OK - I'll toss in my two cents - do it via a startup script
in a group policy applied at whatever level is going to hit your
workstations. In the startup script (cmd, bat, vbs - whatever you're
comfortable with) you'll want something along the lines of:
@echo off
::Add2Admin.cmd
::Runs as a GPO computer startup script, i.e. as LocalSystem.
set log=c:\audit.log
time /t > %log%
rem Change domain to your domain name but leave everything else.
set grp="<YourDomain>\Domain Admins"
set grp2="<YourDomain>\Workstation Admins"
echo Adding %grp% to local Administrators group >>%log%
rem 2>&1 also sends errors (e.g. "already a member") to the log.
net localgroup Administrators %grp% /add >>%log% 2>&1
echo *************************************** >>%log%
echo Adding %grp2% to local Administrators group >>%log%
net localgroup Administrators %grp2% /add >>%log% 2>&1
echo *************************************** >>%log%
rem Clear the variables so nothing leaks into later scripts.
set log=
set grp=
set grp2=
:EOF

What this accomplishes for us is a group that is maintained
in AD (Workstation Admins) is added to the local Administrators group of the
workstation, along with the Domain Admins group. The Workstation Admins
group is our technical services group, responsible for managing and maintaining
the PCs. And, because it runs as a startup command, it runs in the
LocalSystem context - therefore no issues in performing the
commands.
Under no circumstances do I trust anyone with Domain Admin
privileges that 1) do not absolutely require it, and 2) have not passed my
stringent requirements for the responsibility. It's way too easy for
someone to make mistakes that I ultimately will be responsible for, and it's
also too easy to make sure that those that need to do a particular job have
the permissions to do so. Two examples to cite - the script above and the
AD Delegation White Paper.
Rick Kingslan MCSE, MCSA, MCT

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
Sent: Thursday, December 04, 2003 9:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

You could add him to the local administrators group using the computer management
tool. The addusers.exe can add users to local groups using the cmd or batch
file.
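As an added example (not Rick's script and not from the thread), the same startup-script approach written in PowerShell: it adds the approved domain groups only when they are not already members, so it stays quiet on every reboot, and it logs any member of local Administrators that is not on the approved list so drift can be reviewed. It assumes the hypothetical domain name YOURDOMAIN and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), and is deployed the same way, as a GPO computer startup script so it runs as LocalSystem.

```powershell
# Add2Admin.ps1 - hypothetical GPO computer startup script (example, not from the thread).
param(
    [string]$Domain = 'YOURDOMAIN',   # assumption: replace with your NetBIOS domain name
    [string[]]$AllowedGroups = @('Domain Admins', 'Workstation Admins'),
    [string]$LogPath = 'C:\audit.log'
)

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format 's') $Message" | Out-File -FilePath $LogPath -Append
}

# Fully qualified names as they appear in Get-LocalGroupMember output.
$wanted  = $AllowedGroups | ForEach-Object { "$Domain\$_" }
$current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

# 1. Add each approved group only if it is missing, so a reboot does not
#    fill the log with "already a member" errors the way a bare 'net localgroup /add' does.
foreach ($g in $wanted) {
    if ($current -contains $g) {
        Write-Log "OK   $g already in Administrators"
        continue
    }
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $g -ErrorAction Stop
        Write-Log "ADD  $g added to Administrators"
    } catch {
        Write-Log "FAIL $g : $($_.Exception.Message)"
    }
}

# 2. Report anything else in local Administrators (other than the machine's own
#    local accounts) for review, rather than silently removing it.
$extra = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notin $wanted -and $_.Name -notlike "$env:COMPUTERNAME\*" }
foreach ($m in $extra) {
    Write-Log "WARN unexpected member $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))"
}
```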
