This week I got a question from Matthew:
“I’m in a situation where we have high turn-over on our first level of support. I’d like the help desk person to have local admin rights on most PC’s, but not all, and not specifically the way we have them grouped in Active Directory…Is there a way you can incorporate this into your program [Network Administrator]?”
Great question. Lets first see how to do this from the command line, or in a bat file.
First, I setup a new group in active directory called “TempLocalAdmins”
When I want a user to be a local admin, I simply make them a member of this group. If I want to take away local admin rights…I just pull them out of the group.
From the command line it is easy to add that group as a local admin using this command:
net localgroup administrators /add domain\account
So in my case it would be:
net localgroup administrators /add INTELLIADMIN\TempLocalAdmins
You would run this from the computer where you want to have that group as a local administrator.
Now, if you want to push this to computers over your network, you can use Network Administrator to do it.
Here is how it can be done:
Create a bat with the “net localgroup” command in a file named “CreateLocalAdmin.bat” and put it in c:\temp
Here is what my file looks like:
Then, use the remote execute plugin in Network Administrator to push it out.
Here are the settings you would want to use:
Then just select the computers where you want that group to be a local admin, and run the remote execute plugin.
You can get the latest version of Network Administrator from here:
One more thing…Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them. Click Here to get your free tools