Local Control

Provide users with local admin access via this nifty script.

Bill: In our environment we set all users to have local admin access to their PC. We manually add the Domain User to the Local Administrators group of the PC they use. Is there a way via a logon script to add the locally logged on user automatically to the local admin group?

I came across the ADDUSERS.exe file, but this requires use of a local admin account and prompts you for a password. I'm looking to be able to have a user log on to their PC via our default domain and, when the logon script runs, to automatically add the user's domain account into the local Administrators group of the PC without any user intervention.

Daniel: I think I have a good solution, but it uses Group Policy Objects so it only works if your clients run Windows 2000 or XP. Here goes:

There's a Security Group Policy called Restricted Groups. This policy allows you to specify the membership of a group on a local machine or in the domain. The policy setting is in Computer Configuration | Windows Settings | Security Settings | Restricted Groups.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

When you test this policy, be sure to create a test GPO and link it to a test OU. You don't want to cause havoc on your desktops during testing if you accidentally overwrite a critical member in a critical local group.

Create the policy setting by right-clicking the Restricted Groups icon and selecting Add Group from the flyout menu. This opens an Add Group window.

Don't click the Browse button. This allows you to browse the domain, but you want to control the membership of a local group. Instead, just type the group name into the field exactly as it appears in the local group listing. For example, to control the membership of the local Administrators group, type "Administrators". (The policy entry is not case-sensitive.)

When you click OK, a Properties window opens. The window has two parts: "Members Of This Group" and "This Group Is A Member Of."

Click Add next to the Members Of This Group field. The Add Member window opens. Click the Browse button and browse for a group called INTERACTIVE. This is a well-known SID representing the user that has logged on at the console of the machine.

Putting the Interactive group into Administrators gives local admin privileges to whoever logs in at the console. Use a bit of caution here, because some applications finesse the local logon feature for network clients. For example, the IUSR account in IIS is given local logon, so you don't want to apply this policy to any machines running IIS or Personal Web Services. To be completely safe, don't link this GPO to any OUs that contain servers.

Because the Restricted Groups policy overwrites the current content of the specified group, you'll need to also add the Domain Admins group and the local Administrator account to this restricted group policy. Don't browse for the Administrator account; just type the word "Administrator" into the Add Member window. Otherwise, you'll add the domain Administrator account and the local Administrator account will not have admin rights.

As soon as you click OK on the list of names, the policy gets written to Sysvol. If you wait for 90 to 120 minutes, the standard background refresh at the clients will pull the policy from Sysvol and the security engine will apply the policy to the local SAM. If you want to hurry up the process for testing, run GPUPDATE at a Windows XP desktop or SECEDIT /refreshpolicy machine_policy at a Windows 2000 desktop. Use the Computer Management console to see the local accounts and groups and verify that the Administrators group has the members you specified.

A final word of caution. Some applications require local administrative access. These apps typically install a member in the local Administrators group. Before you put this Restricted Groups policy into production and overwrite all the current membership entries, you'll want to sweep the Administrators group on your desktops to find any non-standard members. Here's a brief script that obtains a list of member computers in a domain and prints out the membership of the local Administrators group:

Set RootDSE = GetObject("LDAP://RootDSE")
domainDN = RootDSE.Get("DefaultNamingContext")

Set connection = CreateObject("ADODB.Connection")
connection.Provider = "ADsDSOObject"
connection.Open "Active Directory Provider"

Set command = CreateObject("ADODB.Command")
Set command.ActiveConnection = connection
command.Properties("Page Size") = 3000
   'big page size for lots of computers
command.Properties("searchscope") = 2 'search entire domain
command.CommandText = "SELECT AdsPath, cn " & _
   "FROM 'LDAP://" & _
   domainDN & _
   "' WHERE objectcategory = 'computer'"

Set rs = command.Execute

On Error Resume Next
Do Until rs.EOF
   computerFlatName = rs.Fields("cn")
   WScript.Echo _
     "Members of Administrators local group on " & computerFlatName
   'bind to the local group over the WinNT provider; fails if the PC is off
   Set administrators_group = GetObject("WinNT://" & _
     computerFlatName & "/Administrators,group")
   If Err.Number <> 0 Then
      WScript.Echo vbTab & "Computer not available."
   Else
      For Each member In administrators_group.Members
         WScript.Echo vbTab & member.Name
      Next
   End If
   Set administrators_group = Nothing
   Err.Clear
   WScript.Echo vbNewLine
   rs.MoveNext
Loop

You can modify the script to use an OU rather than the entire domain to reduce the network traffic.
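The same sweep, written as an added PowerShell example rather than the column's own script, with two things the paragraph asks for that the VBScript above only hints at: it compares each machine's Administrators membership against the baseline the policy will enforce (Administrator, Domain Admins, INTERACTIVE) and flags anything else as non-standard, and it takes an optional OU distinguished name so you can narrow the search instead of walking the whole domain. It assumes the account running it has administrative rights on the target PCs (the WinNT provider reads the remote SAM), that the machines are reachable, and that the baseline list matches what you put into the Restricted Groups policy; the script name and parameter names are hypothetical.

```powershell
<#
  Audit-LocalAdmins.ps1  (added example; not the column's script)
  Enumerates domain computers via ADSI, reads each PC's local Administrators
  group over the WinNT provider, and flags members outside an expected baseline.
  Assumption: the caller is an administrator on the target machines.
#>
param(
    # Search base: whole domain by default; pass an OU DN to narrow it
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,

    # Members the Restricted Groups policy will leave in place (assumed baseline)
    [string[]]$Baseline = @('Administrator', 'Domain Admins', 'INTERACTIVE')
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = '(objectCategory=computer)'
$searcher.PageSize   = 1000                     # paged results, like "Page Size" above
[void]$searcher.PropertiesToLoad.Add('cn')

foreach ($result in $searcher.FindAll()) {
    $computer = [string]$result.Properties['cn'][0]

    try {
        # Bind to the local group; Invoke('Members') fails if the PC is off or denies us
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
    }
    catch {
        [pscustomobject]@{ Computer = $computer; Member = $null; Status = 'Unreachable' }
        continue
    }

    foreach ($m in $members) {
        # -contains is case-insensitive, matching how the local SAM treats names
        $status = if ($Baseline -contains $m) { 'Expected' } else { 'NON-STANDARD' }
        [pscustomobject]@{ Computer = $computer; Member = $m; Status = $status }
    }
}
```

Run it before linking the GPO to see what the policy would remove, e.g. `.\Audit-LocalAdmins.ps1 -SearchBase 'OU=Desktops,DC=example,DC=com' | Where-Object Status -ne 'Expected' | Export-Csv admins.csv -NoTypeInformation`; run it again after GPUPDATE or the background refresh and the output should contain only Expected rows, which doubles as the verification step described earlier.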

Hope this helps.


Reader Comments:

Mon, Mar 22, 2004 Gilles Anonymous

I'd really like to have this script work. It doesn't. Any help?

Thu, Feb 19, 2004 Michael Schell Seattle

Another thing to keep in mind is that unlike logon and logoff scripts, startup and shutdown scripts DO run with elevated privileges, and can often be used for administrative tasks and software installations that fail under the logged-in user's privilege level. Occasionally you need both elevated privileges and access to user information or a user profile, in which case you need one of the solutions discussed here, but in many cases scripting the task for startup or shutdown works beautifully.

Wed, Oct 29, 2003 Nobloz Anonymous

Find a quick way to reinstall the machine when users do the things they always do.
Give them the local Administrator password, and tell them how they can put themselves in the Admin group.
But we don't want this!!

Thu, Oct 23, 2003 Anonymous Anonymous

For an OU you can create a Group Policy.
Or you can add your users to an Active Directory group and check it with the KiXtart command InGroup("AD Group")

Tue, Oct 21, 2003 Gilleslafond@hotmail.com Anonymous

I need to modify the script to act on an OU only. Can anyone help?

Fri, Oct 17, 2003 Jeffrey Anonymous

Why not just add Interactive to the local Admin Group? You could easily create a script to enumerate the PCs on the LAN, and run adduser to add Interactive.

Wed, Oct 15, 2003 Anonymous Anonymous

The whole idea of this just makes me cringe. You think you're saving yourself trouble by giving all of your users admin rights? Think again. At least Bill's solution gives every user admin privileges only on their own machine. By placing Domain Users in all of the local Admins groups, you are giving every user complete control over every computer, remotely as well as locally!
I wonder what Roberta Bragg would have to say about this.

Wed, Oct 15, 2003 Alex Anonymous

In your logon script use: runas /u:DOMAIN\DOMAINADMIN "CMD /c net localgroup Administrators DOMAIN\%username% /add" | sanur.exe PASSWORD

The Sanur.exe file sends the password to runas. The next time the user logs on, he will be a local administrator. NOTE: Runas is only found in Win2000 or newer. If someone knows something similar in WinNT 4.0, please post.

Wed, Oct 15, 2003 Alex Anonymous

I had the same problem. We had to install the security patches and some users were not Local Administrators.
You can add the Domain user to the local admin group, but it must be configured on each computer.
You can use SU, but you must configure the SU service on the local computer. Again, you must go to all computers.
We now use sanur.exe; let me explain.

Wed, Oct 15, 2003 Thomas P. Olsen Denmark

If you create the OU using a Windows 2000 Professional machine with Administrative Tools installed, you CAN browse for local users and groups.

Wed, Oct 15, 2003 Adrian Richmond, VA

I'm not so sure I'd agree with stomping on the Local Admin membership list just for this. At our site (3600 users), we have a login script that runs with Local Admin privileges using "SU". The password for the referenced account is encoded in an executable somewhere else on the domain. Not perfect, but it gives you the much prettier option of just running "cusrmgr -u %username% -m (backslash-backslash)%computername% -alg Administrators". This command adds whoever is logged on locally to the Local Admin group WITHOUT deleting all of the current members.

Wed, Oct 15, 2003 Anonymous Anonymous

another excellent suggestion.

Wed, Oct 15, 2003 Hal Anonymous

Sorry, I see I did not read the original post closely enough, and you stated you did add the domain users group to the local admins group. Do I now understand correctly that the users you wish to add do not have a domain acct? Which is why adding the domain users group is not sufficient.

Wed, Oct 15, 2003 Hal Anonymous

Why not just put the Domain Users group in the local admins group as you did with the domain admins group?

Wed, Oct 15, 2003 Dennis Ervin Anonymous

Wouldn't the following command work as well and it could be added to a script more easily...

net localgroup "administrators" "nt authority\authenticated users" /add

Wed, Oct 15, 2003 Chrissy Anonymous

We also need to add the local user to their own computer's local administrator's group. We don't like it, but it's the only way to get one of the software packages that we can't live without to run. Since everyone in the organization uses the software, we just add the Domain Users group to the local computer's Administrator's group. Much easier.

Wed, Oct 15, 2003 Anonymous Anonymous

Why would anyone set up their domain like this?! What a major security nightmare!
