  1. #1

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,512
    Thank Post
    1,320
    Thanked 469 Times in 306 Posts
    Blog Entries
    6
    Rep Power
    199

    making staff local administrators

    Am I being thick here - I can't seem to think of a way to do this.

    I want staff to become local administrators of any machine they log into, so that they can have access to installing software on the machine etc.

    Is there a built-in group I can add them to? I'm not really sure how to go about it. I don't want them to be domain administrators, just to have enough privileges on the local machine to install software.

    Is there even maybe a group policy setting I can change?

    RB

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    15,828
    Thank Post
    875
    Thanked 1,675 Times in 1,458 Posts
    Blog Entries
    12
    Rep Power
    444
    What server OS are you running?

    Z

  3. #3
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,196
    Thank Post
    392
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    If you use Server 2003, use Restricted Groups to add the staff to the local admins group. I don't envy you though; every time we've added staff to local admins it's been a disaster. They just can't help but install all manner of rubbish software from all over.

    http://www.windowsecurity.com/articl...ed-Groups.html

  4. Thanks to cookie_monster from:

    RabbieBurns (29th August 2008)

  5. #4

    RabbieBurns's Avatar
    Yeah, it's 2003...

    Thanks cookie_monster, that sounds exactly what I'm looking for.

  6. #5
    cookie_monster's Avatar
    A couple of important points to remember with restricted groups.

    1. To make life simple, add all your staff into one group (I'm sure you already have) then specify that.
    2. It will remove any groups or users that you don't specify, inc. I think the local admin.

    So you need to specify in the 'Members of this group' box

    administrator (Local admin)
    domain\domain admins
    domain\staff users (Your staff users)
    domain\anyone else you want
    Last edited by cookie_monster; 28th August 2008 at 04:19 PM.

  7. Thanks to cookie_monster from:

    RabbieBurns (29th August 2008)

  8. #6

    RabbieBurns's Avatar
    So I would right click on Restricted Groups, and then add a group called local admins or something, and then make the groups you mentioned above members of the local admins group I just created?
    Last edited by RabbieBurns; 28th August 2008 at 04:30 PM.

  9. #7

    Join Date
    Jun 2008
    Posts
    718
    Thank Post
    119
    Thanked 64 Times in 52 Posts
    Rep Power
    31
    I have a vbscript that will give anyone you desire local admin rights upon logging on and at logoff another script that will remove those rights.


    Logon

    Code:
    'continue script if errors are encountered
    On Error Resume Next
    
    'get main objects/variables
    Set ws    = WScript.CreateObject ( "WScript.Shell" )
    compname  = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
    'bind to the local Administrators group on this computer
    Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )
    
    'add the account to the local Administrators group
    adGrp.Add ( "WinNT://everyone,user" )
    
    'handle errors (LogEvent type 1 = error, 0 = success)
    If (Err.Number <> 0) Then
       strError = "AddAdmins.vbs was unable to add the account to the local Administrators group."
       strError = strError & vbCrLf & vbCrLf
       strError = strError & "Error #: " & Err.Number & vbCrLf
       strError = strError & "Source: " & Err.Source & vbCrLf
       strError = strError & "Description: " & Err.Description & vbCrLf
       ws.LogEvent 1, strError
    Else
       ws.LogEvent 0, "The local Administrators group was successfully updated."
    End If



    Logoff



    Code:
    'continue script if errors are encountered
    On Error Resume Next
    
    'get main objects/variables
    Set ws    = WScript.CreateObject ( "WScript.Shell" )
    compname  = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
    'bind to the local Administrators group on this computer
    Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )
    
    'remove the account from the local Administrators group
    adGrp.Remove ( "WinNT://everyone,user" )
    
    'handle errors (LogEvent type 1 = error, 0 = success)
    If (Err.Number <> 0) Then
       strError = "Unable to remove the account from the local Administrators group."
       strError = strError & vbCrLf & vbCrLf
       strError = strError & "Error #: " & Err.Number & vbCrLf
       strError = strError & "Source: " & Err.Source & vbCrLf
       strError = strError & "Description: " & Err.Description & vbCrLf
       ws.LogEvent 1, strError
    Else
       ws.LogEvent 0, "The local Administrators group was successfully updated."
    End If

  10. #8
    cookie_monster's Avatar
    @RabbieBurns: I'm at home now, but from memory you call the group 'administrators' as it is on the local PC, then add your users and groups in there. Apply a GPO to a test OU then put a client in there to test; took me a bit of fiddling the first time.


    @Chuckster: how does that script work? Does it need to run with admin rights to alter membership of the local admin group?

  11. #9

    RabbieBurns's Avatar
    CookieMonster: I've got it set up now. The test user I tried with let me go into Control Panel and uninstall stuff, so I think it has worked?

    Chuckster: Cheers for the scripts, but I think this has worked cookiemonster's way.

  12. #10
    cookie_monster's Avatar
    You can check: if you open Local Users and Groups on a client PC and look in the local admins group, you should see all of the groups that you added in group policy.

  13. Thanks to cookie_monster from:

    RabbieBurns (29th August 2008)
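
The replace behaviour described above for 'Members of this group', together with the membership check suggested afterwards, as an added PowerShell example that is not part of the thread. It models the rule as posted (anything not listed is treated as removed); the function names and the PC01/EXAMPLE account names are hypothetical sample data.

```powershell
# Added example, not from the thread. Account names are constructed sample data.
function Compare-RestrictedGroupMembers {
    param(
        [string[]]$Current  = @(),  # local Administrators members before the GPO applies
        [string[]]$Policy   = @(),  # entries typed into 'Members of this group'
        [string[]]$Required = @()   # accounts you expect to keep admin rights (your choice)
    )
    # -notcontains compares strings case-insensitively, like Windows account names.
    [pscustomobject]@{
        Removed         = @($Current  | Where-Object { $Policy  -notcontains $_ })
        Added           = @($Policy   | Where-Object { $Current -notcontains $_ })
        MissingRequired = @($Required | Where-Object { $Policy  -notcontains $_ })
        Resulting       = @($Policy)  # modelled as posted: the list replaces the membership
    }
}

function Test-AdminGroupDrift {
    param([string[]]$Actual = @(), [string[]]$Policy = @())
    # Once the GPO has applied, any member the policy does not list is drift.
    @($Actual | Where-Object { $Policy -notcontains $_ })
}

# Plan the change before linking the GPO to a test OU.
$before   = 'PC01\Administrator', 'EXAMPLE\Domain Admins', 'PC01\oldtech'
$policy   = 'PC01\Administrator', 'EXAMPLE\Staff Users'
$mustKeep = 'PC01\Administrator', 'EXAMPLE\Domain Admins'
Compare-RestrictedGroupMembers -Current $before -Policy $policy -Required $mustKeep | Format-List

# Verify afterwards. On a live client (PowerShell 5.1+) read the real membership with:
#   $actual = (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$actual = 'PC01\Administrator', 'EXAMPLE\Staff Users', 'PC01\tempadmin'
Test-AdminGroupDrift -Actual $actual -Policy $policy
```

Names must be written in the same form on both sides (COMPUTER\user or DOMAIN\group) for the comparison to match.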

  14. #11

    RabbieBurns's Avatar
    Works great.

    Thanks.

  15. #12

    Join Date
    Aug 2008
    Location
    preston
    Posts
    31
    Thank Post
    10
    Thanked 1 Time in 1 Post
    Rep Power
    0
    By the sounds of things you have already solved the problem, but I will give you an example of what we do in school. On each machine, if you go to Control Panel/Administrative Tools/Computer Management/Local Users and Groups/Groups, at the top you will see Administrators; double click on that, then select Add. You will be able to add any user already registered. Hope this helps if the problem is not already solved. Please let me know if it does, as I am learning I.T. and could do with all the feedback poss. Thanks

    Jay

  16. #13

    Domino's Avatar
    Join Date
    Oct 2006
    Location
    Bromley
    Posts
    4,126
    Thank Post
    215
    Thanked 1,255 Times in 786 Posts
    Blog Entries
    4
    Rep Power
    505
    That would indeed work - but the above methods do not require visiting each machine individually.

    Which is good when you're dealing with upwards of 300 machines in most cases

  17. #14

    RabbieBurns's Avatar
    Originally Posted by jashworth1990
    By the sounds of things you have already solved the problem, but I will give you an example of what we do in school. On each machine, if you go to Control Panel/Administrative Tools/Computer Management/Local Users and Groups/Groups, at the top you will see Administrators; double click on that, then select Add. You will be able to add any user already registered. Hope this helps if the problem is not already solved. Please let me know if it does, as I am learning I.T. and could do with all the feedback poss. Thanks

    Jay
    Thanks for the comment. What cookiemonster's method does is automatically add the user or group of users to that administrators location, so you don't have to visit each computer.

  18. #15

    Ahh yes, that's a point, but we can't do that because some of our teachers are closet techies and don't actually know what they are doing, so break their laptop. But yes, I know where you are coming from.
