Discussion:
add user to local admin group
sam
2003-12-17 16:21:23 UTC
hi,

I use this code in my login script to add the current user to the
administrator local group. It functions if the user who tries to
connect has local admin rights (domain\admins, for example);
if the user who's connected does not have admin rights
(domain\newuser, for example), the script can't add the
account to the local admin group.

What can I do? Use an order like runas?

if somebody can help me

thank you

Dim Domain, UserName, local, net, group
' One WScript.Network object supplies the domain, user and computer names
Set net = WScript.CreateObject("WScript.Network")
Domain = net.UserDomain
UserName = net.UserName
local = net.ComputerName
' "Administrateurs" is the localized (French) name of the local admin group
Set group = GetObject("WinNT://" & local & "/Administrateurs")
' Errors are suppressed from here on, so a failed Add is silent
On Error Resume Next
group.Add "WinNT://" & Domain & "/" & UserName

sam
Torgeir Bakken (MVP)
2003-12-17 18:47:49 UTC
Post by sam
hi,
I use this code in my login script to add the current user to the
administrator local group. It functions if the user who tries to
connect has local admin rights (domain\admins, for example);
if the user who's connected does not have admin rights
(domain\newuser, for example), the script can't add the
account to the local admin group.
If you are using AD, you could consider adding the builtin "NT
Authority\Interactive" instead (in a computer startup script), meaning
everybody logged in interactively (through the console) on the computer.

We add NT Authority\Interactive in the local Administrators group to let all
domain users automatically be local admins when they log on to a computer
interactively (thus avoiding the issue with cross network admin rights that
"Authenticated Domain users", "Domain Users" or
"NT AUTHORITY\Authenticated Users" will give you).

A computer startup script (with a GPO) runs as part of the boot up process
(before the user logs in). It runs under the system context and has admin
rights.

From command line:
NET.EXE LOCALGROUP /ADD Administrateurs "NT Authority\Interactive"

or from a vbscript:

Set oShell = CreateObject("WScript.Shell")
oShell.Run _
"NET.EXE LOCALGROUP /ADD Administrateurs ""NT Authority\Interactive""" _
, 0, True
Post by sam
What can I do? Use an order like runas?
Some options that also might work for you:


If it doesn't matter if the password is in clear text:

Sanur Commandline Runas Automation Utility (free)
http://www.commandline.co.uk/sanur/


if it does:

Some 3rd party RunAs solutions that "hide" (encrypt) username/password
are listed in the link below (buy solutions). Can be run from network shares,
so nothing needs to be installed on the client computers.

http://groups.google.com/groups?selm=3E272913.27CBE26D%40hydro.com


A couple of free tools that "hide" (encrypt) username/password:

CPAU on the free win32 c++ tools page of
http://www.joeware.net


And from a recent post by Peter M.:

<quote>
I am currently using AutoIt V3 (http://www.hiddensoft.com/autoit3/)
It includes a command to run a command as a special user. You can
write a simple script and then compile it with autoit as an executable.
Protect this executable with a password and you are done.

AutoIt V3 is still beta and under development, but the actual version
is stable and the functions you need (runasadmin,regwrite...) are
already implemented and working.
</quote>



--
torgeir
Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of the 1328 page
Scripting Guide: http://www.microsoft.com/technet/scriptcenter
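
An added example, not part of the original posts: a PowerShell check that lists the members of the local Administrators group and marks the broad principals named in this thread (Interactive, Authenticated Users, Domain Users). It resolves the group by its well-known SID S-1-5-32-544, so it also works where the name is localized, as with "Administrateurs" above; the function names are hypothetical.

```powershell
# Added example: audit the local Administrators group for broad principals.
# Function names are hypothetical; the SIDs are Windows well-known SIDs.

function Get-BroadPrincipalLabel {
    param([string]$Sid)
    # Returns a label when the SID covers a whole class of users, else $null.
    switch -Regex ($Sid) {
        '^S-1-1-0$'               { return 'Everyone' }
        '^S-1-5-4$'               { return 'NT AUTHORITY\INTERACTIVE' }
        '^S-1-5-11$'              { return 'NT AUTHORITY\Authenticated Users' }
        '^S-1-5-32-545$'          { return 'BUILTIN\Users' }
        '^S-1-5-21-(\d+-){3}513$' { return 'Domain Users' }
    }
    return $null
}

function Get-LocalAdministratorsMember {
    # The group name is localized (e.g. "Administrateurs"); its SID is not.
    $groupSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $account  = $groupSid.Translate([System.Security.Principal.NTAccount]).Value
    $name     = $account.Split('\')[-1]
    $group    = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members are COM objects, so properties are read through InvokeMember.
        $type  = $member.GetType()
        $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        [pscustomobject]@{
            Member = $path -replace '^WinNT://', ''
            Sid    = $sid
            Broad  = Get-BroadPrincipalLabel $sid   # empty for ordinary accounts
        }
    }
}

Get-LocalAdministratorsMember | Format-Table -AutoSize
```

Any row with a value in the Broad column grants local administrator rights to every account in that class rather than to a named user or group.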
