl script to do the job with a mapping file... I.E. Who's PC, who gets admins... etc. -----Original Message----- From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, July 30, 2003 2:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin While it is true that the Restricted Group will wipe out the existing members (I still don't understand the practical necessity of this group) and while it is true that you can indeed add a "KNOWN" user/group to any Local group on any domain member using startup/shutdown machine option in GPO, I have a slightly different take on this question: A while ago, I was faced with the unenviable task of making EVERY Laptop user a local admin on his/her Laptop. Yes, we now do this during initial installation of the Laptops. But at the time of this Management request, there were about 650 Laptops in production and they were mostly connected to the domain at least twice a week. Given the fact that I had no way of telling who owns which Laptop or when that person will be connecting to the Domain, I had to fess up to Management that I had no means of accomplishing this task. So, which brings me to the question - how would you guys have tackled this problem, NATIVELY? It's not a quiz, and, no, there's is no beer reward in it ;) It's just for my own education, just in case..... Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: [EMAIL PROTECTED] on behalf of Ayers, Diane Sent: Tue 7/29/2003 9:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin Doink... Your right. I think my hard drive read/write head was stuck on restricted groups... Diane -----Original Message----- From: Joe [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2003 7:25 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin You can do it with a computer start up script GPO option that executes a simple net localgroup command; it will work fine because that script executes as local system. The restricted groups GPO option will definitely overwrite though. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane Sent: Tuesday, July 29, 2003 9:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Local Admin IIRC, the GPO method will over-write the existing membership rather than add the desired member(s). Diane -----Original Message----- From: Kevin Miller [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2003 10:21 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Local Admin you can do that with the GPO ----- Original Message ----- From: "Bond, Simon" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, July 29, 2003 9:30 AM Subject: RE: [ActiveDir] Local Admin > I'd be inclined to run a script on all workstations (perhaps via an > SMS job > or suchlike) which simply included the following: > > net localgroup "Administrators" {domain\group here} /add > > Eg. To add a group such as "ExchangeAdmins" in the "IT" domain to the local > admins group: > > NET LOCALGROUP "Administrators" IT\ExchangeAdmins /add > > > > > -----Original Message----- > From: Kevin Gent [mailto:[EMAIL PROTECTED] > Sent: 25 July 2003 19:49 > To: [EMAIL PROTECTED] > Subject: [ActiveDir] Local Admin > > > How do I add a domain user to the Local station's Administrators Group > across a large population of XP Pro/2000 Pro workstations ? > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > > > This e-mail and all attachments are confidential and may be > privileged. If you have received this e-mail in error, notify the sender immediately. Do not use, disseminate, store or copy it in any way. Statements or opinions in this e-mail or any attachment are those of the author and are not necessarily agreed or authorised by News International (NI). NI Group may monitor emails sent or received for operational or business reasons as permitted by law. NI Group accepts no liability for viruses introduced by this e-mail or attachments. You should employ virus checking software. News International Limited, 1 Virginia St, London E98 1XY, is the holding company for the News International group and is registered in England No 81701 > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
<<attachment: winmail.dat>>
