Managing 2000 PCs without Active Directory
We don't have any installation of Active Directory and Workgroup etc. We have deployed a helpdesk software solution which uses agent-based scanning (agents deployed on clients) for inventory collection and remote control of the client from the central helpdesk. Since the environment does not have an Active Directory installation, any update to the agents is not possible without a physical visit to the client. Also, any installation of fonts etc. is not currently possible without a physical visit. Further, the helpdesk software has a feature for remote control of the client using the agent installed on the clients, but all these features require installation of an Active Directory or administrative privileges on the client PCs.

All the users in our environment are mainly using the account with Administrative privileges to log in locally and use the PCs (either the built-in Administrator account or a separate administrator-privilege account). They are also allowed to change the password of the Administrator accounts being used by them. In view of this fact it is felt that this main administrator account cannot be reliably used for accessing the PCs remotely from the Helpdesk software or to deploy the fonts, patches etc. as elaborated above. Hence it is proposed to create another hidden administrator account with a common name and password across all the PCs, which will then be used to access the PCs remotely by the helpdesk software remote control etc. To avoid confusion among the users, the account used for our purpose shall be kept hidden.

Deploying Active Directory would basically require instilling some IT discipline among the users and management capabilities, which may not be feasible in the current scenario immediately. Till then we have to plan and fulfil the below-mentioned objectives without an Active Directory.

1. Implementing the Remote Control and Agent Solution of the Helpdesk Software. The agent also does the job of inventory collection of networked PCs. The inventory collection with the present agent does not require Administrator password or AD.
2. Implementing the Fonts and general Software Deployment solution.
3. Implementing the Windows Update / Patch Management solution through WSUS or otherwise.
4. Is there any free third-party tool which can help achieve the objectives?
5. Is it possible to get a batch file or script which would automate the task of hiding one account with administrative privileges on a large number of computers so that it does not appear on the logon screen? However, it should be possible to remotely log in to the computer using the same login account and push patches and updates.
6. It is worth noting that out of a large number of computers, some have Windows XP, some have Vista, while others have Windows 7 loaded on them. So the batch file or script proposed should be able to work on all the three operating systems. If separate batch files / scripts are required for different operating systems then all the scripts / batch files may be advised.

In this regard and above requirements, kindly advise on the feasibility and suitability of the following:

1. Is it recommended to create a hidden user account with Administrative privileges on each of the 1500 PCs? The user account name and password shall be the same/common to all the 1500 PCs. However, the user account should not be visible on the logon screen of Windows.
2. Use the common Administrative privileges account to push patches and use Windows Update / WSUS etc. or to push any other software update, fonts, agent update etc.
3. Is there any free third-party tool which can help achieve the objectives?
4. Is it possible to get a batch file or script which would automate the task of hiding one account with administrative privileges on a large number of computers so that it does not appear on the logon screen? However, it should be possible to remotely log in to the computer using the same login account and push patches and updates.
5. Is there any other alternative method or solution available to achieve the above objectives?
6. It is worth noting that out of a large number of computers, some have Windows XP, some have Vista, while others have Windows 7 loaded on them. So the batch file or script proposed should be able to work on all the three operating systems. If separate batch files / scripts are required for different operating systems then all the scripts / batch files may be advised.
7. Is the solution listed on http://social.technet.microsoft.com/Forums/en-US/w7itproui/thread/16378967-8a39-4aef-85e4-d859a71648d3 of any relevance?

I would request suggestions on implementing the above, till the AD environment is put in place.
July 11th, 2011 3:40am

We don't have any installation of Active Directory and Workgroup etc. We have deployed a helpdesk software solution which uses agent-based scanning (agents deployed on clients) for inventory collection and remote control of the client from the central helpdesk. Since the environment does not have an Active Directory installation, any update to the agents is not possible without a physical visit to the [...]

I don't think that arranging some "home grown" solution will be a good idea; what you need is to set up your AD infrastructure and then configure the needed GPOs and add the various bits and pieces (WSUS and so on...).

Doing what you are asking for on a 2000-computer network w/o using AD is, in my humble opinion, a real suicide, and while it may be achieved (at least partially), the whole solution will just serve to waste time and will then need to be dismantled/revised when you move to AD. So, instead of wasting this time on a homegrown setup, invest it in the AD migration process.
July 11th, 2011 6:42am

Hi, I agree with ObiWan that you NEED AD badly, and any work-arounds are going to be very labour-intensive. WRT some of your questions:

1. It is not recommended to use the same Admin account for each PC, if you are relying solely on this for security. Moreover, if the password were compromised, it would involve changing the account password manually on 1500 PCs! Also, although you can hide the admin logon, you cannot prevent users from logging on as Administrator. All they have to do is press Ctrl-Alt-Del-Del at the Welcome Screen, and they can type Administrator in the user name field.
2. You can implement WSUS w/o AD, but this would require a common Administrator password, so see point 1. For more info on implementing WSUS w/o AD, see here: http://pubs.logicalexpressions.com/Pub0009/LPMArticle.asp?ID=594
3. WSUS is free. See here: http://technet.microsoft.com/en-za/windowsserver/bb332157.aspx
4. You can. See this thread: http://social.technet.microsoft.com/Forums/en/w7itproui/thread/16378967-8a39-4aef-85e4-d859a71648d3
5. Active Directory
6. Don't know
7. See 4.
July 11th, 2011 7:06am

Hello, go away from this crappy setup and plan and install a domain; that will be the last time that you MAYBE have to go to the user locations. Even the domain join can be managed remotely with different options.

First 1 - 6: without a domain you have to do it manually on each machine; whether you use scripts or not, they must be copied to the machines to be run there.

Second 1 - 6: a local administrator already exists and ONLY the admins should know that password. Easily changed in a domain. You cannot create a hidden user, as all users are visible in the computer management console.

2. WSUS requires configuration on the workstations, as this is NOT a push from the server; the client connects to the WSUS server.
3. You have to search yourself, I don't know about any of this.
4. NOT without a centrally managed and accessible network as a domain provides. You can use the already existing administrator to log on remotely; if required, change all passwords manually or copy a script to the machine (requires of course permissions) and run the script locally with admin permissions.
5. PLAN AND CREATE A DOMAIN, EXACTLY FOR THESE REQUIREMENTS IT IS MADE.
6. Starting with Windows Vista, UAC comes into play (important if working with scripts), and also some script commands that work on earlier OS versions may not be supported anymore. You have to test and maybe recreate the scripts for the different OS versions.
7. This will hide an account from the logon window, and if you like to use it you have to make it visible again, logged on as an admin, so I can see NO advantage. Also this will not prevent the account from being hidden in the user manager as far as I understand this article.

Work with Remote Desktop connection or similar and log on as local admin until the domain is prepared. You will not find a NOT complicated solution with 2000 machines.

Sorry to state this, but the people deciding to work without a domain once your machines started to come over 50 computers are not doing a good job in suggesting and maintaining the network to the company's CEO.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
July 11th, 2011 7:16am
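
Added example, not part of any reply in this thread: the workstation-side settings the replies above refer to when they say WSUS works without AD but has to be configured on each client, which then pulls from the server. The server URL is a placeholder, the schedule values are illustrative choices, Set-Policy is a helper defined here, and the script assumes PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example: point a workgroup (non-domain) client at a WSUS server by
# writing the same policy values a GPO would set. Run elevated.
param(
    # Placeholder URL (assumption); 8530 is the port WSUS uses when it is
    # installed on its own IIS site rather than the default site.
    [string]$WsusUrl = 'http://wsus.example.local:8530'
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

# Create the policy keys if they do not exist yet.
foreach ($key in $wu, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Helper for this example: create or overwrite one registry value.
function Set-Policy($Path, $Name, $Value, $Type) {
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType $Type -Force | Out-Null
}

# Where the client fetches updates and where it reports status.
Set-Policy $wu WUServer       $WsusUrl String
Set-Policy $wu WUStatusServer $WsusUrl String

# Use the WSUS server instead of Microsoft Update, keep automatic updates
# on, download and install on a schedule (every day at 03:00).
Set-Policy $au UseWUServer          1 DWord
Set-Policy $au NoAutoUpdate         0 DWord
Set-Policy $au AUOptions            4 DWord
Set-Policy $au ScheduledInstallDay  0 DWord
Set-Policy $au ScheduledInstallTime 3 DWord

# Make the Windows Update service pick up the new settings and check in.
Restart-Service -Name wuauserv
& "$env:SystemRoot\System32\wuauclt.exe" /detectnow

# Show what was written so the result can be confirmed on the machine.
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $au | Select-Object UseWUServer, AUOptions
```

Without a domain the script still has to reach every workstation and run there with local administrator rights.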

Thanks, BigTeddy. Just to add my 2 cents: having such a number of machines, once the AD will be set up I won't just recommend using WSUS, but also implementing the Windows Deployment Services [1] [2] and, by the way, some centrally managed antivirus solution like, for example, Microsoft ForeFront Endpoint Protection [3].

[1] http://en.wikipedia.org/wiki/Windows_Deployment_Services
[2] http://www.microsoft.com/download/en/details.aspx?id=17556
[3] http://www.microsoft.com/forefront/endpoint-protection/en/us/default.aspx
July 11th, 2011 7:18am

7. This will hide an account from the logon window, and if you like to use it you have to make it visible again, logged on as an admin, so I can see NO advantage. Also this will not prevent the account from being hidden in the user manager as far as I understand this article.

Hi Meinolf, just a small thing, little known: if the Administrator (or any other account) is hidden from the Welcome Screen, you can still log on using that account by pressing Ctrl-Alt-Del-Del. This will bring up the traditional logon screen, and the user can type Administrator (or whatever) in the User Name field, and log on if he/she knows the password. So what I'm saying is it doesn't have to be visible in the Welcome Screen for it to be used. And you are quite right, this will not hide the user from User Manager, or from Control Panel/User Accounts.

It is for this reason that I think having a global Local Admin password is very bad practice.
July 11th, 2011 8:03am
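
Added example, not written by anyone in this thread: a per-machine audit of the point made above, that an account hidden from the Welcome Screen is still a working member of the local Administrators group. It reads the standard Winlogon SpecialAccounts\UserList key (not quoted in the thread); the function names are this example's own, and PowerShell 2.0 or later is assumed.

```powershell
# Added example: list every member of the local Administrators group and
# mark the ones that are hidden from the Welcome screen.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\' +
            'Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccount {
    # Value names under this key are account names; DWORD 0 means the
    # account is not shown on the Welcome screen.
    if (-not (Test-Path $userList)) { return @() }
    $key = Get-Item -Path $userList
    @($key.GetValueNames() | Where-Object { $key.GetValue($_) -eq 0 })
}

function Get-LocalAdminMember {
    # Resolve the group by its well-known SID so the lookup also works on
    # Windows installations where the group name is localized.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$hidden = @(Get-HiddenLogonAccount)

# One row per administrator; hidden ones deserve a second look because
# nobody sees them at the logon screen.
Get-LocalAdminMember | ForEach-Object {
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        Account           = $_
        HiddenFromWelcome = ($hidden -contains $_)
    }
} | Select-Object Computer, Account, HiddenFromWelcome
```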

It is for this reason that I think having a global Local Admin password is very bad practice.

Also since any user may walk to another machine and log onto it using the admin credentials... not a good thing; privacy and security, amongst others, will get a bad hit from such a setup. Again, as I wrote, better abandoning the idea and planning a global AD migration.
July 11th, 2011 8:26am

A combination of Active Directory and Microsoft's System Center Configuration Manager sounds like a perfect fit for this scenario.

MS SCCM: http://www.microsoft.com/systemcenter/en/us/configuration-manager/cm-overview.aspx

Visit: anITKB.com, an IT Knowledge Base.
July 11th, 2011 11:45am

Sounds like most (if not all) of the people who replied suggested moving to AD (all in all that's NEEDED to install all the other bits and pieces), so, again, as I wrote in my original message, I think that you should start by planning and implementing your AD infrastructure, and then you may move on from there (and btw you'll find help here in case of problems).
July 11th, 2011 12:02pm

This topic is archived. No further replies will be accepted.
