Add current domain user to local admin group

Hello!

I need a script or software that adds the current user to the local admin group of the computer. I.e., a script that runs at the first logon and adds the first user who logs on to the machine to the local admin group. After that it deletes itself.

Some of our users are local admin of their own computer. On our current setup we manually add users to local admin after installing a computer with SCCM.

If someone has a script or software that does this it would be highly appreciated!


  • Edited by Whobe1337 Wednesday, April 22, 2015 10:12 AM
January 28th, 2015 8:35am


All of our users are local admin of their own computer. 

Why? What's the reason for them having to be local admin?
January 28th, 2015 8:46am

We are an ASP hosting firm. And the customer wants to have local admin rights.
January 28th, 2015 11:06am

see if this helps...

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_26301371.html

It's not something I would use SCCM for, but...

January 28th, 2015 1:21pm

This really has nothing to do with ConfigMgr; however, the net command will do this for you, no script needed:

net localgroup Administrators /Add <newmember>

January 28th, 2015 1:43pm

This is a huge security risk doing that, but you can also create a Group in Active Directory. Add users to that Group. Then create a group policy which makes that group a Local admin on workstations. No script needed then!
January 28th, 2015 2:31pm

With the command "Net Localgroup Administrators /Add <newmember>" we need to specify the computer owner in each installation. I cannot do this because the customer has 200++ computers. Each user has their own laptop, and they want to be local admin of their own computer.



  • Edited by Whobe1337 Wednesday, April 22, 2015 10:17 AM
January 28th, 2015 2:48pm

First, as mentioned, that's a terrible idea. You may as well give the Russian mob keys to your environment.

Reimaging systems has nothing to do with local admin permissions either so not sure how that's relevant at all.

January 28th, 2015 3:15pm

The goal here is for me to give limited SCCM access to the IT manager of that customer. So they can distribute Windows to a computer by adding it to a collection or by booting from PXE. We want the computer to be reinstalled, and on the first logon (or somehow) the first user will be local admin on that computer. They have been local admin for years and they don't want to change this in the near future.

I agree that this is not the best solution security wise, but the customer knows this. And they still want to be local administrators of their own computer.

  • Edited by Whobe1337 Wednesday, April 22, 2015 10:20 AM
January 29th, 2015 8:04am

You could set up a collection based on security group and just give the admin rights to put machines into that security group in AD. No need for them to access the ConfigMgr console.

Jason already provided a way of adding a user to the local admin group.


January 29th, 2015 8:50am

The command "net localgroup Administrators /Add <newmember>" kinda works, but then I need to manually type in the command after every reinstall I do.

1. Log on as the user that needs admin rights (or admin, doesn't really matter)

2. Run cmd as the local administrator account

3. Run the command "net localgroup Administrators /Add user1"

Then I might as well log in and add the user from computer management.

Since the next computer I reinstall is another machine, and another user. I really can't use that command. Because it does not find the current user.

The best scenario would be if a user gets a prompt at the very first logon. And when they press "ok" on this prompt. The command "net localgroup Administrators /Add (Automatically finds current username)"

I have seen software that runs on the first logon before. That software popped up after the domain user logged on to the machine. The user would press start on this software. Then the software changed the computer name and added user to local admin. It deleted itself when it was done.



  • Edited by Whobe1337 Wednesday, April 22, 2015 10:22 AM
January 30th, 2015 7:31am

They have been local admin for years and there haven't been any problems.
If you believe this, then (sorry going to be very blunt here to hopefully shock you into action) you're as naive as Sony, Target, and the many others that have been hacked recently. Just because users don't call the help desk, doesn't mean you haven't been compromised. Just because you have AV, doesn't mean you haven't been compromised. If you refer to any reputable source of security information, removing local admin privileges is always included in their top 2 or 3 items that you must do to be secure.
January 30th, 2015 3:34pm
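
An added example, not part of the thread or any poster's code: a PowerShell audit that lists members of the local Administrators group and reports any that are not on an approved list, so that per-user admin grants like the ones discussed here stay visible. The names CONTOSO, Workstation-Admins, PC042 and user1 are constructed placeholders, and the function name Get-UnexpectedLocalAdmin is hypothetical.

```powershell
# Added example: audit who holds local administrator rights on a workstation.
# All names below (CONTOSO, Workstation-Admins, PC042, user1) are constructed placeholders.

# Accounts and groups that are expected in the local Administrators group.
$ApprovedPatterns = @(
    '*\Administrator',              # built-in local Administrator account on any machine
    'CONTOSO\Domain Admins',        # constructed domain name
    'CONTOSO\Workstation-Admins'    # hypothetical AD group delivered by Group Policy
)

function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name/ObjectClass/PrincipalSource
        [Parameter(Mandatory)] [string[]] $Approved   # wildcard patterns matched against Name
    )
    foreach ($m in $Members) {
        # A member is expected only if its name matches at least one approved pattern.
        $matched = $Approved | Where-Object { $m.Name -like $_ }
        if (-not $matched) {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $m.Name
                ObjectClass = $m.ObjectClass
                Source      = $m.PrincipalSource
            }
        }
    }
}

# Constructed sample membership, so the check can be tried without reading a real group.
$sample = @(
    [pscustomobject]@{ Name = 'PC042\Administrator';   ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\user1';         ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)
Get-UnexpectedLocalAdmin -Members $sample -Approved $ApprovedPatterns

# Live check: S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# which avoids depending on the localized group name.
$live = Get-LocalGroupMember -SID 'S-1-5-32-544'
Get-UnexpectedLocalAdmin -Members $live -Approved $ApprovedPatterns | Format-Table -AutoSize
```

Get-LocalGroupMember ships with Windows PowerShell 5.1; run on a schedule, the output gives a per-machine record of direct admin grants that can be compared between reinstalls.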

I agree with you, but in this case the customer wants to have admin rights. So it's their call.

This customer has always had admin rights, and I don't think they will change their policy just like that.


  • Edited by Whobe1337 Wednesday, April 22, 2015 10:24 AM
February 2nd, 2015 7:36am

We ended up doing this manually. This customer doesn't have that many users. Most of our customers don't have local admin rights.
  • Marked as answer by Whobe1337 22 hours 17 minutes ago
August 25th, 2015 5:37am

This topic is archived. No further replies will be accepted.
