Title: Message

Not that I don’t believe it, I tried it right after he sent it…  I was just marveling in all its simplicity :).   I really expected to have to do a lot more than write a 3 to 4 line batch file, that’s all.

Thanks for all the help…  Sorry about thread jacking.

Thanks,

Raymond McClinnis - MCSE

Network Administrator

Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Friday, August 01, 2003 9:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Raymond,

Make no mistake - it works quite well.  I have it implemented in a number of GPO based scripts for managing such issues as removing users from local groups.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond McClinnis
Sent: Friday, August 01, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Thank You Joe!  Although that seems FAR too easy :)

Thanks,

Raymond McClinnis - MCSE

Network Administrator

Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Friday, August 01, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

You can use either a computer startup script or a logon script. Simply have in the script:

net localgroup administrators "domain users" /delete >nul
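A fuller version of the same startup-script idea, as an added example that is not from the thread or from Joe: a PowerShell computer startup script (the GPO runs it as LOCAL SYSTEM, which is why it has the rights to edit local group membership) that removes Domain Users from the local Administrators group only when the group is actually present, and writes an Application-log event for every change or failure. The `>nul` in the one-liner above throws away the only evidence of which machines were cleaned up and which were not; logging keeps it. Assumptions: the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later), the placeholder NetBIOS domain name CONTOSO, the hypothetical event source name LocalAdminCleanup, and English net.exe output for the fallback path.

```powershell
# Added example, not the thread's own script: GPO computer startup script (runs as
# LOCAL SYSTEM) that removes a broad domain group from local Administrators and
# logs what it did. Assumptions: Microsoft.PowerShell.LocalAccounts module
# (Windows 10 / Server 2016+); CONTOSO and LocalAdminCleanup are placeholders.

$Domain      = 'CONTOSO'                     # placeholder NetBIOS domain name
$Group       = 'Administrators'
$Unwanted    = @("$Domain\Domain Users")      # groups that must never be local admins
$EventSource = 'LocalAdminCleanup'            # hypothetical event source name

# Register the event source once so every change lands in the Application log;
# SYSTEM has the rights to do this, an ordinary user logon script would not.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

function Write-Audit {
    param([string]$Message, [int]$EventId = 1000, [string]$EntryType = 'Information')
    Write-EventLog -LogName Application -Source $EventSource -EventId $EventId `
                   -EntryType $EntryType -Message "$env:COMPUTERNAME: $Message"
}

function Get-CurrentMembers {
    # Returns the member names of $Group as plain strings.
    try {
        return @(Get-LocalGroupMember -Group $Group -ErrorAction Stop | ForEach-Object Name)
    } catch {
        # Get-LocalGroupMember is known to fail when the group contains an orphaned
        # SID (an account deleted from the domain); fall back to parsing net.exe.
        Write-Audit -Message "Get-LocalGroupMember failed ($_); parsing 'net localgroup' instead." -EventId 1002 -EntryType Warning
        $lines = net localgroup $Group | Select-Object -Skip 6     # header is 6 lines (English net.exe)
        return @($lines | Where-Object { $_ -and $_ -notmatch '^The command completed' } | ForEach-Object { $_.Trim() })
    }
}

$members = Get-CurrentMembers
foreach ($target in $Unwanted) {
    if ($members -notcontains $target) {
        continue                                   # idempotent: already clean on this machine
    }
    try {
        Remove-LocalGroupMember -Group $Group -Member $target -ErrorAction Stop
        Write-Audit -Message "Removed '$target' from local $Group."
    } catch {
        # Unlike 'net localgroup ... /delete >nul', a failure here is recorded, not discarded.
        Write-Audit -Message "Failed to remove '$target' from $Group: $_" -EventId 1001 -EntryType Error
    }
}
```

Because the script only acts when the unwanted group is present, it is safe to leave linked to the GPO permanently: machines that were already cleaned up, or that were never affected, produce no events, and the Application log on each machine (or a collector pulling event source LocalAdminCleanup) shows exactly where the removal happened or failed.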

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond McClinnis
Sent: Friday, August 01, 2003 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

As I’ve been reading this something else came to mind, is there any way to do the opposite…

A majority of newly deployed computers (100 or so) were deployed with DOMAIN USERS in the Local Admins group (Don’t ask, I’m not sure) and now I need to remove them.  Any thought on how I can do this without going to every desktop?  As I don’t want to Hijack this thread, I’ll be happy to take this off line.  Thanks in advance for any help.

Thanks,

Raymond McClinnis

Network Administrator

Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Thursday, July 31, 2003 8:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

By default, the Domain Administrator is a recovery agent, not the local admin.  However, even the Domain Administrator can be removed as a recovery agent.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Not up on EFS as I use PGP but can't the local admin recover the data if he/she/it wants to? And if so, it isn't really very safe.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Wednesday, July 30, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

> Means anyone who gets their hands on the machine is pretty much golden.

Yeah, I think I'd subscribe a HEAVY dose of EFS for that company critical data because it's a minute away from being 'not yours anymore'.

:-/

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Wednesday, July 30, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Local Admin

Means anyone who gets their hands on the machine is pretty much golden.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 30, 2003 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

What about adding the NT Authority\Interactive account to the local Administrators group? That should give the currently logged-on user administrator privileges without having to explicitly name the user in the Administrators group.

Malcolm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 30, 2003 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)

The idea of the startup script was exhaustively investigated and abandoned due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place.

<bragging rights>

Finally found an interesting puzzle that will likely stump Joe :)

</bragging rights>

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
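The sticking point above is that a startup script runs before anyone logs on, so it cannot discover the owner; the mapping-file alternative Joe raises in the quoted message below sidesteps that by telling the script who owns each machine. The following is an added example, not code from the thread or from any of its posters: a PowerShell computer startup script (run as LOCAL SYSTEM by the GPO) that looks the machine up in a central owners CSV and adds only that owner to local Administrators, idempotently. Since the script runs as SYSTEM and does whatever the file says, the file's ACL becomes part of the trust boundary, so the script checks it first and refuses to act if anyone outside a short trusted list can write to it. Assumptions: the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the share path, the CSV columns, the trusted-writer list and the CONTOSO domain name are all placeholders.

```powershell
# Added example, not code from the thread: GPO computer startup script (LOCAL SYSTEM)
# that grants local admin to the machine's assigned owner from a central mapping
# file instead of to NT AUTHORITY\INTERACTIVE. Assumptions: Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016+); share path, CSV columns and CONTOSO are placeholders.

$MappingPath    = '\\fileserver\admin-config$\laptop-owners.csv'   # placeholder UNC path
$Group          = 'Administrators'
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Domain Admins')

# Constructed sample of the mapping file (one row per laptop):
#   ComputerName,Owner
#   LT-0001,CONTOSO\jdoe
#   LT-0002,CONTOSO\asmith

# The script runs as SYSTEM and acts on whatever the file says, so the file's ACL
# is part of the trust boundary: if anyone outside $TrustedWriters can write it,
# refuse to proceed rather than let a file edit hand out local admin on every laptop.
function Test-MappingFileAcl {
    param([string]$Path)
    $writeBit = [System.Security.AccessControl.FileSystemRights]::Write
    $rogue = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeBit) -ne 0) -and
        ($_.IdentityReference.Value -notin $TrustedWriters)
    }
    if ($rogue) {
        Write-Warning "Mapping file writable by: $($rogue.IdentityReference.Value -join ', ')"
        return $false
    }
    return $true
}

if (-not (Test-MappingFileAcl -Path $MappingPath)) { exit 1 }

$entry = Import-Csv -Path $MappingPath |
    Where-Object { $_.ComputerName -eq $env:COMPUTERNAME } |
    Select-Object -First 1
if (-not $entry) {
    Write-Output "No owner mapped for $env:COMPUTERNAME; $Group left unchanged."
    exit 0
}

$current = @(Get-LocalGroupMember -Group $Group | ForEach-Object Name)
if ($current -contains $entry.Owner) {
    Write-Output "$($entry.Owner) is already in $Group."
} else {
    Add-LocalGroupMember -Group $Group -Member $entry.Owner
    Write-Output "Added $($entry.Owner) to $Group on $env:COMPUTERNAME."
}
```

The ACL check only looks at Allow entries, so a Deny entry that actually blocks writing will still cause a refusal; that errs on the side of not applying, which is the right failure mode for a script that hands out administrator rights. Machines with no row in the file are left alone rather than given a default, so a typo in the computer name fails closed.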

From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Restricted groups can be great, say you want to keep schema admins empty all of the time, you set the policy with no one in it and wham it is empty, then someone has to know to add themselves to the policy and to the group, not many hackers would think of that. Ditto but for setting specific members for enterprise admins, domain admins, domain controller admins, etc or if you want very specific admins for all machines on the network.

Your particular issue is an interesting one. Assuming only the user him/herself would use the machine the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup interactive /add

That doesn't really appeal to the security side of me and really relies on physical security so no one else from the domain could log on to the machine or no bad local regular user accounts existed. Really though I don't recommend users being admins of their machines, usually your TCO goes way up when you do that.

Other alternative would be some sort of perl script to do the job with a mapping file... I.E. Who's PC, who gets admins... etc.
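The reservation Joe states about the interactive-group trick, and Malcolm's NT Authority\Interactive suggestion earlier in the thread, are straightforward to check for after the fact. The following audit script is an added example, not code from the thread or from any of its posters: it enumerates the local Administrators group and flags any member that grants admin rights to a whole population rather than to named administrators: well-known broad SIDs such as NT AUTHORITY\INTERACTIVE (S-1-5-4, every account that logs on at the console) and Authenticated Users, and domain-wide groups recognised by their RID (Domain Users is RID 513 in every domain). Assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later) and administrative rights on the machine being audited.

```powershell
# Added example, not code from the thread: audit the local Administrators group for
# members that make "everyone" an admin. Assumptions: Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016+), run with administrative rights.

# Well-known SIDs that stand for whole populations of logons, not named admins.
# Adding NT AUTHORITY\INTERACTIVE (S-1-5-4) as suggested in the thread makes any
# account that logs on at the console, local or domain, an administrator.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Domain RIDs that identify domain-wide groups (every domain SID ends in its RID).
$BroadDomainRids = @{
    513 = 'Domain Users'
    515 = 'Domain Computers'
}

function Get-LocalAdminFindings {
    param([string]$Group = 'Administrators')
    $findings = @()
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    } catch {
        # Enumeration failing is itself a finding: on some builds the cmdlet throws
        # when the group holds an orphaned SID left behind by a deleted account.
        return @([pscustomobject]@{ Member = '<unknown>'; Sid = ''; Reason = "enumeration failed: $_" })
    }
    foreach ($m in $members) {
        $sid = $m.SID.Value
        if ($BroadSids.ContainsKey($sid)) {
            $findings += [pscustomobject]@{ Member = $m.Name; Sid = $sid; Reason = "well-known broad principal ($($BroadSids[$sid]))" }
        } elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and $BroadDomainRids.ContainsKey([int]$Matches[1])) {
            $findings += [pscustomobject]@{ Member = $m.Name; Sid = $sid; Reason = "domain-wide group ($($BroadDomainRids[[int]$Matches[1]]), RID $($Matches[1]))" }
        }
    }
    return $findings
}

$result = Get-LocalAdminFindings
if ($result) {
    $result | Format-Table -AutoSize
    exit 1      # non-zero exit so a scheduled task or compliance check can flag the machine
}
Write-Output "$env:COMPUTERNAME: local Administrators contains no broad principals."
```

Matching on SIDs rather than display names is deliberate: the name of Domain Users or INTERACTIVE varies with the OS language and the domain's NetBIOS name, but the RID and the well-known SID do not, so the same script gives the same answer on every workstation in the fleet.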

-----Original Message-----
From: deji Agba [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 2:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

While it is true that the Restricted Group will wipe out the existing members (I still don't understand the practical necessity of this group) and while it is true that you can indeed add a "KNOWN" user/group to any Local group on any domain member using startup/shutdown machine option in GPO, I have a slightly different take on this question:

A while ago, I was faced with the unenviable task of making EVERY Laptop user a local admin on his/her Laptop. Yes, we now do this during initial installation of the Laptops. But at the time of this Management request, there were about 650 Laptops in production and they were mostly connected to the domain at least twice a week.

Given the fact that I had no way of telling who owns which Laptop or when that person will be connecting to the Domain, I had to fess up to Management that I had no means of accomplishing this task. So, which brings me to the question - how would you guys have tackled this problem, NATIVELY?

It's not a quiz, and, no, there's no beer reward in it ;) It's just for my own education, just in case.....

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Ayers, Diane
Sent: Tue 7/29/2003 9:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Doink...

You're right.  I think my hard drive read/write head was stuck on restricted groups...

Diane

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 29, 2003 7:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


You can do it with a computer start up script GPO option that executes a
simple net localgroup command; it will work fine because that script
executes as local system. The restricted groups GPO option will
definitely overwrite though.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ayers, Diane
Sent: Tuesday, July 29, 2003 9:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin


IIRC, the GPO method will over-write the existing membership rather than
add the desired member(s).

Diane

-----Original Message-----
From: Kevin Miller [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 29, 2003 10:21 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Local Admin


you can do that with the GPO
----- Original Message -----
From: "Bond, Simon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 29, 2003 9:30 AM
Subject: RE: [ActiveDir] Local Admin


> I'd be inclined to run a script on all workstations (perhaps via an SMS
> job or suchlike) which simply included the following:
>
> net localgroup "Administrators" {domain\group here} /add
>
> Eg. To add a group such as "ExchangeAdmins" in the "IT" domain to the
> local admins group:
>
> NET LOCALGROUP "Administrators" IT\ExchangeAdmins /add
>
>
>
>
> -----Original Message-----
> From: Kevin Gent [mailto:[EMAIL PROTECTED]]
> Sent: 25 July 2003 19:49
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Local Admin
>
>
> How do I add a domain user to the Local station's Administrators Group
> across a large population of XP Pro/2000 Pro workstations ?
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
