Unattend - Set domain user as local administrator
-
Adding local accounts and domain accounts to the unattend file is straightforward. However, I am having trouble giving a domain account local administrator rights.
I can add the domain username as a local user account in the Administrators group, but it's not quite right: the Domain needs to be set to the Domain, not the local computer name.
Doing it manually to each computer is obviously not desirable.

```xml
<UserAccounts>
  <AdministratorPassword>
    <Value>xxxxxxxxxxxxxxxxxx</Value>
    <PlainText>false</PlainText>
  </AdministratorPassword>
  <LocalAccounts>
    <LocalAccount wcm:action="add">
      <Description>LocalAdministrator</Description>
      <DisplayName>Administrator</DisplayName>
      <Group>Administrators</Group>
      <Name>Administrator</Name>
    </LocalAccount>
    <LocalAccount wcm:action="add">
      <Password>
        <Value>xxxxxxxxxxxxxxxxxxxxxxxxxxx</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>Production local admin</Description>
      <DisplayName>Production</DisplayName>
      <Group>Administrators</Group>
      <Name>Production</Name>
    </LocalAccount>
    <LocalAccount wcm:action="add">
      <Description>Bobs account</Description>
      <DisplayName>bob.smith</DisplayName>
      <Group>Administrators</Group>
      <Name>bob.smith</Name>
    </LocalAccount>
    <LocalAccount wcm:action="add">
      <Password>
        <Value>UgBlAGQARABvAGcANwBQAGEAcwBzAHcAbwByAGQA</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>temp</Description>
      <DisplayName>temp</DisplayName>
      <Group>Administrators</Group>
      <Name>temp</Name>
    </LocalAccount>
  </LocalAccounts>
  <DomainAccounts>
    <DomainAccountList wcm:action="add">
      <DomainAccount wcm:action="add">
        <Group>Administrators</Group>
        <Name>bob.smith</Name>
      </DomainAccount>
      <DomainAccount wcm:action="add">
        <Group>Administrators</Group>
        <Name>production</Name>
      </DomainAccount>
      <Domain>elexon</Domain>
    </DomainAccountList>
  </DomainAccounts>
</UserAccounts>
```
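An added check, not part of this thread, that parses a `UserAccounts` fragment of the shape shown above and reports which names will be created as separate local administrator accounts even though a domain account of the same name is also listed (the overlap that makes the domain user look like a local one). The XML sample and the domain `example.local` are constructed; the namespace URIs are the standard unattend ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the fragment above (not the poster's real file).
UNATTEND_FRAGMENT = """<unattend xmlns="urn:schemas-microsoft-com:unattend"
    xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <UserAccounts>
      <LocalAccounts>
        <LocalAccount wcm:action="add"><Group>Administrators</Group><Name>Production</Name></LocalAccount>
        <LocalAccount wcm:action="add"><Group>Administrators</Group><Name>bob.smith</Name></LocalAccount>
        <LocalAccount wcm:action="add"><Group>Users</Group><Name>temp</Name></LocalAccount>
      </LocalAccounts>
      <DomainAccounts>
        <DomainAccountList wcm:action="add">
          <DomainAccount wcm:action="add"><Group>Administrators</Group><Name>bob.smith</Name></DomainAccount>
          <DomainAccount wcm:action="add"><Group>Administrators</Group><Name>production</Name></DomainAccount>
          <Domain>example.local</Domain>
        </DomainAccountList>
      </DomainAccounts>
    </UserAccounts>
  </component></settings>
</unattend>"""

NS = {"u": "urn:schemas-microsoft-com:unattend"}


def admin_accounts(xml_text):
    """Return (local_admins, domain_admins); domain entries are 'DOMAIN\\name'."""
    root = ET.fromstring(xml_text)
    local = [
        acct.findtext("u:Name", namespaces=NS)
        for acct in root.iterfind(".//u:LocalAccount", NS)
        if (acct.findtext("u:Group", namespaces=NS) or "").lower() == "administrators"
    ]
    domain = []
    for lst in root.iterfind(".//u:DomainAccountList", NS):
        dom = lst.findtext("u:Domain", namespaces=NS)
        for acct in lst.iterfind("u:DomainAccount", NS):
            if (acct.findtext("u:Group", namespaces=NS) or "").lower() == "administrators":
                domain.append(dom + "\\" + acct.findtext("u:Name", namespaces=NS))
    return local, domain


def shadowed_names(xml_text):
    """Local admin names that also appear as a domain account: Setup will create
    a separate local user with that name next to the domain user (case-insensitive)."""
    local, domain = admin_accounts(xml_text)
    domain_names = {entry.split("\\", 1)[1].lower() for entry in domain}
    return sorted(name for name in local if name.lower() in domain_names)


if __name__ == "__main__":
    print(shadowed_names(UNATTEND_FRAGMENT))  # ['Production', 'bob.smith']
```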
-
When I want to give a user Administrative privileges to a specific computer, I do it locally on that computer. Using the GUI in Win7 classic view, inside of
Control Panel -> User Accounts -> Manage User Accounts -> Advanced tab -> Advanced -> Groups -> Administrators -> Add -> Query the user's domain name -> Click Apply and OK till you're out of all the windows.
If you can find a scripting solution for that, that’d be great.
-
This is precisely what we use (which appears to be in your unattend.xml file). I can say for sure this below works in Win7.

```xml
<UserAccounts>
  <DomainAccounts>
    <DomainAccountList wcm:action="add">
      <DomainAccount wcm:action="add">
        <Group>Administrators</Group>
        <Name>joe_sombody</Name>
      </DomainAccount>
      <Domain>domain.com</Domain>
    </DomainAccountList>
  </DomainAccounts>
</UserAccounts>
```
-
@george1421 Does this make them a domain admin or just an admin over the local PC?
-
@Wayne-Workman The section I provided makes a (normal) domain account a local admin. We do this to allow applications like PDQ Deploy and other utilities admin access to the workstation without using a domain-level admin account.
-
We do that with a GPO. Even with groups from a trusted domain.