arden

Add Domain Users

11 posts in this topic

Hi,

My Unattended XP install works fine, and it adds me to my domain alright, but I would like to add 2 users to the process also as administrators on the local machine.

These 2 users will be the same all the time (Domain Administrators). As the domain administrator password is already given in order to join the computer to the domain I shouldn't think it would be that hard to add 2 users, but I'm unsure as to where to start. Any help would be great!

Regards,

arden


You don't add domain users to a computer, you add them to the domain itself. If you want to "add" a domain user to the computer, just log the user in and let the profile create itself from the Default User profile.

If you add a user to the computer, you are adding a local user.


I have something similar to the following in a CMD file that runs as a startup script for all of my workstations.

:: Add Domain Users to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\user1 /ADD
NET LOCALGROUP Administrators DOMAIN\user2 /ADD

:: Add Domain Groups to Local Administrators Group
NET LOCALGROUP Administrators DOMAIN\group1 /ADD
NET LOCALGROUP Administrators DOMAIN\group2 /ADD

This will automatically add them. It'll also automatically add them back should they get accidentally removed from the group.


Hi, thanks for the info, I'll give it a go.

RogueSpear

I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

arden

RogueSpear

I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

:blushing: oops.. lol, now that I read it again it does seem a little more obvious that's what you meant. Sorry bout that.

I meant adding the user's domain account to the local machine so they will be administrators of that machine, otherwise they can't log into the computer if their account is not set up on that computer.

Eh? You shouldn't have to give them local admin rights to login...

But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.


Restricted Groups is really a great feature. On the one hand I have the corporate bosses who think if they aren't "Administrators" that someone from IT is usurping their authority, so I use it on an OU dedicated to them to keep them as admins on ONLY their computers. If they log in anywhere else, which is infrequent, they are normal users like everyone else.

On the flip side, there are those who know the Administrative password (not my policy, I'm not the CEO) and they have a habit of making themselves admin on their own machine. Well if they do that, within about a half hour, Restricted Users boots them right down to a normal user again. That's been a life saver on a few occasions.

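The startup script and the Restricted Groups posts above both aim at a known-good membership for the local Administrators group; the following is an added example (not code from any poster in this thread) that audits the group against an allowlist and reports drift in both directions. It assumes PowerShell 5.1 or later with the LocalAccounts module, which is newer than the XP-era tooling discussed here; `Get-AdminDrift` is a hypothetical helper and the `DOMAIN\...` names are the thread's placeholders.

```powershell
# Added example: allowlist audit of the local Administrators group.
# DOMAIN\... names are the thread's placeholders; Get-AdminDrift is hypothetical.
$Allowed = @('DOMAIN\user1', 'DOMAIN\user2', 'DOMAIN\group1', 'DOMAIN\group2',
             'DOMAIN\Domain Admins')   # Domain Admins is added on domain join

function Get-AdminDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name and SID
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $names = @($Members | ForEach-Object { $_.Name })

    # Built-in Administrator accounts carry RID 500 and are exempt here, so a
    # renamed built-in account is not reported as unexpected.
    $unexpected = @($Members |
        Where-Object { ("$($_.SID)" -notmatch '-500$') -and
                       ($Allowed -notcontains $_.Name) } |
        ForEach-Object { $_.Name })

    # Allowlisted principals that are absent (what the startup script re-adds).
    $missing = @($Allowed | Where-Object { $names -notcontains $_ })

    [pscustomobject]@{ Unexpected = $unexpected; Missing = $missing }
}

# Constructed sample membership, shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';   SID = 'S-1-5-21-1111-2222-3333-500' }
    [pscustomobject]@{ Name = 'DOMAIN\Domain Admins'; SID = 'S-1-5-21-4444-5555-6666-512' }
    [pscustomobject]@{ Name = 'DOMAIN\user1';         SID = 'S-1-5-21-4444-5555-6666-1104' }
    [pscustomobject]@{ Name = 'DOMAIN\jdoe';          SID = 'S-1-5-21-4444-5555-6666-1187' }
)

$drift = Get-AdminDrift -Members $sample -Allowed $Allowed
"Unexpected members: $($drift.Unexpected -join ', ')"
"Missing members:    $($drift.Missing -join ', ')"

# On a live machine, replace $sample with the real membership
# (well-known SID S-1-5-32-544 avoids the localized group name):
# $live  = Get-LocalGroupMember -SID 'S-1-5-32-544'
# $drift = Get-AdminDrift -Members $live -Allowed $Allowed
```

Unlike Restricted Groups, this only reports; it removes nothing, which makes it usable where the GPO cannot be edited.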
Eh? You shouldn't have to give them local admin rights to login...

I don't have to but it's the way we set up our users' computers, it's all politics as you can guess with the management and IS, I'm just trying to make things a little easier for myself by making the unattended CD.

There are many reasons for not using different groups etc, and this way we find the best for our needs.

Regards,

arden

But, if you want to, you might wanna look at Restricted Groups...it's a Group Policy section that allows you to add or remove users from local security groups. You could use that to add your domain users to the local admin group of all your machines...and since it's Group Policy, it should apply to all clients, not just the ones you've installed with your Unattended.

This is a feature that I WISH I could use. I work on an Air Force installation and they don't give unit FSA's (Functional Systems Administrators) domain admin privs...and we don't get access to edit or own OU GPO's either. We're lucky to even be able to unlock our users' accounts at this point. For this reason I sometimes forget about other settings available for use via GPO.

We do have full admin privs on the servers/workstations we're responsible for though. What I did was use gpedit.msc on one workstation to configure the settings I want...and then copy the .pol files (along with the gpt.ini) during unattended setup. Works like a charm and we automatically get added to the local admin group when the machine is joined to the domain.


You may not have permissions to edit your own OU's, but do you have permission to create a child OU? Just a thought.. it could be a way around.


Nope. No such permissions. They use a tool called Active Directory Resource Assistance from NetIQ to granularize the permissions. We can't even add our own user or computer accounts. We can manage/delete existing accounts...but not create them.
