WHS: Domain user to make local admin

This topic is 14 years and 5 months old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.
Locked
Post by faisal7977 »

Some "Domain Users" in my company require administrative privileges when they log on to ANY workstation.
To add these users to the "Administrators" group of the target workstation, I found the following script and added it to the user logon script. When the script executed, it had no effect, but when I executed this script from the local administrator's account, it worked.

Dim LocalComputer, UserName, DomainName, group

LocalComputer = "Workstation1001"
DomainName = "RedSpot"
UserName = "James"

' Bind to the local Administrators group of the target workstation
Set group = GetObject("WinNT://" & LocalComputer & "/Administrators,group")
' Add the domain account to that group (the caller must already be an administrator)
group.Add "WinNT://" & DomainName & "/" & UserName

Let's forget the script for a while. The key point is:
No "Domain User" can add himself to the local "Administrators" group.

Is there any way this script can be executed as the local Administrator while the logged-on account remains a normal Domain User account?
Post by Gyorgy Nemesmagasi »

You can use PrimalScript's Script Packager to create an exe file from your script. This exe file runs the script with the pre-defined user account.
Post by faisal7977 »

Any other solution?
Post by faisal7977 »

Can I push it through Group Policy?
Post by faisal7977 »

I am a member of Domain Admins, so I have no problem. When I log on to any workstation, I can install software, modify TCP/IP settings, etc. There are two system admins in our company. I don't want them to be members of the Domain Admins group, but I want them to install software on workstations, join/disjoin the domain, change IP settings... admin privileges whenever they log on to any workstation using their domain account. Right now what is happening is that these two guys add themselves to the local admin group by logging on to the target workstation, and then they log on with their domain account, because there is an application for those users which requires a domain account to be logged on and also admin privileges. Got it?
Post by Gyorgy Nemesmagasi »

The only thing GPO supports is running msi files with admin rights, but that causes more problems: you need to wrap the script in an msi, and all msi files will run with admin rights. Not such a good solution.
It's better to add an AD group instead of single users to the Administrators group.
- Create a group in AD.
- Add the users who need local admin rights to this group.
- Add this AD group to the local Administrators group on all computers via script.

You can populate the script via SMS, Marimba or another electronic software distribution system; all of them allow running a program as a special local admin user. If you don't have this kind of tool and you don't want to use any commercial software to wrap the script, you can enumerate the computers from time to time and add the missing group via script remotely with a domain admin user.
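
The periodic "enumerate the computers and add the missing group" approach from the reply above, as an added example that is not code from the thread. The AD group name `WorkstationAdmins` and the second computer name are hypothetical placeholders, and the script is assumed to run under an account that already has administrative rights on the targets.

```vbscript
Option Explicit

' Assumptions (not from the original thread): ADMIN_GROUP and the second
' computer name are placeholders; run as an account with admin rights on targets.
Const DOMAIN_NAME = "RedSpot"            ' domain name used in the thread
Const ADMIN_GROUP = "WorkstationAdmins"  ' hypothetical AD group

Dim computers, computer
computers = Array("Workstation1001", "Workstation1002") ' constructed list

For Each computer In computers
    WScript.Echo computer & ": " & EnsureGroupIsLocalAdmin(computer)
Next

' Adds DOMAIN_NAME\ADMIN_GROUP to the local Administrators group of one
' computer if it is missing. Returns a short status string for logging.
Function EnsureGroupIsLocalAdmin(computerName)
    Dim localGroup, memberPath, alreadyMember
    memberPath = "WinNT://" & DOMAIN_NAME & "/" & ADMIN_GROUP

    On Error Resume Next
    Set localGroup = GetObject("WinNT://" & computerName & "/Administrators,group")
    If Err.Number <> 0 Then
        EnsureGroupIsLocalAdmin = "unreachable or access denied (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    ' Check first so repeated runs do not raise "already a member" errors
    alreadyMember = localGroup.IsMember(memberPath)
    If Err.Number <> 0 Then
        EnsureGroupIsLocalAdmin = "membership check failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    If alreadyMember Then
        EnsureGroupIsLocalAdmin = "already present"
        Exit Function
    End If

    localGroup.Add memberPath
    If Err.Number = 0 Then
        EnsureGroupIsLocalAdmin = "added"
    Else
        EnsureGroupIsLocalAdmin = "add failed (0x" & Hex(Err.Number) & ")"
    End If
End Function
```

Because membership is granted to one AD group rather than to individual accounts, removing a user from that group revokes the local admin right on every workstation at once. On non-English Windows installations the built-in Administrators group may have a localized name.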