control local machine admin rights via group policy
Hi all,
I would like to set up an account for all my machines. This account should not be created as a domain account but rather as a local machine account, pushed via Group Policy. Is that something I can do? Would greatly appreciate any help.
So the scenario: if I had a machine and it lost its trust with the domain, I would need a machine admin account to get back into it. How do I set up the admin account from Group Policy instead of going to each machine and setting it up individually?
Regards
Answers (4)
Posted by:
anonymous_9363
7 years ago
I had to wait a whole 0.66 seconds for Google to get me that. Damned inconvenient if you ask me!
Comments:
-
I'm not against snarky answers generally. But the link you provided does not answer the question asked. Wrong answers and snark just don't look good together. - MichaelMc 7 years ago
-
What are you talking about? This has nothing to do with my question... - rich piano 7 years ago
Posted by:
anonymous_9363
7 years ago
>Wrong answers and snark just don't look good together.
Like so many here, you've missed the point.
I *could* have posted this link (0.59 seconds) but:
- I do pretty much everything like this by script, mostly because I like to log success and failure of actions, rather than leave things to chance, especially when management has a tendency to ask questions like "How many machines now have the local admin account?" I don't want to answer, "Well, I set up the GP so we'll just have to wait indefinitely until they're all done."
- one kind of hopes that the OP gets a clue and next time tries to help themselves before asking basic questions.
Comments:
-
I did consider the fact that you could script adding a local admin account quite easily using the method you linked. However, the script would have to contain the local administrator password in the batch file. In plain text. Running such a script securely is not a trivial task.
By the way, your second link also does not satisfy the original request. Those instructions add a domain group, domain account, or already existing local account to the local admin group. What is wanted here is creating a new local account and adding that to the local admin group. - MichaelMc 7 years ago
-
>Those instructions add a domain group, domain account, or already existing local account to the local admin group
Yeah, because adding a domain account is so wildly different to adding a local account, isn't it? What with that and the almost impossible task of looking up the command syntax for the NET command...what was I thinking? - anonymous_9363 7 years ago
-
Dude, shut up, your acting all high and mighty and yet you don't even have a clue on what my question is... Some of us might just be starting out, others might just have limited experience. We are not all experts; that's why these forums are here, to assist those who have questions. Grow up, AH - rich piano 7 years ago
-
[your] you're
So here are the next steps that a professional person would've taken.
- Read between the lines of the content that was linked to.
- Grasp the inference that one could build a script to perform the job
- Build, test and deploy the script - anonymous_9363 7 years ago
Posted by:
MichaelMc
7 years ago
We used to do this using Group Policy Preferences, but this method has been deprecated by Microsoft and is disabled. See https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/ for details.
The best current solution I've been able to find is a PowerShell script posted to MSDN at https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789. It appears to require software which has a licensing fee if used for more than 25 computers, which, for me, is not worth the price. YMMV.
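Added example (not part of the original thread or of the linked Microsoft material): a PowerShell audit for the problem MS14-025 addresses, passwords saved in Group Policy Preferences XML as a `cpassword` attribute. The function name, the sample file and its placeholder value are constructed for illustration; point `-Path` at your own SYSVOL Policies folder.

```powershell
# Added example: list Group Policy Preferences items that still store a password.
# It reports where a cpassword attribute exists; it never reads or decodes the value.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Folder to scan, e.g. the Policies folder under your domain's SYSVOL share
        [Parameter(Mandatory)][string]$Path
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }

            # Any element with a non-empty cpassword attribute (Groups.xml keeps it on <Properties>)
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File     = $file.FullName
                    Item     = $node.ParentNode.LocalName     # element type, e.g. User
                    UserName = $node.GetAttribute('userName') # empty if the item type has none
                    Changed  = $node.ParentNode.changed       # last edit time recorded in the XML
                }
            }
        }
}

# Constructed sample: one preference file holding a placeholder, not a real encrypted value
$demo = Join-Path ([IO.Path]::GetTempPath()) ("gpp-audit-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml') -Encoding UTF8

Find-GppStoredPassword -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Any row returned means a password is still saved in a policy file; remove that preference item from the GPO and change the account's password.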
Posted by:
anonymous_9363
7 years ago
>What is wanted here is creating a new local account and adding that to the local admin group.
...which would be beyond the OP's skill-set?
>Running such a script securely is not a trivial task.
Not really. The details could be concealed in an ADS referenced by the script, or the script could be obfuscated by converting it to an EXE.
I did neither. I built a tool (an HTA) that can walk an AD group or an OU and run any command of my choosing against machines found therein, logging success or failure at different levels (e.g. machine not responding to PINGs, action failed, etc., etc.) Groups and/or individual machines can be excluded. It can run the command on the admin workstation or on the target machine itself. It can be set to execute at a future date and/or time and it can export its results to Excel.
It can be found using Google.
Comments:
-
"It can be found using Google."
So instead of providing a link to that result, you chose to offer links to two other Google search results which don't answer the question. An interesting choice. - MichaelMc 7 years ago
-
The guy is a typical arrogant AH, don't bother - rich piano 7 years ago