Need to create local machine account via batch
the_technocrat
IC-MotY1Indy Icrontian
Hey all,
I have a security group in Active Directory called Tech Group. These are the people at each of the campuses that help me out with technical issues.
I'm trying to find a way to add the Tech Group via startup script to every machine's local user accounts in the domain. The idea here is that no matter who is in the Tech Group in Active Directory, they will be able to log on to any machine on the domain and have local machine administrator rights. Right now, they don't have the permissions to get the job done, and this makes the administrator (me) have to run around (remote desktop) a lot just to log in as myself. For the simple issues they're solving, this is a waste of time, and I'd like to fix it.
I like the idea of adding a group, because I want to be able to add/delete people in the group as needed. I'm not a fan of adding individual people to each machine as local admins, and then having to manage turnover...
I've been looking for a way to do this via batch, so I could just add the batch file to my domain's startup script GPO, and the Tech Group would be added as a local administrators group. I really don't think it's feasible to go around to 400 machines and manually add the Tech Group to each machine with admin rights.
I don't want to make the Tech Group part of the Domain Administrators, I want to limit their admin access to the workstations. I don't need them hopping on a server and doing something crazy...
Anyone done this? I'm sure someone has done the same thing with an 'IS Support Dept' or 'Helpdesk' group...
Comments
add-tech.bat:
where 'DOMAIN' = your domain and 'TechGroup' is the name of the group in AD.
http://www.ss64.com/nt/net_useradmin.html
net localgroup administrators QCH2002 /add
right, that's how to add a user to the local admin group. Let's say you have 10 users that need to be local machine admins, and the 10 are going to turn over every 6 months or so....
if the group is techpeeps
and the domain is SHORTMEDIA:
@ECHO OFF
net localgroup Administrators SHORTMEDIA\techpeeps /add
..and then all you need to do is just manage the group in Active Directory. Workin' Ok for me, thx man
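As an added example (not the poster's script and not from anyone in the thread), a version of that startup script that refuses to run on servers and domain controllers, which addresses the "limit it to workstations" worry, and that is safe to re-run at every boot because it only calls net localgroup /add when the group is not already a member. The domain SHORTMEDIA, the group techpeeps and the log path are assumed names.

```batch
@ECHO OFF
REM Added example, not the thread's script. Assumed: domain SHORTMEDIA, group techpeeps, log in %SystemRoot%\Temp.
SETLOCAL
SET "GROUP=SHORTMEDIA\techpeeps"
SET "LOG=%SystemRoot%\Temp\add-tech.log"

REM ProductType under ProductOptions is WinNT on workstations, ServerNT on servers, LanmanNT on domain
REM controllers. Bail out on anything that is not WinNT so the group never lands in a server's
REM local Administrators even if the GPO is linked too broadly.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | find /I "WinNT" > NUL
IF ERRORLEVEL 1 (
    ECHO %DATE% %TIME% skipped: not a workstation: %COMPUTERNAME% >> "%LOG%"
    ENDLOCAL
    EXIT /B 0
)

REM Idempotency check: the group is listed as DOMAIN\name in the member list, so a case-insensitive
REM find on the full name tells us whether the add has already happened on an earlier boot.
net localgroup Administrators | find /I "%GROUP%" > NUL
IF NOT ERRORLEVEL 1 (
    ECHO %DATE% %TIME% already present on %COMPUTERNAME% >> "%LOG%"
    ENDLOCAL
    EXIT /B 0
)

REM Startup scripts run as SYSTEM, so the add itself needs no extra credentials.
net localgroup Administrators "%GROUP%" /add
IF ERRORLEVEL 1 (
    ECHO %DATE% %TIME% FAILED to add %GROUP% on %COMPUTERNAME% >> "%LOG%"
    ENDLOCAL
    EXIT /B 1
)
ECHO %DATE% %TIME% added %GROUP% on %COMPUTERNAME% >> "%LOG%"
ENDLOCAL
EXIT /B 0
```

The log gives you a per-machine record of which boxes picked the group up and which did not, which is the first thing you will want when one campus reports that a tech still cannot log in.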