Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account



Photo

Add Domain Users

- - - - -

  • Please log in to reply
10 replies to this topic

#1
arden

arden
  • Member
  • 7 posts
  • Joined 25-September 05
Hi,

My Unattended XP install works fine, and it add's me to my domain alright, but I would like to add 2 users to the process also as administrators on the local machine.

These 2 users will be the same all the time, (Domain Administrators). As the domain administrator password is already giver inorder to join the computer to the domain I shouldn't think it would be that hard to add 2 users, but I'm unsure as to where to start. Any help would be great!

Regards,
arden


How to remove advertisement from MSFN

#2
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
You don't add domain users to a computer, you add them to the domain itself. If you want to "add" a domain user to the computer, just log the user in and let the profile create itself from the Default User profile.

If you add a user to the computer, you are adding a local user.

#3
nmX.Memnoch

nmX.Memnoch

    MSFN Master

  • Patrons
  • 2,086 posts
  • Joined 15-September 04
  • OS:Windows 7 x64
  • Country: Country Flag
I have something similar to the following in a CMD file that runs as a startup script for all of my workstations.

 
:: Add Domain Users to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\user1 /ADD
NET LOCALGROUP Administrators DOMAIN\user2 /ADD

:: Add Domain Groups to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\group1 /ADD
NET LOCALGROUP Administrators DOMAIN\group2 /ADD


This will automatically add them. It'll also automatically add them back should they get accidentally removed from the group.

#4
arden

arden
  • Member
  • 7 posts
  • Joined 25-September 05
Hi, thanks for the info, I'll give it a go.



RogueSpear

I ment adding the users domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if there account is not set up on that computer.



arden

#5
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04

RogueSpear

I ment adding the users domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if there account is not set up on that computer.

<{POST_SNAPBACK}>


:blushing: oops.. lol, now that I read it again it does seem a little more obvious that's what you meant. Sorry bout that.

#6
InTheWayBoy

InTheWayBoy

    Friend of MSFN

  • Member
  • PipPipPipPipPip
  • 709 posts
  • Joined 16-August 04

I ment adding the users domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if there account is not set up on that computer.

<{POST_SNAPBACK}>


Eh? You shouldn't have to give them local admin rights to login...

But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

#7
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
Restricted Groups is really a great feature. On the one hand I have the corporate bosses who think if they aren't "Administrators" that someone from IT is usurping their authority, so I use it on an OU dedicated to them to keep them as admins on ONLY their computers. If they log in anywhere else, which is infrequent, they are normal users like everyone else.

On the flip side, there are those who know the Administrative password (not my policy, I'm not the CEO) and they have a habit of making themselves admin on their own machine. Well if they do that, with about a half hour, Restricted Users boots them right down to a normal user again. That's been a life saver on a few ocassions.

#8
arden

arden
  • Member
  • 7 posts
  • Joined 25-September 05

Eh? You shouldn't have to give them local admin rights to login...


I don't have to but its the way we set up our users computers, it's all politics as you can guess with the management and IS, I'm just trying to make things a little easier for myself by making the unattended CD.

There are many reasons for not using different groups etc, and this way we find the best for our needs.

Regards,
arden

#9
nmX.Memnoch

nmX.Memnoch

    MSFN Master

  • Patrons
  • 2,086 posts
  • Joined 15-September 04
  • OS:Windows 7 x64
  • Country: Country Flag

But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.


This is a feature that I WISH I could use. I work on an Air Force installation and they don't give unit FSA's (Functional Systems Administrators) domain admin privs...and we don't get access to edit or own OU GPO's either. We're lucky to even be able to unlock our users' accounts at this point. For this reason I sometimes forget about other settings available for use via GPO.

We do have full admin privs on the servers/workstations we're responsible for though. What I did was used gpedit.msc on one workstation to configure the settings I want...and then copy the .pol files (along with the gpt.ini) during unattended setup. Works like a charm and we automatically get added to the local admin group when the machine is joined to the domain.

#10
RogueSpear

RogueSpear

    OS: SimplyMEPIS

  • MSFN Sponsor
  • 1,529 posts
  • Joined 18-September 04
You may not have permissions to edit your own OU's, but do you have permission to create a child OU? Just a thought.. it could be a way around.

#11
nmX.Memnoch

nmX.Memnoch

    MSFN Master

  • Patrons
  • 2,086 posts
  • Joined 15-September 04
  • OS:Windows 7 x64
  • Country: Country Flag
Nope. No such permissions. They use a tool called Active Directory Resource Assistance from NetIQ to granularize the permissions. We can't even add our own user or computer accounts. We can manage/delete existing accounts...but not create them.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users