Comments on: How to configure user to be local administrator for all PC’s in a domain without making him domain administrator http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/ Wed, 22 May 2013 05:05:11 +0000 hourly 1 By: jmalik http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43688 jmalik Tue, 08 Mar 2005 13:11:15 +0000 #comment-43688 Thanks everyone esp rjournitz57 and amigus. The VBScript should do the trick. Thanks guys!

]]> By: amigus http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43689 amigus Mon, 07 Mar 2005 14:16:02 +0000 #comment-43689 This VBS script should do what you want. It will require some customization for your site and you’ll need to run it from a domain controller or some computer trusted for delegation, as a Domain Administrator.

‘ — BEGIN –
‘ Add user to local group for all domain computers.

strDomainSuffix = “DC=example,DC=com”

strDomain = “EXAMPLE”
strUser = “Adam”
strDstGroup = “Administrators”

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand = CreateObject(“ADODB.Command”)

objConnection.Provider = “ADsDSOObject”
objConnection.Open “Active Directory Provider”

Set objCommand.ActiveConnection = objConnection

‘ Taylor this search to return the computers you want.
objCommand.CommandText = “” _
& “select Name ” _
& “from ‘LDAP://” & strDomainSuffix & “‘ ” _
& “where objectClass=’computer’ ” _
& “and operatingSystem=’Windows XP Professional’ ” _
& “”

objCommand.Properties(“SearchScope”) = ADS_SCOPE_SUBTREE
objCommand.Properties(“Cache Results”) = False
objCommand.Properties(“Timeout”) = 300

Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
strComputer = objRecordSet.Fields(“Name”).Value

Set objGroup = GetObject(“WinNT://” & strComputer & “/” & strDstGroup & “,group”)
Set objUser = GetObject(“WinNT://” & strDomain & “/” & strUser & “,user”)

WScript.Echo objUser.ADsPath & ” -> ” & objGroup.ADsPath

objGroup.Add(objUser.ADsPath)

objRecordSet.MoveNext
Loop
‘ — END –

]]> By: melenie http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43690 melenie Mon, 07 Mar 2005 08:24:33 +0000 #comment-43690 Add the user’s domain account to the local administrator account on the machine. Just a note that if you don’t have some type of imaging software to reimage machines when users “make big mistakes” on them, you may want to give them “power user” instead. XP Pro is a powerfull OS. I hope this helps.

]]> By: rjournitz574 http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43691 rjournitz574 Sun, 06 Mar 2005 03:50:27 +0000 #comment-43691 Hello:

From your original question it sounds to me like what you want is to have a user whose account is domain based be a local administrator on all the PC?s in that same domain but not make that user a Domain Admin or delegate any Domain privileges.

If that is correct then I would suggest the following:

1. Write a VB script that:
a. Gets the domain based user record.
b. Adds this user to the Local Administrators group
on the PC.
2.Add this script to an existing Computer Startup script in your AD Group Policy. If you do not have this policy script then create one.

Once the above runs on all you PC?s you can delete that portion of the GPO.

Email me directly at rjournitz574@charter.net if you would like an example of the script mentioned above.

Randy

]]> By: texasboy http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43692 texasboy Sat, 05 Mar 2005 18:59:36 +0000 #comment-43692 Sounds like you’re still getting an incomplete answer. You want to structure AD for administrative purposes. In this case you will need an OU container that has these 60 computers in it. Once you have done so, right-click the OU name and choose ‘Delegate control’. This should launch the Delegate Control Wizard. You can specify just the type of administrative control you want to give for this OU to an individual. You can specify administering user accounts, adding computer accounts to domain, deleting computers, etc.

]]> By: imaginetsecurity http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43693 imaginetsecurity Fri, 04 Mar 2005 11:32:55 +0000 #comment-43693 Use Group Policy. Put those machines at issue into their own OU, create a policy for that OU that empowers your local administrator with the rights you require on those machines.

I would suggest creating a user group in the OU through AD, add this user to the group, and then use that group in the above policy. This way you can change the group membership and the policy and machines are automatically upated.

]]> By: jmalik http://itknowledgeexchange.techtarget.com/itanswers/how-to-configure-user-to-be-local-administrator-for-all-pcs-in-a-domain-without-making-him-domain-administrator/#comment-43694 jmalik Fri, 04 Mar 2005 09:26:25 +0000 #comment-43694 Thanks for ur reply slesh20.

The problem is that I will have to add the user to the local administrators group one by one for all 60 PC’s. The domain admin is automatically local admin for all PC’s in the domain. Is there any way by which I can make a user/group local administrator for all computers in a domain by default (or in one go) without making him a domain admin?

Thanks, jmalik

]]>