Need a script to grant local admin rights (Builtin\Administrators) to ZA\Domain Users

    Question

  • Hello, all!

    I am in a bit of a pickle, and would like an easy script solution (startup script, deployed via GPO) to add ZA\Domain Users to the Builtin\Administrators group for all local workstations on my network.  I am not great with Powershell or VBScript, so any help would be appreciated.

    This is a short term fix.  I am looking at only pushing this script for a couple of days to get some mandatory, user-spawned updates done.

    I anxiously await your replies.  Thank you in advance for your assistance!  :)

    Chris

    Tuesday, August 07, 2012 8:21 PM

Answers

  • I tried that.  But then, that's a computer policy, not a user policy.  I had to configure GPO Loopback to get it to work.  GPO Loopback always throws me for a loop.

    Perhaps I was not patient enough, nor employed enough gpupdate /force.

    Groups are only computer-level objects.  You cannot affect any accounts of groups with a logon script or a user policy.  It must be driven at the computer level.

    The chances are that there is already a policy in place that you are now superseding.  If you add a dummy group, say "Extra Local Admins", to the restricted group then you can just add and remove "Domain Users" from that group and it will take effect immediately.  Removing the policy can take some time and can actually fail if things are not perfect.  I recommend using an in-between group to make it easier.  You can leave the group and use it to grant temporary admin privileges whenever needed.

    I do this on some clients because we don't allow the help desk admin privileges.  Sometimes we need to do a manual installation so I just drop the HD personnel into the local admin proxy group and they can now do their work. When they are done we just remove them from the group.  It takes only a second to do.


    ¯\_(ツ)_/¯

    Tuesday, August 07, 2012 9:16 PM
  • So, just a few options...

    • Depending on what you're needing to update, you may be able to do it with Group Policy if you can get an MSI of what you need to update.... avoids handing out Admin rights to users that don't need it. 
    • If you have access to something like SCCM, push the updates.
    • If you're dead set on doing it this way (or don't have an automated way to push updates), you can use Group Policy Preferences to add Domain Users to the local Admin group.  With GPP, you could also use Item Level Targeting so that once your window for having these updates is installed, Domain Users will be removed. 
    Wednesday, August 08, 2012 2:35 AM
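
An added example, not part of any post in this thread: a PowerShell check to run on a workstation after the temporary window closes, confirming that Domain Users (or another catch-all principal) is no longer in Builtin\Administrators. The function names are hypothetical, the sample SIDs are constructed, and it assumes Windows PowerShell 5.1 or later for `Get-LocalGroupMember`.

```powershell
# Added example: audit Builtin\Administrators for over-broad members.
# Matching is done on SIDs, so renamed or localized group names do not matter.
$BroadSids = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-4'  = 'INTERACTIVE'
}

function Get-BroadPrincipalLabel {
    # Hypothetical helper: returns a label if the SID is a catch-all principal.
    param([Parameter(Mandatory)][string]$Sid)
    if ($BroadSids.ContainsKey($Sid)) { return $BroadSids[$Sid] }
    # Domain Users is always RID 513 under a domain SID (S-1-5-21-<domain>-513).
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    return $null
}

function Find-BroadLocalAdmin {
    # S-1-5-32-544 is Builtin\Administrators on every Windows installation.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Enumeration can fail, for example when the group holds an orphaned SID.
        Write-Warning "Could not enumerate local Administrators: $_"
        return
    }
    foreach ($m in $members) {
        $label = Get-BroadPrincipalLabel -Sid $m.SID.Value
        if ($label) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Sid      = $m.SID.Value
                Matched  = $label
            }
        }
    }
}

# Constructed SIDs that exercise the matcher without touching the machine:
# RID 513 (Domain Users) and S-1-5-11 match; RID 512 (Domain Admins) does not.
'S-1-5-21-1111111111-2222222222-3333333333-513',
'S-1-5-21-1111111111-2222222222-3333333333-512',
'S-1-5-11' | ForEach-Object { '{0} -> {1}' -f $_, (Get-BroadPrincipalLabel -Sid $_) }

# Live check of this computer; no rows means no catch-all principal is a direct member.
Find-BroadLocalAdmin | Format-Table -AutoSize
```

Only direct members are inspected, so an in-between group such as the "Extra Local Admins" proxy suggested above has to have its own membership checked in the domain.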

All replies

  • Use restricted Group in GP.  It can add and then later remove any element of any group.  The administrators group should always be protected via this GP.

    ¯\_(ツ)_/¯

    Tuesday, August 07, 2012 8:46 PM
  • I tried that.  But then, that's a computer policy, not a user policy.  I had to configure GPO Loopback to get it to work.  GPO Loopback always throws me for a loop.

    Perhaps I was not patient enough, nor employed enough gpupdate /force.

    Tuesday, August 07, 2012 8:50 PM