
Local administrators


Thomas Fischbach

Question

8 answers to this question


  • 1

Hi all,

 

We use GPO for this, User Configuration > Preferences > Control Panel Settings > Local Users and Groups:

 


 

It will require a logoff when the user has first logged on to the desktop, but you can't avoid this, that's just how group membership works in Windows.

To make that a little more user friendly, you could have a "RunOnce" item in your image that logs the user off, maybe even displays a fullscreen browser window that goes to a webpage explaining that the user is being logged off and that they need to logon again to gain Administrative rights.

 

Alternatively, you could remotely run PSEXEC or a PowerShell script that fetches the username that is assigned to the static desktop, then adds that to the local Administrators group. See here for more info:

https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/

You could execute that together with assigning the user to the static desktop, providing you have automated that step.

That would avoid the user not having Administrative rights on the first logon.

 

Best,

 

Koenraad

  • Like 2
Link to comment
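The remote approach described in the post above, as an added example that is not part of the original post or the linked article. It reads the assigned user of each static desktop from the Citrix Broker SDK, adds that user to the local Administrators group over PowerShell remoting, and reports any other domain principal found in the group, which covers the thread's requirement that a user is admin only on their own desktop. The delivery group name `Static-Desktops`, the baseline list and WinRM being enabled on the desktops are assumptions.

```powershell
#Requires -Version 5.1
# Added example. Run on a machine with the Citrix Broker SDK (e.g. a Delivery Controller).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

$DeliveryGroup = 'Static-Desktops'            # assumption: name of the static delivery group
$AdminsSid     = 'S-1-5-32-544'               # well-known SID of BUILTIN\Administrators
$Baseline      = @('CONTOSO\Domain Admins')   # assumption: principals allowed on every desktop

# Only desktops that already have a user assigned
$machines = Get-BrokerMachine -DesktopGroupName $DeliveryGroup -MaxRecordCount 10000 |
    Where-Object { $_.AssociatedUserNames }

$report = foreach ($m in $machines) {
    $assigned = @($m.AssociatedUserNames)     # DOMAIN\user of the assigned user(s)
    try {
        Invoke-Command -ComputerName $m.DNSName -ErrorAction Stop `
            -ArgumentList $assigned, $AdminsSid, $Baseline -ScriptBlock {
                param($Assigned, $Sid, $Baseline)
                $before = @(Get-LocalGroupMember -SID $Sid)
                $added  = @()
                foreach ($user in $Assigned) {
                    if ($before.Name -notcontains $user) {
                        Add-LocalGroupMember -SID $Sid -Member $user
                        $added += $user
                    }
                }
                # Domain principals that are neither the assigned user nor baseline
                $allowed    = @($Assigned) + @($Baseline)
                $unexpected = @($before |
                    Where-Object { $_.PrincipalSource -ne 'Local' -and $allowed -notcontains $_.Name } |
                    ForEach-Object { $_.Name })
                [pscustomobject]@{
                    Desktop    = $env:COMPUTERNAME
                    Added      = $added -join ', '
                    Unexpected = $unexpected -join ', '
                }
            }
    } catch {
        [pscustomobject]@{ Desktop = $m.DNSName; Added = ''; Unexpected = "ERROR: $($_.Exception.Message)" }
    }
}

# Membership takes effect at the user's next logon, so run this before first use.
$report | Select-Object Desktop, Added, Unexpected | Format-Table -AutoSize
```

Run it from the same automation that assigns the user to the desktop; rows with a non-empty `Unexpected` column are the ones to review.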
  • 0

Why not just add your AD user group to the local admin group? Since your static desktops are assigned to a user, they can only log on to their desktop. You could also add just the corresponding AD user to the local admin group on every desktop, but I think that's not necessary.

Link to comment
  • 0

I'm facing the same here. If I add %username% to the local admins using a login script (or let's say: replace all group members with the local administrator account, domain admin group and %username%) - then the user won't be able to act as an administrator because he has to re-login, I believe.

 

I'm thinking about a solution using the NT Authority Interactive group but that could lead to the same security issue.

 

Any ideas?

Link to comment
  • 0
On 7/28/2016 at 3:16 AM, Thomas Fischbach said:

We have static assigned desktops and want the user to be local administrator of their desktop.

- User should only be admin on their own desktop, not on any other

- I don't like the idea to do this via a logonscript

- user+password is visible to everyone

 

I have created VMs using Machine Creation Services. I spun out a couple of desktops and added them as static. But I am unable to add the user to the local administrator group. The way I spun out the VMs is by creating a template of the golden image, so will I be able to modify it?

Link to comment
  • 0
On 2/18/2020 at 2:17 AM, Koenraad Willems said:

Hi all,

 

We use GPO for this, User Configuration > Preferences > Control Panel Settings > Local Users and Groups:

 


 

It will require a logoff when the user has first logged on to the desktop, but you can't avoid this, that's just how group membership works in Windows.

To make that a little more user friendly, you could have a "RunOnce" item in your image that logs the user off, maybe even displays a fullscreen browser window that goes to a webpage explaining that the user is being logged off and that they need to logon again to gain Administrative rights.

 

Alternatively, you could remotely run PSEXEC or a PowerShell script that fetches the username that is assigned to the static desktop, then adds that to the local Administrators group. See here for more info:

https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/

You could execute that together with assigning the user to the static desktop, providing you have automated that step.

That would avoid the user not having Administrative rights on the first logon.

 

Best,

 

Koenraad

 

I go to desktop in OU and I go to manage and add go to local users and computers \ Groups \ Administrator and I added the user, and after the reboot it just does not stay. These are persistent desktops.

Link to comment
  • 0

Hi,

 

On 2/21/2020 at 8:18 PM, John Francis1709160537 said:

 

I go to desktop in OU and I go to manage and add go to local users and computers \ Groups \ Administrator and I added the user, and after the reboot it just does not stay. These are persistent desktops.

 

Although technically, your method should work, I would use a GPO for this, because in your method, you'd have to apply this to each desktop individually.

See this page for some info on how to create and link a GPO:

https://www.dummies.com/programming/networking/network-administration-creating-group-policy-objects/

Since this is a User Configuration, you need to apply the GPO to the OU with the users in. Alternatively, you can add it on the OU with the computers (desktops), but then you have to use Loopback Processing:

https://www.mustbegeek.com/how-to-enable-gpo-loopback-processing/#.XlGTQhNKiL4

 

Best,

 

Koenraad

Link to comment
