Adding a domain user to Local Admin Groups using MDT 2012

I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
But the administrators accounts page will only appear if you choose to join a domain. 

Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
<Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
<Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
</Pane>
Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
Story :^).
Keith Garner - keithga.wordpress.com

Similar Messages

  • Can not add Domain User to Local Admin Group Win8.1

    Hello, 
    I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
    type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
    DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
    but 90% of them it won't allow me to add the local user to the local admin group. 
    DCs are running Win Server 2008 R2 Enterprise. 
    Any help would be greatly appreciated. 
    Thank You

    I would suggest you to use Restricted Group(via GPO) to add domain users/group to a local admins group 
    1)Create a new group in Active Driectory
    Create a new group in Active Driectory that you wish to add to every workstations local administrator group. DO NOT add any users to this group at this time.
    2.
    Create a new GPO
    Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
    3.
    Edit the newly created GPO
    Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups
    4.
    Add your new Active Directory group to the Restricted Group
    Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
    5.
    Add the Restricted Group to the local administrator group
    In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
    6.
    Wait for GPO updates to apply to the workstations
    Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation,
    run "gpupdate /force" in a command window on that workstation.
    7.
    Add a user or group of users to the Active Directory Restricted Group
    When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
    Console.

  • List users in local admin group on all workstations

    Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
    that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
    csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
        $CurrentDate = Get-Date
        $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
        import-module activedirectory
         $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
         $output = "c:\temp\local admin audit $CurrentDate.csv"
         $results = @()
         $servers | ForEach-Object{
        $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
        $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
        $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
        $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
        $group =[ADSI]"WinNT://$_/Administrators,group"
        $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
        if($wmi)
           New-Object PSObject -Property @{
               DistinguishedName = (Get-ADComputer $_).DistinguishedName
               Server = $_
               Members = $members -join ";"
        } | Export-Csv $Output -NoTypeInformation

    I agree use GP it is more reliable and easier to manage.
    For the sake of demonstration of how this can be don here is how most of us would be likely todo this or a very close variation.
    There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
    $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
    import-module activedirectory
    #adjust Filter as needed
    $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
    Get-AdComputer -Filter $adfilter |
    ForEach-Object{
    $props=@{
    Server=$_.Name
    IsAlive=$false
    DistinguishedName=$_.DistinguishedName
    Members=$null
    if(Test-Connection $_.Name -Count 1 -Quiet){
    $props.IsAlive=$true
    $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
    $members=$group.Members() |
    ForEach-Object{
    $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
    $props.Members=$members -join ";"
    New-Object PSObject -Property $props
    } |
    Export-Csv $csvfile -NoTypeInformation
    Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
    ¯\_(ツ)_/¯

  • Adding users in Local Administrators Group using GP Restricted Group

    Hi Experts.
    I have approx 200 servers. There are user1, user2 and user3 which I have added in
    Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
    Administrators member.
    Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
    In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
    Any idea?
    Regards Suman B. Singh

    Hi,
    How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
    and then we can use Security Filtering to apply the specific GPOs to specific computers.
    Regarding security filtering, the following article can be referred to for more information.
    Security filtering using GPMC
    https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
    Filter Using Security Groups
    https://technet.microsoft.com/en-us/library/cc752992.aspx
    Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
    computers.
    Regarding GPP Local Users and Groups, the following article can be referred to for more information.
    Configure a Local Group Item
    https://technet.microsoft.com/en-us/library/cc732525.aspx
    How to use Group Policy Preferences to Secure Local Administrator Groups
    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
    Regarding Item-Level Targeting, the following article can be referred to for more information.
    Preference Item-Level Targeting
    https://msdn.microsoft.com/en-us/library/cc733022.aspx
    Best regards,
    Frank Shen

  • DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

    On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
    the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
    backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
    Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
    This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
    One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
    practice.
    Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
    Please help.
    Thanks,

    This is a hands off solution to allow all users that use a machine to be able to restore their own files.
    1) Make these two cmd files and save them in c:\temp
    2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
    <addperms.cmd>
    Cmd.exe /v /c c:\temp\addreg.cmd
    <addreg.cmd>
    set users=
    echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
    echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
    FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
    echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
    REG IMPORT c:\temp\perms.reg
    Del c:\temp\perms.reg
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
    posting is provided "AS IS" with no warranties, and confers no rights.
    That's a good one! Thanks for that.
    I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
    ========================================================================
    $RC=setoption("WOW64AlternateRegView","on") 
    $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
    $uservariable = "%userdomain%\%username%"
    If KeyExist ($DPMkey)
    $Userstring=ReadValue($DPMkey, "ClientOwners")
    If $Userstring == ""
    WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
    ? "Key created"
    else
    If not instr($Userstring,$uservariable)
    $Userstring = "$Userstring,$uservariable"
    WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
    EndIf
    Endif
    EndIf
    ==========================================================================
    The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
    In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
    =========================================================
    $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
    =========================================================
    The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

  • Adding a domain user to the admin role within the local user management breaks all metro apps for all users!!

    Hi,
    I have posted this in another large thread under the "Windows 8 General" group but have not had any appropriate feedback from MS.
    After hours of testing and working with other users I have managed to isolate a simple situation that breaks all metro ui applications within Windows 8 for all users on the machine. Here are my exact steps and notes.
    Before continuing if you are running Avast then your solution may be to turn of the behaviour shield functionality as this also breaks metro apps. This is NOT the problem we are having!
    I have performed 3 cleans installs after isolating the problem and am able to reproduce the issue every time using the same steps on two different machines. 
    First thing to say is that for us it has nothing to do with simply joining the domain, domain/group policies nor does it appear to have anything to do with the software we installed, the problem here is much more simple but the result is pretty terrible.
    Here are my exact steps of what I did to reproduce our problem:
    Complete format of HDD in preperation for a clean install
    Clean install performed
    Set up the machine initially with a local account
    Test metro apps - all working fine
    Open control panel from the desktop, click on System, change the system to join the domain, click reboot
    Log into the system using my domain account
    Test metro apps - all working fine
    Here's were the problem starts. I need my domain account to have admin rights on the local machine so I can install programs without the IT men having to come over and enter their password every 5 mins.
    I go to control panel via the desktop and click on User Accounts. From with here I then click on "Manage User Accounts". This requires the IT guys to enter their details to give me access to such functionality. This is fine
    In the dialog box that opens I can only see the local user that was initially created during setup. The "Group" for this local account shows as "Administrators" - Image included below (important to note that metro apps are working at this point)
    I click add and then add my domain account - also giving it administrator access
    Sign off or reboot to ensure the new security is applied
    Sign back in to the domain account
    Test metro - ALL BROKEN
    Sign out
    Sign in as local account
    Test Metro - NOW ALL BROKEN FOR THIS USER ALSO
    So as soon as I add my domain account to the local user accounts and set it as admin it breaks all metro apps for all users. This is on a totally clean install with nothing at all installed other than the OS.
    Annoyingly if I go back and change the domain account to a standard user or if I totally remove the domain account from the local account management system the problem does not go away for either user. basically it is now permanently broken. The only fix I
    could fathom was a full re install and not giving the domain user admin access to the local  machine.
    Screen one - this is the local user accounts window AFTER joining the domain and logging in with my domain account (All metro apps working at this point)
    Screen 2: User accounts AFTER joining the domain and AFTER adding domain account to local user management (METRO BROKEN)
    I have isolated my machine from all group policies so nothing like that is affecting me. Users I have spoken to in different companies have policies that automatically add users to the local user management. This means that metro apps break as
    soon as they join the domain which leads them to wrongly think it is group policies causing the error. Once they isolate themselves from this they can reproduce following my steps.
    Thanks

    Hi Juke,
    Thank you for the response and apologies for the delay in getting back to you. My machine was running a long task so I couldn't try your suggested solution.
    I had already tried running the registry merge suggested at the top of the thread to no avail. I had not tried deleting the OLE key totally so I did that and the problem still exists. I will post all the errors I see in event viewer below. For
    your info, since posting my initial comment I have sent out my steps to 7 different people and we can all reproduce the problem. This comes to 10 different machines (3 of them mine then the other guys) in 3 different businesses / domains. We see the same errors
    in event viewer.
    Under "Windows Logs" --> "Application" : I get two separate error events the first reads "Activation of app winstore_cw5n1h2txyewy!Windows.Store failed with error: The app didn't start. See the Microsoft-Windows-TWinUI/Operational log for additional
    information." The second arrives in the log about 15 seconds after the first and reads "App winstore_cw5n1h2txyewy!Windows.Store did not launch within its allotted time."
    Under "Windows Logs" --> "System" : I get one error that reads "The server Windows.Store did not register with DCOM within the required timeout."
    Under "Applications And Services Logs" --> "Microsoft" -->  "Windows" --> "Apps" --> "Microsoft-Windows-TWinUI/Operational" : I get one error that reads "Activation of the app winstore_cw5n1h2txyewy!Windows.Store for the
    Windows.Launch contract failed with error: The app didn't start."
    If you require any further information just let me know and I will provide as much as I can.
    Thanks

  • Need to Query Local Admin Group

    I wrote (copied) some PowerShell code that will add a Domain User to the Local Admin Group using ADSI.  
    $GuestPC = "WinNT://DOMAIN/UserName,user"
    $AdminGroup = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
    $AdminGroup.add($GuestPC)
    I want to add an If - Else statement to check if the Domain User is already in the Administrators group.  
    I found this code:
    $members = @($AdminGroup.psbase.Invoke("Members"))
    $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
    This code actually lists the members of the Administrators Group.  Maybe its early or I did not get enough sleep, but I cannot figure out how to just query the Administators group for $GuestPC and if it is there don't do anything, but if it is not there
    add it using the above code.  
    Something easy for someone out there I hope?
    Matt
    Matt Dillon

    Finally found the answer on Google.  Just need to add -cnotcontains "GuestPC" in side a If-Then
    Matt Dillon

  • Remotely add Domain User to local group

    I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads and XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local
    groups.  I would like to be able to run this from a management workstation. 
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command
    to execute the two lines of code remotely. 
    Invoke-Command -ComputerName RemoteServer {
    $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
    $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim

    I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads and XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local
    groups.  I would like to be able to run this from a management workstation. 
    I've been working from these two posts.
    http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
    It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command
    to execute the two lines of code remotely. 
    Invoke-Command -ComputerName RemoteServer {
    $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
    $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
    (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
    Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
    +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
    +FullyQualifiedErrorID :DotNetMethodTargetInvocation
    +PSComputerName :RemoteServer
    I need help on what to try next.
    Thanks.
    . : | : . : | : . tim
    The ADSI commands work remotely as long as you are an administrator on the domain.
    Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
    Normally we would use AD and GP to add users to local groups.
    Your script is also incorrect.  Thisis the correct template.
    $remotepc='somepc'
    $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
    $de.Add("WinNT://Domain/User")
    You should never the user to the admin group.  It is a formula for disaster.
    ¯\_(ツ)_/¯

  • Service accounts adding to Local admin group

    Hello Everyone,
    What are the risks with adding SharePoint service application service accounts to local admin group.
    I see in many Microsoft blogs not to use farm account to create service application and better to use dedicated service account but i didn't see any articles why we shouldn't add dedicated service accounts to local admin group
    I am facing some GPO issue and one my friend suggested to add service accounts to add local administrator group to fix this issue but i am not sure what the risks behind it. 
    Please let me know if you aware of risks.
    Thanks S

    The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is
    compromised, there is the possibility that the entire server would be compromised.
    Clearly, this is not a good situation.
    Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
    If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
    If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
    Trevor Seward
    Follow or contact me at...
    &nbsp&nbsp
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Add Local Users to the Local Admin Group

    I am looking either via GPO or Third Party Tool.  I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8.  I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain
    Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
    Thank u

    > local users (Not domain Users) to this Group and then nest this Group
    > into the Local Admin Group Built-in into Windows 8
    You cannot nest local groups.
    Greetings/Grüße,
    Martin
    Mal ein
    gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me -
    coke bottle design refreshment (-:

  • Local admin vs user placed in local admin group

    what are the differences between the built-in and the user placed in the admin local group
    .  I noticed when installing Cisco's AnyConnect 3.x client as a user who has been elevated to the local admin group  that when the install is complete the settings only apply to the specific user used during the install as opposed to when the built-in
    admin (I am aware of the option for this) ...my question is  are there any window applications that require well known security identifiers (sid).
    or
    simply put what are the differences between the built-in and the user placed in the admin local group..I experienced differences and wanted to know where I can get more information

    Hi,
    Their are some subtle differences. The built-in administrator account SID is well known forprogramming logic by 3rd parties.
    For the built-in admin, UAC is disabled by default. That means that the built-in admin never requires elevation. But, as we all know, UAC can be turned off by the user so even when an admin user launches a program, he will be elevated automatically.
    The built-in admin account cant be deleted (though it can be disabled).
    Karen Hu
    TechNet Community Support

  • Add domain account in local admin in unattended

    I can use the following in unattended.xml to join user1 into domain1. Is there a way to be able to add user1 into local admin group in unattended.xml?
        <component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <Identification>
                    <Credentials>
                        <Domain>domain1.com</Domain>
                        <Password>user1password</Password>
                        <Username>user1</Username>
                    </Credentials>
                    <JoinDomain>domain1.com</JoinDomain>
                    <MachineObjectOU>OU=Users,DC=domain1,DC=com</MachineObjectOU>
                    <UnsecureJoin>false</UnsecureJoin>
                </Identification>
        </component>

    Yes you can, check this:
    http://technet.microsoft.com/en-us/library/cc749246(v=ws.10).aspx

  • SCCM 2012 - How to add domain id to local administrator group of all clients

    SCCM 2012 - How to add domain id to local administrator group of all clients
    Hi,
    i have a domain id sccmadmin which is a part of domain admins group too.
    Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

    Hi ,
    you need to choose the second option .
    First option will remove all the domains users from the local administrator group available in all the PC'S .Then local administrator group will only have the users updated on the members list present in group policy.
    Note : Local admins accounts on the local administrators groups will not be removed.
    Second option will add the newly created group to the local administrator group in all the PC'S and it will not remove the existing members in the local administrators group.
    Step 1 : Just try to create one new group for SCCM management .
    Step 2 : Then add the SCCM account to that group.
    Step 3 : Then please create a new group policy on that just choose the second option.On that option just add the newly created group to be an member of administrator group in all the PC'S
    Why i have asked you to create a new group ?
    Because in second option , we don't have a option to add a individual user .
    Once you have created a group policy it will like below snap.
    As an additional i will tell how to find the newly created group policy is applying to computer objects or not ans also i will tell you how to force update the group policy 
    1.gpresult /r ----> To find the which group policy is applying on user and computer object .
    2.rsop.msc ----> There you can able to find the change has been applied or not .
    3.gpupdate /force -----> Forcefully updating the group policy in a client machine 
    4.In gpmc.msc there is one option called group policy results .That option will be used for centralized management to find the policies that are applied to a user and computer account.
    5.Just check the event viewer in all the PC'S for group policy related events.
    Most importantly you need to make sure all the computer accounts are placed in an ou ,where the newly created group policy is applying and also make sure that OU doesn't contain any inheritance block.
    Please feel free to reply me if you have any queries.
    Thanks & Regards S.Nithyanandham

  • Network User with Local Admin Privileges?

    I have a small network (around 25 clients total) that was setup prior to my arrival. Each client has its own unique local admin (each machine was setup by the individual user) and it's become somewhat daunting to support them.
    All of the machines are connected (but not specifically bound) to an Open Directory and each is accessible via Remote Desktop, however I cannot push software updates, etc. without local admin privileges.
    I'd rather not create an account on each machine, nor do I want to completely lock down each computer (I'd like them to still have the flexibility to be admins so they can install apps, etc.)
    Is it possible to authenticate against OD and obtain local admin privileges?

    Yes.
    You can wipe all account information and then recreate a common initial admin account. This will make administration far easier as all machines will have the same admin username/password combination. Next, bind all of the systems to the domain and create domain accounts for all users on the server (likely already exist). Log in as the domain accounts and migrate permissions to domain ids. Finally, promote the user to the local admin group through System Preferences > Accounts on the workstation. You must enable the account as a mobile account in Workgroup Manager first. If you do not, the account will not cache to the workstation and you will be unable to add it to the admin group.
    Also, in a workgroup of 25, I would recommend rethinking the decision to grant local admin access to end users. This is asking for trouble as you will have no control over when updates are applied or even if they are. In theory (and probably in practice), you will have 25 completely different machines configurations. This is far harder to manage and troubleshoot than 25 systems with different admin accounts.
    If you must provide some level of autonomy, while not trivial, you might want to consider modifying /etc/authorization and granting limited admin rights to the users.
    Hope this helps - congrats on the opportunity

  • How to add first log on user to local administrator group

    Hi All,
    When first time user log in to system, i need to add that particular user to local administrator group?
    How to achieve it using vbscript?
    Thanks
    Divakar

    It is also now against federal law in the US, Canada and, I believe, the UK. 
    In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
    installation but it does show how important this is.
    There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
    requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
    I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
    were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
    It can be done.
    ¯\_(ツ)_/¯
    It is also now against federal law in the US, Canada and, I believe, the UK. 
    In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
    installation but it does show how important this is.
    There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
    requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
    I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
    were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
    It can be done.
    ¯\_(ツ)_/¯

Maybe you are looking for

  • I'm using an iPhone 5. I had FaceTime before but when I got a new line it just disappeared even from the settings. What do I do?

    I'm using an iPhone 5. I had FaceTime before but when I got a new line it just disappeared even from the settings. What do I do?

  • Maintaining process code in EWM via a program or FM

    Hi All, Is there any program or function module which can be used to update/maintain the process codes in EWM. Process codes are maintained in table - /SCDL/DB_PRCODES and can be maintained on screen via /n/SCWM/PRDI or /n/SCWM/PRDO. The requirement

  • Adobe Premiere Elements 4 Crash - Windows Vista

    After approximately 14 to 16 seconds of viewing any .mod video file recorded from my JVC Everio camcorder a Windows error message appears and Adobe Premiere Elements 4 immediately crashes. Is there a patch or fix for such a problem? I have checked th

  • Iphoto crashes before it even opens

    Everytime I try to open iphoto it crashes before it even can open. I get this error message: Dyld Error Message: Library not loaded: /System/Library/PrivateFrameworks/HTMLDisplay.framework/Versions/A/HTMLDisplay Referenced from: /Applications/iPhoto.

  • Authoriztion Objects

    Hi Friends, Here I Have Problem with authorization objects, We are developing RFC function Modules, in function  modules we need to check the some authorizations for that we created some authorization objects as DUMMY,and those are working fine for c