Solved Unattend - Set domain user as local administrator
-
Adding local accounts and domain accounts to the unattend file is straight forward. However I am having trouble giving a domain account local administrator rights.
I can add domain username as a local user account in Administrators group, but its not quite right, the Domain needs to be set to the Domain, not the local computer name
Doing it manually to each computer is obviously not desirable<UserAccounts> <AdministratorPassword> <Value>xxxxxxxxxxxxxxxxxx</Value> <PlainText>false</PlainText> </AdministratorPassword> <LocalAccounts> <LocalAccount wcm:action="add"> <Description>LocalAdministrator</Description> <DisplayName>Administrator</DisplayName> <Group>Administrators</Group> <Name>Administrator</Name> </LocalAccount> <LocalAccount wcm:action="add"> <Password> <Value>xxxxxxxxxxxxxxxxxxxxxxxxxxx</Value> <PlainText>false</PlainText> </Password> <Description>Production local admin</Description> <DisplayName>Production</DisplayName> <Group>Administrators</Group> <Name>Production</Name> </LocalAccount> <LocalAccount wcm:action="add"> <Description>Bobs account</Description> <DisplayName>bob.smith</DisplayName> <Group>Administrators</Group> <Name>bob.smith</Name> </LocalAccount> <LocalAccount wcm:action="add"> <Password> <Value>UgBlAGQARABvAGcANwBQAGEAcwBzAHcAbwByAGQA</Value> <PlainText>false</PlainText> </Password> <Description>temp</Description> <DisplayName>temp</DisplayName> <Group>Administrators</Group> <Name>temp</Name> </LocalAccount> </LocalAccounts> <DomainAccounts> <DomainAccountList wcm:action="add"> <DomainAccount wcm:action="add"> <Group>Administrators</Group> <Name>bob.smith</Name> </DomainAccount> <DomainAccount wcm:action="add"> <Group>Administrators</Group> <Name>production</Name> </DomainAccount> <Domain>elexon</Domain> </DomainAccountList> </DomainAccounts> </UserAccounts>``` -
We do that with a GPO. Even with groups from a trusted domain.
-
@Wayne-Workman The section I provided makes a (normal) domain account a local admin. We do this to allow applications like pdq deploy and other utilities admin access to the workstation without using a domain level admin account.
-
@george1421 Does this make them a domain admin or just an admin over the local pc ?
Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
Daily Clean Installation Results:
https://fogtesting.fogproject.us/
FOG Reporting:
https://fog-external-reporting-results.fogproject.us/ -
This is precisely what we use (which appears to be in your unattend.xml file. I can say for sure this below works in Win7.
<UserAccounts> <DomainAccounts> <DomainAccountList wcm:action="add"> <DomainAccount wcm:action="add"> <Group>Administrators</Group> <Name>joe_sombody</Name> </DomainAccount> <Domain>domain.com</Domain> </DomainAccountList> </DomainAccounts> </UserAccounts>Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
-
When I want to give a user Administrative privileges to a specific computer, I do it locally on that computer. Using the gui in Win7 classic view, inside of
Control Panel -> User Accounts -> Manage User Accounts -> Advanced tab -> Advanced -> Groups -> Administrators -> Add -> Querry the user's domain name -> Click Apply and OK till you're out of all the windows.If you can find a scripting solution for that, that’d be great.
