A bit more challenging - Batch script to add domain user to local administrator group Windows 7

StackOverflow https://stackoverflow.com/questions/19780418

03-07-2022

Question

I would like to write a script that will add a domain user to the local administrator group. I already tried

NET LOCALGROUP Administrators "domain\domainuser" /ADD

but I get the Access Denied error.

The problem is that if I want to run it as a domain user, it does not have local admin rights, and if as local admin, it does not have access to the domain names. (I don't want to use domain admin.)

If I manually right click the computer icon, then Manage, I type in the computer name/local admin user/pass, then in Local Users and Groups -> Groups folder I want to add the user to Administrators, I am prompted to log in again. If I log in then with a domain user, it works.

My question is, is it possible to do the same (or something similar) with a batch script?


Solution 2

I have solved it another way, using 2 batch files. So I give you my code:

This one creates a folder in c:, then it creates a text file, it copies the name of the current user into it, then the other batch file into the same folder, and finally runs it as local admin. If you write the password correctly (the password will not appear as " * " when you write it):

rem Work folder for the hand-off to the local admin process
mkdir c:\tempfiles$
rem Create an empty file, then write the current (domain) user name into it
break>c:\tempfiles$\temp.txt
>> "c:\tempfiles$\temp.txt" echo %username%
rem Copy admin.bat next to it so runas starts it from a local path (mapped drives fail)
copy "%~dp0admin.bat" "c:\tempfiles$"
rem Run admin.bat as the local admin account; runas prompts for the password (nothing is echoed)
runas /noprofile /env /user:%computername%\<LOCAL ADMIN USER> "C:\tempfiles$\admin.bat"
pause
rem Remove the folder and the file holding the user name
rmdir /s /q "c:\tempfiles$"

The admin.bat takes the user name written in the text file (if this wasn't there, it would take the %username% as the local admin username to add, because we run it as the local admin). The copy of the batch file is only necessary so you can run it from anywhere. For example, if you had it on a server's mapped drive it would not work.

rem Read the domain user name left by the first script (without it, %username% here
rem would be the local admin account this script runs as)
set /p u=<c:\tempfiles$\temp.txt
net localgroup Administrators /add <DOMAIN NAME>\%u%

I have tried it on multiple computers; on most of them, it runs. On some of the computers it does not, probably because of the local policy of my company. I have not figured that out yet.

For any questions or suggestions, feel confident to write your opinion.
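
The same hand-off as Solution 2, written here as an added PowerShell example (not code from the question or the answers): the local admin account runs the add, but the user name travels on the command line instead of through a world-readable file under C:\, and membership is checked first so a second run is harmless. The check uses the WinNT ADSI provider (the same interface as the vbs tip below), so it does not need the LocalAccounts module that Windows 7 lacks. Assumptions: the local admin account name passed in `-LocalAdmin` is a placeholder, and the account receives a full administrative token when started this way, which is the same assumption the answer's runas line makes.

```powershell
# Added example: add a domain user to a local group via a local admin account.
# Placeholders: -LocalAdmin (the local admin account), not values from the original post.

function Test-LocalGroupMember {
    param([string]$Group, [string]$Domain, [string]$User)
    # WinNT ADSI provider: works on Windows 7 without RSAT or the LocalAccounts module
    $grp = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $paths = @($grp.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    # members are reported as WinNT://DOMAIN/user; -contains is case-insensitive
    return [bool]($paths -contains "WinNT://$Domain/$User")
}

function Add-DomainUserToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$LocalAdmin,   # e.g. "$env:COMPUTERNAME\localadmin" (placeholder)
        [string]$Domain = $env:USERDOMAIN,           # caller's domain (NetBIOS name)
        [string]$User   = $env:USERNAME,             # caller's account, as in the answer's %username%
        [string]$Group  = 'Administrators'
    )
    if (Test-LocalGroupMember -Group $Group -Domain $Domain -User $User) {
        Write-Host "$Domain\$User is already a member of $Group"
        return $true
    }
    # Command the local admin process will run; -EncodedCommand sidesteps quoting problems
    $cmd     = "net localgroup `"$Group`" `"$Domain\$User`" /add"
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
    $cred    = Get-Credential -UserName $LocalAdmin -Message 'Local administrator password'
    # A local -WorkingDirectory matters: Start-Process -Credential fails when the current
    # directory is a mapped drive, the same symptom the answer worked around by copying admin.bat
    Start-Process -FilePath 'powershell.exe' -Credential $cred -WorkingDirectory $env:SystemRoot `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded -Wait
    # Re-check from the caller's context; reading local group membership needs no admin rights
    $ok = Test-LocalGroupMember -Group $Group -Domain $Domain -User $User
    if ($ok) { Write-Host "Added $Domain\$User to $Group" } else { Write-Warning "Failed to add $Domain\$User to $Group" }
    return $ok
}

# Usage (replace the placeholder account):
# Add-DomainUserToLocalGroup -LocalAdmin "$env:COMPUTERNAME\localadmin"
```

The function returns `$true` only when the caller can see the membership afterwards, so a policy that blocks the add (the case the answer mentions on some machines) shows up as a `$false` return and a warning rather than a silent success.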

Other tips

Maybe, from vbs

' Bind to the local Administrators group through the WinNT ADSI provider and add the domain account
GetObject("WinNT://" & WScript.CreateObject("WScript.Network").ComputerName & "/Administrators,group").Add "WinNT://DomainName/UserName,user"

The purpose of this batch file is to get the domain group members and add them to a local group. You must right click this file and select Run as Administrator.

@echo off
setlocal
set /p v1=[Enter Domain Group Name]
set /p v2=[Enter domain name: xxx.com ]
set /p v3=[Enter Localgroup "Name"]

rem "net group ... /domain" prints header lines, then the members in three columns,
rem then "The command completed successfully." Each loop reads one column, and the
rem "neq" test drops the word that column holds on that final line.
For /F "skip=8 tokens=1 delims= " %%G IN ('net group %v1% /domain') ^
DO if %%G neq The net localgroup %v3% %v2%\%%G /add
timeout /t 1

For /F "skip=8 tokens=2 delims= " %%G IN ('net group %v1% /domain') ^
DO if %%G neq command net localgroup %v3% %v2%\%%G /add
timeout /t 1

For /F "skip=8 tokens=3 delims= " %%G IN ('net group %v1% /domain') ^
DO if %%G neq completed net localgroup %v3% %v2%\%%G /add
timeout /t 1
endlocal
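
The batch loops above depend on `skip=8` and on the words of the closing line to tell members apart from the header and footer. As an added PowerShell example (not from the answer), the block below parses the `net group` output by pattern instead: the member list starts after the dashed line and ends at "The command completed", each line is split on runs of two or more spaces so the three padded columns come apart without breaking names, and members already in the local group are skipped. The sample output at the end is constructed, not captured from a real domain; the add step still uses `net.exe`, so the script runs on Windows 7.

```powershell
# Added example: sync a domain group into a local group with a pattern-based parser
# for net.exe output. The sample below is constructed for trying the parser offline.

function ConvertFrom-NetGroupOutput {
    param([string[]]$Lines)
    $members = New-Object System.Collections.Generic.List[string]
    $inBody  = $false
    foreach ($line in $Lines) {
        # header ends at the dashed separator line
        if (-not $inBody) { if ($line -match '^-{10,}') { $inBody = $true }; continue }
        # footer: "The command completed successfully."
        if ($line -match '^The command completed') { break }
        if ($line.Trim() -eq '') { continue }
        # net.exe prints members in whitespace-padded columns; split on 2+ spaces so
        # a name containing a single space (e.g. "CONTOSO\Domain Admins") stays whole
        foreach ($name in ($line.Trim() -split '\s{2,}')) {
            if ($name) { $members.Add($name) }
        }
    }
    return $members.ToArray()
}

function Get-LocalGroupMemberNames {
    param([string]$Group)
    # "net localgroup" uses the same layout, so the same parser applies
    ConvertFrom-NetGroupOutput -Lines (net localgroup $Group)
}

function Sync-DomainGroupToLocalGroup {
    param(
        [Parameter(Mandatory)][string]$DomainGroup,
        [Parameter(Mandatory)][string]$Domain,       # NetBIOS domain name, as net.exe reports members
        [string]$LocalGroup = 'Administrators'
    )
    $domainMembers = ConvertFrom-NetGroupOutput -Lines (net group $DomainGroup /domain)
    $localMembers  = Get-LocalGroupMemberNames -Group $LocalGroup
    foreach ($m in $domainMembers) {
        $qualified = "$Domain\$m"
        if ($localMembers -contains $qualified) {
            Write-Host "skip  $qualified (already a member of $LocalGroup)"
            continue
        }
        net localgroup $LocalGroup $qualified /add | Out-Null
        if ($LASTEXITCODE -eq 0) { Write-Host "added $qualified" }
        else { Write-Warning "failed to add $qualified (net exit code $LASTEXITCODE)" }
    }
}

# Constructed sample of what "net group <name> /domain" prints, to exercise the parser offline
$sample = @'
Group name     Workstation Admins
Comment        Staff allowed to administer their own PCs

Members

-------------------------------------------------------------------------------
alice                    bob                      carol
dave
The command completed successfully.
'@ -split "`r?`n"

ConvertFrom-NetGroupOutput -Lines $sample

# Live usage, from an elevated prompt (placeholders):
# Sync-DomainGroupToLocalGroup -DomainGroup 'Workstation Admins' -Domain 'CONTOSO'
```

Because the local membership is read first and compared, re-running the sync only adds accounts that are missing, and a failed `net localgroup` call is reported with its exit code instead of scrolling past in a loop.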

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow