I need to use a GPO or script to ...

Billzie7718

Senior member
Sep 2, 2005
649
0
0
I have heard before that, during a domain logon, you can have the name of the user that is currently logging on dropped into the local admin group. It then pulls them back out when they log off. It was either through GPO or VB script. Has anyone else done this?
 

Billzie7718

Bump.

There must be someone doing this out there. Is everyone just adding "Domain Users" and calling it done? Does no one have a problem with EVERY domain user having FULL access to every other machine on the domain?
 

KB

Diamond Member
Nov 8, 1999
5,401
386
126
A login script that runs as the current user won't be able to add the current user to the Admin group because they won't have Admin rights to do the adding. So I know of no script to do it.

I have used the directions from the link you provided to add custom groups to the local administrators group. Although I prefer to let only IT be local administrators: what is the problem of having every domain user having full rights to every other machine on the domain, if you let them log in and get full rights anyway?
Just make sure your servers don't have the GPO applied to add users to the local administrators.
 

Billzie7718

First, I was actually referring to a Computer Configuration GPO, not User Configuration. This way, as long as the computer is a member of the domain, whoever logs on has Local Admin rights. Though I agree that users shouldn't have local admin rights, unfortunately we use a third-party application (one that cannot be run as a service) that requires admin rights to run.

Second, our domain consists of location-based OUs. Because of this, adding Domain Users to the local admin group means that the new intern in shipping would be able to connect to the computer of the president of HR and browse files that may potentially contain salaries or other confidential information. By applying this theoretical GPO, it would instead drop that user's account name into local admin, meaning they would have full rights but ONLY to that machine, and ONLY while they are logged onto it.
 

RebateMonger

Elite Member
Dec 24, 2005
11,588
0
0
Have you tried finding the Registry and Folder permissions required to make that troublesome application run without making everybody "Local Administrator"?
 

Billzie7718

Originally posted by: RebateMonger
Have you tried finding the Registry and Folder permissions required to make that troublesome application run without making everybody "Local Administrator"?

We ARE currently testing but I'm afraid that the expectations are already set. If/When this is implemented, there will be a large influx of issues (presumably because they can no longer install their Yahoo Messenger or Google Toolbar) but this will cause surveys to drop and therefore bonuses to decrease. Having local admin is not a problem, granted I would prefer it be different, but our unattended install is pretty streamlined and doesn't require much effort to wipe it out and start over if things get too bad. Simply looking for a solution that solves the problem without hitting me in the bonus.
 

RebateMonger

One option to prevent EVERYONE from being a Local Administrator on EVERY PC:

a) Create Computer OUs for the various computer groups. Put "sensitive" computers in a special group, where you'll manage the Local Administrator privilege manually.
b) Create Security Groups containing those users who will be granted Local Administrator rights on the various PCs
c) Create a "Computer Logon Script" that will be run each time the PC logs onto the Domain (this is NOT the User Logon Script)
d) Content of Computer Logon Script:
Net LocalGroup Administrators "domain_name\security_group" /add
(where "domain_name" is the name of your domain and "security_group" is the name of a User Group being given Local Administrator rights)

Test the logon script from the Command Prompt on some PCs to make sure it does what you want.

e) Create Group Policies and link them to the desired Computer OUs.
f) In the new Group Policies, set the \Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) to automatically run the appropriate logon script that you've created
---------------------------------------------------------

The above will:
Make certain User Groups Local Administrators on all PCs in the selected Computer OU.
Will not "restrict" additional Local Administrators from being added if necessary.
Will NOT allow the User Groups to be Local Administrators on "sensitive" computers.
(You can add your own Local Administrators manually on the "sensitive" computers.)

I'd first do this on a small scale and verify it does what you want. And, obviously, test the final result to make sure that those "sensitive" PCs really are excluded.
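
The last post ends by advising a test that the "sensitive" PCs really are excluded. As an added example (not part of the thread and not code from any poster), the Python below parses captured `net localgroup Administrators` output and reports PCs that deviate from the plan, including any PC where Domain Users ended up in the group. The group name `EXAMPLE\Shipping-LocalAdmins`, the host names and the sample output are constructed, and English-language command output is assumed.

```python
# Added example (not from the thread). All group names, host names and sample
# output below are constructed; English-locale `net localgroup` output is assumed.
DELEGATED_GROUP = r"EXAMPLE\Shipping-LocalAdmins"  # hypothetical security group
FORBIDDEN = (r"EXAMPLE\Domain Users",)             # should never be a local admin

def parse_members(output):
    """Return member names listed between the dashed separator line and the
    trailing "The command completed successfully." line."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = bool(line) and set(line) == {"-"}  # separator reached
        elif line.lower().startswith("the command completed"):
            break
        elif line:
            members.append(line)
    return members

def audit(host, output, sensitive):
    """Return findings for one PC; an empty list means it matches the plan."""
    present = {m.lower() for m in parse_members(output)}  # names are case-insensitive
    findings = [f"{host}: {name} is a local administrator"
                for name in FORBIDDEN if name.lower() in present]
    has_delegated = DELEGATED_GROUP.lower() in present
    if sensitive and has_delegated:
        findings.append(f"{host}: sensitive PC includes {DELEGATED_GROUP}")
    if not sensitive and not has_delegated:
        findings.append(f"{host}: startup script did not add {DELEGATED_GROUP}")
    return findings

def sample(*members):
    """Build constructed command output with the given member lines."""
    return ("Alias name     Administrators\nComment        (constructed)\n\n"
            "Members\n\n" + "-" * 79 + "\n" + "\n".join(members) +
            "\nThe command completed successfully.\n")

CAPTURES = {  # host: (is_sensitive, captured output)
    "SHIP-PC01": (False, sample("Administrator", DELEGATED_GROUP)),
    "HR-PRES01": (True, sample("Administrator", DELEGATED_GROUP)),
    "SHIP-PC02": (False, sample("Administrator", r"EXAMPLE\Domain Users")),
}

def audit_all(captures=CAPTURES):
    return [f for host in sorted(captures)
            for f in audit(host, captures[host][1], captures[host][0])]

if __name__ == "__main__":
    print("\n".join(audit_all()) or "all PCs match the plan")
```

To use it on real data, replace `CAPTURES` with the text of `net localgroup Administrators` collected from each PC and mark which hosts belong to the "sensitive" OU.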
 