Unattend - Set domain user as local administrator



  • Adding local accounts and domain accounts to the unattend file is straightforward. However, I am having trouble giving a domain account local administrator rights.
    I can add a domain username as a local user account in the Administrators group, but it's not quite right: the Domain needs to be set to the domain, not the local computer name.
    Doing it manually on each computer is obviously not desirable.

    <UserAccounts>
      <AdministratorPassword>
        <Value>xxxxxxxxxxxxxxxxxx</Value>
        <PlainText>false</PlainText>
      </AdministratorPassword>
      <LocalAccounts>
        <LocalAccount wcm:action="add">
          <Description>LocalAdministrator</Description>
          <DisplayName>Administrator</DisplayName>
          <Group>Administrators</Group>
          <Name>Administrator</Name>
        </LocalAccount>
        <LocalAccount wcm:action="add">
          <Password>
            <Value>xxxxxxxxxxxxxxxxxxxxxxxxxxx</Value>
            <PlainText>false</PlainText>
          </Password>
          <Description>Production local admin</Description>
          <DisplayName>Production</DisplayName>
          <Group>Administrators</Group>
          <Name>Production</Name>
        </LocalAccount>
        <LocalAccount wcm:action="add">
          <Description>Bobs account</Description>
          <DisplayName>bob.smith</DisplayName>
          <Group>Administrators</Group>
          <Name>bob.smith</Name>
        </LocalAccount>
        <LocalAccount wcm:action="add">
          <Password>
            <Value>UgBlAGQARABvAGcANwBQAGEAcwBzAHcAbwByAGQA</Value>
            <PlainText>false</PlainText>
          </Password>
          <Description>temp</Description>
          <DisplayName>temp</DisplayName>
          <Group>Administrators</Group>
          <Name>temp</Name>
        </LocalAccount>
      </LocalAccounts>
      <DomainAccounts>
        <DomainAccountList wcm:action="add">
          <DomainAccount wcm:action="add">
            <Group>Administrators</Group>
            <Name>bob.smith</Name>
          </DomainAccount>
          <DomainAccount wcm:action="add">
            <Group>Administrators</Group>
            <Name>production</Name>
          </DomainAccount>
          <Domain>elexon</Domain>
        </DomainAccountList>
      </DomainAccounts>
    </UserAccounts>


  • We do that with a GPO. Even with groups from a trusted domain.


  • Moderator

    @Wayne-Workman The section I provided makes a (normal) domain account a local admin. We do this to allow applications like pdq deploy and other utilities admin access to the workstation without using a domain level admin account.


  • Moderator

    @george1421 Does this make them a domain admin or just an admin over the local pc ?


  • Moderator

    This is precisely what we use (which appears to be in your unattend.xml file). I can say for sure this below works in Win7.

    <UserAccounts>
      <DomainAccounts>
        <DomainAccountList wcm:action="add">
          <DomainAccount wcm:action="add">
            <Group>Administrators</Group>
            <Name>joe_sombody</Name>
          </DomainAccount>
          <Domain>domain.com</Domain>
        </DomainAccountList>
      </DomainAccounts>
    </UserAccounts>
    

  • Moderator

    @Rusty

    When I want to give a user Administrative privileges to a specific computer, I do it locally on that computer. Using the GUI in Win7 classic view, inside of Control Panel -> User Accounts -> Manage User Accounts -> Advanced tab -> Advanced -> Groups -> Administrators -> Add -> Query the user's domain name -> Click Apply and OK till you're out of all the windows.

    If you can find a scripting solution for that, that’d be great.
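A per-machine scripting equivalent of the DomainAccounts section above, added here as an example; it is not code from the thread or from the FOG Project. It adds one domain principal to the local Administrators group on the machine it runs on and then lists the resulting membership so the change can be reviewed. It assumes the machine is already domain-joined, the script runs from an elevated prompt, and the domain and principal names (CONTOSO, Workstation-Admins) are placeholders to replace with your own. It uses the WinNT ADSI provider rather than Add-LocalGroupMember so that it also works on Windows 7 / PowerShell 2.0, which the thread is about.

```powershell
<#
  Added example, not from the thread or the FOG Project: add a domain
  principal to the local Administrators group and verify the result.
  Assumes a domain-joined machine, an elevated session, and placeholder
  names for the domain and principal.
#>
param(
    [string]$Domain    = "CONTOSO",             # placeholder NetBIOS domain name
    [string]$Principal = "Workstation-Admins",  # placeholder; a domain group is easier to audit than per-user entries
    [ValidateSet("user", "group")]
    [string]$Type      = "group"
)

# The WinNT provider works on Windows 7 / PowerShell 2.0 as well as newer builds,
# unlike Add-LocalGroupMember, which needs PowerShell 5.1 or later.
$administrators = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$memberPath     = "WinNT://$Domain/$Principal"

function Get-LocalAdminPaths {
    # Returns the ADsPath of every current member, e.g. WinNT://CONTOSO/bob.smith
    @($administrators.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    })
}

# Check membership first so re-running the script on an already-configured
# machine is harmless (string comparison in PowerShell is case-insensitive).
if (Get-LocalAdminPaths | Where-Object { $_ -eq $memberPath }) {
    Write-Output "$Domain\$Principal is already a member of Administrators."
} else {
    # Throws if the principal cannot be resolved against the domain, which is
    # the failure you want to see rather than a silently unchanged group.
    $administrators.Add("$memberPath,$Type")
    Write-Output "Added $Domain\$Principal to Administrators."
}

# Emit the final membership so it can be logged or compared against the expected list.
Write-Output "Current members of Administrators:"
Get-LocalAdminPaths | ForEach-Object { $_ -replace '^WinNT://', '' }
```

Run it as `.\Add-LocalAdmin.ps1 -Domain CONTOSO -Principal Workstation-Admins -Type group` from an elevated PowerShell prompt on the target machine; use `-Type user` for a single account such as the bob.smith entry in the unattend file above. Adding a domain group rather than individual users keeps local membership stable while people come and go, and the GPO approach mentioned earlier in the thread is the scalable way to enforce the same membership across a fleet. One caveat on the unattend.xml itself: a `<Value>` with `<PlainText>false</PlainText>` is base64-encoded, not encrypted, so a copy of the file left readable on the deployed machine or on a share exposes every password in it.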

