making staff local administrators

[RabbieBurns]

Am I being thick here - I cant seem to think of a way to do this.

I want staff to become local administrators of any machine they log into, so that they can have access to installing software on the machine etc.

Is there a builtin group I can add them to? Im not really sure how to go about it. I dont want them to be domain administrators, just to have enough privelages on the local machine to install software..

Is there even maybe a group policy setting I can change?

RB

[FN-GM]

What server OS are you running?

Z

[cookie_monster]

If you use server 2003 use restricted groups to add the staff to the local admins group. I don't envy you though every time we've added staff to local admins it's been a disaster they just can't help but install all manner of rubbish software from all over.

http://www.windowsecurity.com/articl...ed-Groups.html

[RabbieBurns]

yeh its 2003...

thanks cookie_monster that sounds exactly what Im looking for

[cookie_monster]

A couple of important points to remember with restricted groups.

1. To make life simple add all your staff into one group (i'm sure you already have) then specify that.
2. It will remove any groups or users that you don't specify, inc i think the local admin.

So you need to specify in the 'Members of this group' box

administrator (Local admin)
domain\domain admins
domain\staff users (Your staff users)
domain\anyone else you want

[RabbieBurns]

So I would right click on restrcited groups, and then add group called local admins or something, and then make the groups you mentioned above members of the local admins group I just created?

[Chuckster]

I have a vbscript that will give anyone you desire local admin rights upon logging on and at logoff another script that will remove those rights.


Logon

Code:

'continue script if errors are encountered
On Error Resume Next

'get main objects/variables
Set ws    = WScript.CreateObject ( "WScript.Shell" )
compname  = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
adGrp.Add ( "WinNT://everyone,user" )

'handle errors
If (Err.Number <> 0) Then
   strError = "AddAdmins.vbs was unable to add Client Services and Help Center to the local Administrators group."
   strError = strError & vbCrLf & vbCrLf
   strError = strError & "Error #: " & Err.Number & vbCrLf
   strError = strError & "Source: " & Err.Source & vbCrLf
   strError = strError & "Description: " & Err.Description & vbCrLf
   ws.LogEvent 1, strError
Else
   ws.LogEvent 0, "The local Administrators group was successfully updated."
End If

Logoff

Code:

'continue script if errors are encountered
On Error Resume Next

'get main objects/variables
Set ws    = WScript.CreateObject ( "WScript.Shell" )
compname  = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
adGrp.Remove ( "WinNT://everyone,user" )

'handle errors
If (Err.Number <> 0) Then
   strError = "AddAdmins.vbs was unable to add Client Services and Help Center to the local Administrators group."
   strError = strError & vbCrLf & vbCrLf
   strError = strError & "Error #: " & Err.Number & vbCrLf
   strError = strError & "Source: " & Err.Source & vbCrLf
   strError = strError & "Description: " & Err.Description & vbCrLf
   ws.LogEvent 1, strError
Else
   ws.LogEvent 0, "The local Administrators group was successfully updated."
End If

[cookie_monster]

@RabbieBurns: i'm at home now but from memory you call the group 'administrators' as it is on the local pc then add your users and groups in there. Apply a GPO to a test OU then put a client in there to test, took me a bit of fiddling the first time.


@Chuckster: how does that script work does it need to run with admin rights to alter membership of the local admin group?

[RabbieBurns]

CookieMonster: Ive got it set up now.. the test user I tried with let me go into control panel and uninstall stuff so I think it has worked?

Chuckster: Cheers for the scripts, but I think this has worked cookiemonsters way

[cookie_monster]

You can check if you open local users and groups on a client PC and look in the local admins groups you should see all of the groups that you added in group policy.

[RabbieBurns]

Works great.

Thanks.

[jashworth1990]

by the sounds of things you have already solved the problem but i will give you and example of what we do in school, on each machine if you go to control pannel/administrative tool/computer managment/local users and groups/group and at the top you will see administrators, double click on that then select add. you will be able to add any user all readyy registered. hope this helps if the problem is not already solved. please let me know if it does as i am learning I.t. and could do with all the feedback poss thanks

Jay

[Domino]

That would indeed work - but the above methods do not require visiting each machine individually.

Which is good when you're dealing with upwards of 300 machines in most cases

[RabbieBurns]

Quote:

Originally Posted by jashworth1990

by the sounds of things you have already solved the problem but i will give you and example of what we do in school, on each machine if you go to control pannel/administrative tool/computer managment/local users and groups/group and at the top you will see administrators, double click on that then select add. you will be able to add any user all readyy registered. hope this helps if the problem is not already solved. please let me know if it does as i am learning I.t. and could do with all the feedback poss thanks

Jay

Thanks for the comment. What cookiemonsters method does is automatically add the user or group of users to that administrators location, so you don't have to visit each computer.

[jashworth1990]

ahh yes thats a point but we cant do that because soem of our teachers are closet techies and dont acctually know what they aredoing so break there laptop. but yes i know where you aere coming from