I've come up with the need to create alternate local admin accounts. While I'm doing that, I also want to add a domain account into a local group (not sure of power user, local admin, etc. yet) for machine admin without the account having enhanced domain rights.
I'm trying to figure out the best way to achieve this - .bat/.ps1, GPO, etc.
GPO seems to be the Answer to All Things now, so I checked that out a little. Is Restricted Groups (here and here) still the way to go for giving domain accounts local group memberships?
It looks like MS has removed the ability to use GPO to create local accounts, so I'll treat that part separately. I found an old .cmd script that I can base things on. I barely recognize it, so I'm up for redoing it in PowerShell - any alternate suggestions?
for /F "tokens=1" %%A in (c:\scripts\computers.txt) do runas /user:[email protected] /savecred /noprofile "psexec \\%%A -h net user LocalAdmin RandomPass87 /ADD /FULLNAME:\"Local Admin User\""
for /F "tokens=1" %%A in (c:\scripts\computers.txt) do runas /user:[email protected] /savecred /noprofile "psexec \\%%A -h net localgroup Administrators LocalAdmin /ADD"
for /F "tokens=1" %%A in (c:\scripts\computers.txt) do runas /user:[email protected] /savecred /noprofile "psexec \\%%A -h net user administrator /active:no"
for /F "tokens=1" %%A in (c:\scripts\computers.txt) do echo %%A
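
A PowerShell version of the script above, as an added example that is not from the original post: it gives each machine its own random password instead of one shared value on the command line, and it finds the Administrators group and the built-in Administrator by SID rather than by name. It assumes PowerShell 5.1 with remoting (WinRM) enabled on the targets and an operator account that already has admin rights on them; `EXAMPLE\Workstation-Admins` is a hypothetical domain group, and using the Administrators group for it is an assumption.

```powershell
# Added example, not the poster's script. Names marked "hypothetical" are assumptions.
$computers   = Get-Content 'C:\scripts\computers.txt'  # same list the .cmd script reads
$localName   = 'LocalAdmin'                            # account name used in the post
$domainGroup = 'EXAMPLE\Workstation-Admins'            # hypothetical domain group

function New-RandomPassword {
    param([int]$Length = 24)
    # 64-character alphabet, so a random byte mod 64 maps onto it without bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+-_='
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$remoteWork = {
    param($Name, $Password, $DomainGroup)
    $ErrorActionPreference = 'Stop'
    $admins = 'S-1-5-32-544'  # well-known SID of the local Administrators group
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $Password      # rotate an existing account
    } else {
        New-LocalUser -Name $Name -Password $Password -FullName 'Local Admin User' | Out-Null
    }
    foreach ($member in $Name, $DomainGroup) {
        try { Add-LocalGroupMember -SID $admins -Member $member }
        catch { if ($_.Exception.GetType().Name -ne 'MemberExistsException') { throw } }
    }
    # The built-in Administrator is the local account with RID 500, whatever its name.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
}

$results = foreach ($computer in $computers) {
    $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    try {
        Invoke-Command -ComputerName $computer -ScriptBlock $remoteWork `
            -ArgumentList $localName, $secure, $domainGroup -ErrorAction Stop
        $status = 'OK'
    } catch {
        $status = $_.Exception.Message   # keep the password: the account may already use it
    }
    [pscustomobject]@{ Computer = $computer; Account = $localName; Password = $secure; Status = $status }
}
# $results holds one SecureString per machine; store them in your password vault.
$results | Format-Table Computer, Account, Status
```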