Thomas Fischbach, posted July 28, 2016:

We have statically assigned desktops and want the user to be local administrator of their desktop.
- User should only be admin on their own desktop, not on any other
- I don't like the idea of doing this via a logon script
- user+password is visible to everyone
Koenraad Willems, posted February 18, 2020:

Hi all,

We use GPO for this: User Configuration > Preferences > Control Panel Settings > Local Users and Groups.

It will require a logoff when the user has first logged on to the desktop, but you can't avoid this; that's just how group membership works in Windows. To make that a little more user friendly, you could have a "RunOnce" item in your image that logs the user off, maybe even displays a fullscreen browser window that goes to a webpage explaining that the user is being logged off and that they need to log on again to gain administrative rights.

Alternatively, you could remotely run PSEXEC or a PowerShell script that fetches the username that is assigned to the static desktop, then adds that to the local Administrators group. See here for more info: https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/

You could execute that together with assigning the user to the static desktop, providing you have automated that step. That would avoid the user not having administrative rights on the first logon.

Best,
Koenraad
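The remote-script approach above, as an added example that is not from this thread or from any Citrix tooling: it reconciles the local Administrators group on each static desktop so that only the assigned user (plus a fixed allow-list) remains a member, which also covers the case where a desktop is reassigned. It assumes PowerShell 5.1+ on the desktops, WinRM enabled, and a constructed desktop-to-user mapping; the hashtable, computer names and accounts are invented.

```powershell
# Added example (not from the thread). Reconcile the local Administrators group on
# each statically assigned desktop so that only the assigned user and a fixed
# allow-list are members. Assumes PowerShell 5.1+ on the desktops
# (Add/Remove/Get-LocalGroupMember) and WinRM reachable from the admin host.
# In a Citrix environment the mapping could instead be pulled from the Broker SDK
# (e.g. Get-BrokerMachine); that part is not shown here.

# Constructed sample mapping: computer name -> assigned domain user.
$Assignments = @{
    'VDI-001' = 'CORP\alice'
    'VDI-002' = 'CORP\bob'
}

# Members that must always stay in Administrators regardless of assignment.
$AlwaysKeep = @('CORP\Domain Admins')

$Reconcile = {
    param([string]$AssignedUser, [string[]]$Keep)

    $group   = 'Administrators'
    $desired = @($Keep) + $AssignedUser

    # Current domain/cloud members only; built-in local accounts are left untouched.
    $current = @(Get-LocalGroupMember -Group $group |
        Where-Object { $_.PrincipalSource -ne 'Local' } |
        Select-Object -ExpandProperty Name)

    foreach ($m in $current) {
        if ($desired -notcontains $m) {
            # Drop anyone (e.g. a previously assigned user) who should no longer be admin.
            Remove-LocalGroupMember -Group $group -Member $m -ErrorAction Stop
        }
    }
    if ($current -notcontains $AssignedUser) {
        Add-LocalGroupMember -Group $group -Member $AssignedUser -ErrorAction Stop
    }

    # Return the final membership so the caller can log what changed.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Members  = (Get-LocalGroupMember -Group $group).Name -join ';'
    }
}

foreach ($computer in $Assignments.Keys) {
    Invoke-Command -ComputerName $computer -ScriptBlock $Reconcile `
        -ArgumentList $Assignments[$computer], $AlwaysKeep
}
```

As the post notes, the change only reaches the user's access token at the next logon, so run this at assignment time rather than on a timer. Keeping the script's output lets you audit which accounts hold local admin on which desktop.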
Rene Bigler, posted July 28, 2016:

Why not just add your AD user group to the local admin group? Since your static desktops are assigned to a user, they can only log on to their own desktop. You could also add just the corresponding AD user to the local admin group on every desktop, but I think that's not necessary.
Thomas Fischbach (author), posted July 29, 2016:

If I add the AD user group to the local admin group, then they can access all desktops (via RDP, CIFS, etc.). Adding just the corresponding AD user is what I want, but I don't want to do it manually.
Thomas Fischbach (author), posted August 8, 2016:

How do other people solve this? I thought about a remote PowerShell script to run periodically to add the assigned user to the Administrators group. But when we are in production and have a lot of desktops, I guess it is not the best idea to run such a script every x minutes.
Bastian Forster, posted January 2, 2018:

I'm facing the same here. If I add %username% to the local admins using a login script (or let's say: replace all group members with the local Administrator account, the Domain Admins group and %username%), then the user won't be able to act as an administrator because he has to re-login, I believe. I'm thinking about a solution using the NT AUTHORITY\INTERACTIVE group, but that could lead to the same security issue. Any ideas?
John Francis1709160537, posted February 17, 2020:

On 7/28/2016 at 3:16 AM, Thomas Fischbach said:
    We have statically assigned desktops and want the user to be local administrator of their desktop.
    - User should only be admin on their own desktop, not on any other
    - I don't like the idea of doing this via a logon script
    - user+password is visible to everyone

I have created VMs using Machine Creation Services. I spun out a couple of desktops and added them as static. But I am unable to add the user to the local Administrators group. The way I spun out the VMs is by creating a template of the golden image, so will I be able to modify it?
John Francis1709160537, posted February 21, 2020 (edited):

On 2/18/2020 at 2:17 AM, Koenraad Willems said:
    Hi all,
    We use GPO for this: User Configuration > Preferences > Control Panel Settings > Local Users and Groups.
    It will require a logoff when the user has first logged on to the desktop, but you can't avoid this; that's just how group membership works in Windows. To make that a little more user friendly, you could have a "RunOnce" item in your image that logs the user off, maybe even displays a fullscreen browser window that goes to a webpage explaining that the user is being logged off and that they need to log on again to gain administrative rights.
    Alternatively, you could remotely run PSEXEC or a PowerShell script that fetches the username that is assigned to the static desktop, then adds that to the local Administrators group. See here for more info: https://4sysops.com/archives/add-a-user-to-the-local-administrators-group-on-a-remote-computer/
    You could execute that together with assigning the user to the static desktop, providing you have automated that step. That would avoid the user not having administrative rights on the first logon.
    Best,
    Koenraad

I go to the desktop in the OU, go to Manage, then go to Local Users and Computers \ Groups \ Administrator, and I added the user, and after the reboot it just does not stay. These are persistent desktops.
Koenraad Willems, posted February 22, 2020:

Hi,

On 2/21/2020 at 8:18 PM, John Francis1709160537 said:
    I go to the desktop in the OU, go to Manage, then go to Local Users and Computers \ Groups \ Administrator, and I added the user, and after the reboot it just does not stay. These are persistent desktops.

Although technically your method should work, I would use a GPO for this, because with your method you'd have to apply this to each desktop individually. See this page for some info on how to create and link a GPO: https://www.dummies.com/programming/networking/network-administration-creating-group-policy-objects/

Since this is a User Configuration, you need to apply the GPO to the OU containing the users. Alternatively, you can add it on the OU with the computers (desktops), but then you have to use loopback processing: https://www.mustbegeek.com/how-to-enable-gpo-loopback-processing/#.XlGTQhNKiL4

Best,
Koenraad