Grant access to modify membership of local administrator group

Similar Messages

• How to add first log on user to local administrator group

  Hi All,
  When first time user log in to system, i need to add that particular user to local administrator group?
  How to achieve it using vbscript?
  Thanks
  Divakar

  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯
  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯

• Wmi script to find out the time when the user was added to local administration group

  Hi Friends,
  i need a script/query based on wmi/wql that find out the time when the user was added to local administration group on this computer
  Regards
  Tanoj
  OSLM ENGINEER - SCCM 2007 & 2012

  WMI does not keep security information.
  Unless you have enabled auditing, this information is not retained in any way.
  If auditing is enabled, you can write a powershell script to look for the specific event in the eventlog. More specifically, you should look for all security events with id 4732 containing the group.
  this one command does the trick
  get-eventlog -logname security -instanceid 4732 -message *administrators*
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
  MCP/MCSA/MCTS/MCITP

• Add Managed By AD value to Local Administrator group.

  Hi,
  I'd like to add the user account of the AD computer's Managed by attribute to the Local Administrator Group.
  Could that  be done via GPP?
  Thanks in advance.

  Hi,
  I am doubtful about it, as when I run %manager%, the system could not recognize the variable, and also I didn't find out the environment variable.
  I would like suggest you use script to do that, first retrieve all "Managers", then add them to each computers local admins group.
  For scripting, please refer to the below link:
  http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
  Best Regards,
  Yan Li
  Yan Li
  TechNet Community Support

• SCCM 2012 - How to add domain id to local administrator group of all clients

  SCCM 2012 - How to add domain id to local administrator group of all clients
  Hi,
  i have a domain id sccmadmin which is a part of domain admins group too.
  Need to add this ID to the local administrators group of all clients. How do I do this? Please help!

  Hi ,
  you need to choose the second option .
  First option will remove all the domains users from the local administrator group available in all the PC'S .Then local administrator group will only have the users updated on the members list present in group policy.
  Note : Local admins accounts on the local administrators groups will not be removed.
  Second option will add the newly created group to the local administrator group in all the PC'S and it will not remove the existing members in the local administrators group.
  Step 1 : Just try to create one new group for SCCM management .
  Step 2 : Then add the SCCM account to that group.
  Step 3 : Then please create a new group policy on that just choose the second option.On that option just add the newly created group to be an member of administrator group in all the PC'S
  Why i have asked you to create a new group ?
  Because in second option , we don't have a option to add a individual user .
  Once you have created a group policy it will like below snap.
  As an additional i will tell how to find the newly created group policy is applying to computer objects or not ans also i will tell you how to force update the group policy 
  1.gpresult /r ----> To find the which group policy is applying on user and computer object .
  2.rsop.msc ----> There you can able to find the change has been applied or not .
  3.gpupdate /force -----> Forcefully updating the group policy in a client machine 
  4.In gpmc.msc there is one option called group policy results .That option will be used for centralized management to find the policies that are applied to a user and computer account.
  5.Just check the event viewer in all the PC'S for group policy related events.
  Most importantly you need to make sure all the computer accounts are placed in an ou ,where the newly created group policy is applying and also make sure that OU doesn't contain any inheritance block.
  Please feel free to reply me if you have any queries.
  Thanks & Regards S.Nithyanandham

• Grant the right to let user use administration tool

  hi, experts,
  I have logined a PC using local administrator and installed only the oracle bi administration tool.
  when I use another user(second user, not in local administrator groups) to login, I cannot run the administration tool.
  then I logined the PC using local administrator again and grant the right to second useron the file C:\OracleBI\server\Bin\AdminTool.exe
  then I use second user to login again and I can run admin tool.
  my question is
  should I also grant the rights on other files to second user?
  or only C:\OracleBI\server\Bin\AdminTool.exe ?
  thank you very much!

  You'll want to grant more privs that just the admin tools because there's also the catalog manager, job manager etc. I would recommend granting read/execute on both the OracleBI folder and the OracleBIData folders just to make sure they run the files they need to.
  Let me know what you go with.
  Best regards,
  -Joe

• Grant Access at Portlet Level

  I've read in some documentation (afair) that access can be granted at a lower level that the page level i.e. it's possible to grant access to a portlet to certain users/groups.
  I cant seem to find any docs that show me how to change the permissions/access on each portlet though (I'm assuming that this should be possible for all types of portlets including HTML Portlets). I'd be grateful if someone could point me in the right direction.
  Thanks,
  WG

  You cannot do that directly.
  A possible workaround: add the portlet(s) to a dummy page, specify the access privileges for the dummy page, and add the dummy page to your real page as a portlet.

• Can not add Domain User to Local Admin Group Win8.1

  Hello, 
  I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
  type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
  DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
  but 90% of them it won't allow me to add the local user to the local admin group. 
  DCs are running Win Server 2008 R2 Enterprise. 
  Any help would be greatly appreciated. 
  Thank You

  I would suggest you to use Restricted Group(via GPO) to add domain users/group to a local admins group 
  1)Create a new group in Active Driectory
  Create a new group in Active Driectory that you wish to add to every workstations local administrator group. DO NOT add any users to this group at this time.
  2.
  Create a new GPO
  Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
  3.
  Edit the newly created GPO
  Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups
  4.
  Add your new Active Directory group to the Restricted Group
  Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
  5.
  Add the Restricted Group to the local administrator group
  In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
  6.
  Wait for GPO updates to apply to the workstations
  Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation,
  run "gpupdate /force" in a command window on that workstation.
  7.
  Add a user or group of users to the Active Directory Restricted Group
  When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
  Console.

• Service accounts adding to Local admin group

  Hello Everyone,
  What are the risks with adding SharePoint service application service accounts to local admin group.
  I see in many Microsoft blogs not to use farm account to create service application and better to use dedicated service account but i didn't see any articles why we shouldn't add dedicated service accounts to local admin group
  I am facing some GPO issue and one my friend suggested to add service accounts to add local administrator group to fix this issue but i am not sure what the risks behind it. 
  Please let me know if you aware of risks.
  Thanks S

  The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is
  compromised, there is the possibility that the entire server would be compromised.
  Clearly, this is not a good situation.
  Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
  If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
  If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Adding users in Local Administrators Group using GP Restricted Group

  Hi Experts.
  I have approx 200 servers. There are user1, user2 and user3 which I have added in
  Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
  Administrators member.
  Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
  In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
  Any idea?
  Regards Suman B. Singh

  Hi,
  How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
  and then we can use Security Filtering to apply the specific GPOs to specific computers.
  Regarding security filtering, the following article can be referred to for more information.
  Security filtering using GPMC
  https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
  Filter Using Security Groups
  https://technet.microsoft.com/en-us/library/cc752992.aspx
  Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
  computers.
  Regarding GPP Local Users and Groups, the following article can be referred to for more information.
  Configure a Local Group Item
  https://technet.microsoft.com/en-us/library/cc732525.aspx
  How to use Group Policy Preferences to Secure Local Administrator Groups
  http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
  Regarding Item-Level Targeting, the following article can be referred to for more information.
  Preference Item-Level Targeting
  https://msdn.microsoft.com/en-us/library/cc733022.aspx
  Best regards,
  Frank Shen

• Can access domain network resources while logged on as a local administrator on a workstation.

  Please help me in figuring this one out.
  I have a Server 2003 R2 domain with a bunch of workstations and some servers having the same local admin password.
  I know it is not good practice, but that's an issue of it's own.
  The issue is that when I log on as that local admin (WORKSTATION\Administrator) I can suddenly browse to ALL the hidden shares(c$, d$) of ALL the servers and workstations that have the same local admin password. If I change password or disable that account
  the symptom goes away.  I though if I do try accessing hidden shares it should still ask me for credentials, after all these are local credentials on DIFFERENT machines. I checked to make sure that the credentials are not cached and as far as I can tell
  they are not. This really freaks me out.
  This is kind of a big deal because even if I change local passwords on servers, I'm not sure we will be setting up different local Administrator password for each workstation.
  My question is: Is this the a normal/documented Windows behavior? If not why is this happening? Can someone please explain how is this possible?

  Yes, this is the default behavior for workgroup machines - this is so-called pass-through authentication of the NTLM protocol. You can lock down the usage of NTLM with policies.
  I have accidentally just tested pass-through authentication as I am working on a solution that involves a bunch of servers that are not in a domain. Without this sort of authentication you could not do authentication easily against another machine in such
  an environment.
  Admin power is limited though: Even if the user in question is admin on both machines and you try to remotely reset a password in an admin cmd session (e.g. using pspasswd) it will fail because of UAC per default - unless you tweaked UAC or related registry
  keys.
  I tried to find some official documentation: In
  this book (hope it works - link to page via Google books) on Windows security pass-through is explicitly mentioned as the method used in a workgroup environment, this
  MS support article explains NTLM passthrough authn in a domain environment.
  I have seen some articles that say that NTLM is locked down per default on newer OS - but I can confirm if works if e.g. connecting from a W2K8 R2 server to a Windows 7 machine (both workgroup machines, no domain policies applied).
  Elke

• Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

  Why doesn't Photoshop touch ask for access to local photos on my iPad so I can grant access and edit?

  That's odd. Does this mean that you want to have the request or that you can't see the photos even though you enabled it over the privacy/photos?
  If you enable it - it's not necessary to get the request. If you want the request the safest way to get it back is to reset the privacy settings by going to iPad settings/General/Reset/Reset Location & Privacy
  thanks,
  Ignacio

• Grant access to built-in administration portlet

  I need to create a user (or group) ADMIN that can create and manage portal users and groups using the built-in User, User Profile, Group and Group Profile Administration portlets. I do not want to grant Portal Administrator to this user.
  I have created a page that contain just the above four portlets however when I log as ADMIN I can see only three of them, the User portlet does not show. I have granted Manage on All User Profiles and All Groups Privileges to this user.
  Is it any way to grant the user access to the User portlet?
  Regards,
  Anna

  If the schema2.package_name has been successfully compiled using defining user authorization (default) and not current user authorization then yes all any other username requires to use the package and perform any DML activity defined in the package is an "execute" grant on the package.
  In the case of current user authorization then the executing user would also need DML grants on the referenced objects.
  HTH -- Mark D Powell --

• With out loosing view grant access, i can modify the existing vi

  I am using oracle 11g.
  I would like to add few more where condition in my oracle view ,Which has grant permission by different user.
  There is anyway with out loosing view grant access, i can modify the existing view.
  Existing view
  create view abc
  as
  select * from tab1
  where rownum =1 .
  Grant select on abc to read_ro;
  Modifying view
  There is anyway with out loosing view grant access, i can modify the existing view?
  add few more where condition in my oracle view ,Which has grant permission by different user
  please advise.

  create or replace view...
  SQL>  create or replace view y as select object_name from user_objects;
  View created.
  SQL> grant select on y to ads;
  Grant succeeded.
  SQL> select * from user_tab_privs where table_name='Y';
  GRANTEE                        OWNER
  TABLE_NAME                     GRANTOR
  PRIVILEGE                                GRA HIE
  ADS                            BONTRAB1
  Y                              BONTRAB1
  SELECT                                   NO  NO
  SQL> create or replace view y as select object_name,created from user_objects;
  View created.
  SQL>  select * from user_tab_privs where table_name='Y';
  GRANTEE                        OWNER
  TABLE_NAME                     GRANTOR
  PRIVILEGE                                GRA HIE
  ADS                            BONTRAB1
  Y                              BONTRAB1
  SELECT                                   NO  NO
  SQL> desc y
  Name                                      Null?    Type
  OBJECT_NAME                                        VARCHAR2(128)
  CREATED                                            DATE

• Need to provide local administrator access without domain administrator rights

  Hi All,
  I need to provide local admin access to one account in windows environment without providing domain administrator rights.
  Windows 2008 DC. Desktops : windows 7
  So that we can use this account to install agents like SCCM\SCOM in all servers & desktops.
  Need suggestions.

  Hi,
  I agree with Senne, in addition, we can also use net command to perform local group management.
  More information for you:
  Add a member to a local group
  http://technet.microsoft.com/en-us/library/cc772524.aspx
  How to Make a Domain User the Local Administrator for all PCs
  http://social.technet.microsoft.com/wiki/contents/articles/7833.how-to-make-a-domain-user-the-local-administrator-for-all-pcs.aspx
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]