Make a normal user a local admin

By | January 1, 2007

I just set up something which is fairly useful, and I had a hard time
finding anything much about it on the Internet. I needed to make a new
guy we have working for us a local admin on each machine in the domain
without making him a domain admin, also not forgetting we have English
and French systems, i.e. the group name is different on these systems.

So I found this here:

http://web.mit.edu/ist/topics/windows/server/winmitedu/user_management.html

My thanks to the people who wrote this. In case this link disappears, I have taken the most important part and listed it here.

quote —

Create a Policy to Add a Security Group to the Local Administrators Group

Requirements: Container Administrator rights, i.e., rights over an organizational unit

Create a security group which contains the user ids of the users who will be
allowed local administrator access to the computers in the
organizational unit. Note: The name of the group cannot contain any
spaces. Create a .bat file containing the following simple script:

net localgroup administrators LocalAdministratorGroupName /add

Where LocalAdministratorGroupName is the name of the group of
local administrators previously created in the Active Directory. Add the
script to a group policy:

1. Select the OU to which you want the policy to be applied.  

2. Right-click Properties… , click on the Group Policy tab, select New…

3. Give the group policy a name (prefixed with the name of your departmental OU).

4. Click Edit.  

5. Expand Computer Configuration > Windows Settings > Scripts…  

6. Double-click Startup… , select Add.  

7. Type the script name and location in the Script Parameters box,
e.g., \\campus\software\dept\myDept\localAdmin.bat.

For an existing group policy you will need to edit that policy using steps 4-7 above.
Note: You can edit only policies that you have created yourself, or for
which you have been expressly granted editing permissions by the
original policy creator.

end quote — 

I made a group called workstationadmins, added my new guy to it, and made a GP
under Workstations (our servers are in a separate OU) called Local Admins. I
added the following to the machine startup script: \\xxx\NETLOGON\localadmin.bat,
which contains

net localgroup administrators workstationadmins /add

net localgroup administrateurs workstationadmins /add

to cover both EN and FR. It doesn't seem to care that a group does not exist,
but I will keep an eye out. After a restart any PC in the OU comes up
with that group as a local admin, i.e. I believe any new machine that is
set up he can log straight onto as a local admin with his account. Will
test 🙂
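
The two-line batch file above depends on knowing every localized name of the group. As an added example (not part of the original post or the MIT page), this PowerShell startup script addresses the built-in Administrators group by its well-known SID S-1-5-32-544 instead, so one script works on English, French or any other language install, and it ends by listing the group's members for review. The domain name EXAMPLE is a placeholder, and the LocalAccounts cmdlets assume Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the original post. Intended as a machine startup
# script, which runs as SYSTEM and can therefore edit local groups.
# Assumptions: 'EXAMPLE' is a placeholder NetBIOS domain name;
# Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
param(
    [string]$Domain = 'EXAMPLE',            # placeholder, replace with your domain
    [string]$Group  = 'workstationadmins'   # group name used in the post
)

# S-1-5-32-544 is the well-known SID of the built-in Administrators group.
# The SID is identical on every Windows install; only the name is localized
# (Administrators, Administrateurs, ...).
$adminSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-32-544'

# Resolve the localized name, for logging only. Nothing below depends on it.
$localName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value
Write-Output "Built-in admin group on this machine: $localName"

$member = "$Domain\$Group"

# Idempotent add: only touch the group if the domain group is not already in it.
$existing = Get-LocalGroupMember -SID $adminSid -Member $member -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "$member is already a member of $localName; nothing to do."
} else {
    # -ErrorAction Stop makes a failure (e.g. unresolvable group) end the script
    # with an error instead of passing silently.
    Add-LocalGroupMember -SID $adminSid -Member $member -ErrorAction Stop
    Write-Output "Added $member to $localName."
}

# Audit step: list who now holds local admin rights on this machine, so that
# unexpected entries stand out when the output is collected and reviewed.
Get-LocalGroupMember -SID $adminSid |
    Sort-Object Name |
    Select-Object Name, ObjectClass, PrincipalSource
```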
