adding users using ad logon script?

Discussion in 'Active Directory' started by Esa, Sep 17, 2005.

  1. Esa

    Esa Guest

    Hi!

    I would like to create a script that adds on certain domain user account
    into every single desktop pc´s local admin group. I would also like to copy
    one certain profile in every single computet into default user profile.

    That account I am going to copy into default user account was accidently
    deleted in AD, but the profile is still saved in host computer(we are using
    local profiles). If I have a look at the state of computer accounts in My
    computer->Advenced->profiles tab I see only account unknown sign.

    So would this be possible make such script? Using ad´s startup script and
    user loopback policy?

    Would that script work if a normal domain user would log in? Would
    credentials be high enough for adding something into local admin group ?

    Thanks,

    Esa
     
    Esa, Sep 17, 2005
    #1
    1. Advertisements

  2. Esa

    Al Mulnick Guest

    Can't think why it would not be possible.
    As for credentials, that would depend on your configuration and the user
    account rights assigned.

    As for the deletion and re-adding, have you considered CAREFULLY using the
    restricted groups feature?

    Al
     
    Al Mulnick, Sep 17, 2005
    #2
    1. Advertisements

  3. Esa

    Esa Guest

    Hi!

    I just thought make a logon script that would add users to admin group.
    Enable user loopback policy mode in computer configuration. Our computers are
    in OUs containing only computers so I would link the policy to those OUs.

    I was just wondering using such policy will it make difference who logs in
    and what is his group membership? Will it make any difference while using
    loopback policy?

    Yes, I was also thinking about resticted groups, but I was wondering how to
    add users to local admin group for all desktop computers. Could it be
    possible using GPMC from workstation? And what would happen then when we are
    not using those groups any more? We should add account into local admin group
    somehow after that..?

    Esa
     
    Esa, Sep 17, 2005
    #3
  4. Esa

    Al Mulnick Guest

    Technically, it makes a difference what context the script runs under. A
    logon script runs under the context of the user that logged on (in most
    cases) so if that user is not a local administrator, then the script should
    fail to add a user to the local administrators group. If it didn't that
    would be a security problem of a much larger magnitude for a lot of people.
    Elevation of privilege and all that.

    At some point in the transaction, you must present credentials sufficient to
    add a user to the local administrators group else it will fail.

    Take a look at the documentation on restricted groups. I think you'll find
    that's what you want to do. IIRC, there's an option to append vs. replace
    members of the group in question. As the group/user requirements change you
    can make adjustments via the restricted groups policy.

    Al
     
    Al Mulnick, Sep 19, 2005
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.