06/21/2017 1014 views
Hi ALL 

I would like to set up an account for all my machines. This account should not be created as a domain account but rather a local machine account, pushed via Group Policy. Is that something I can do? Would greatly appreciate any help.

So, scenario: if I had a machine and it lost its trust with the domain, I would need a machine admin account to get back into it. How do I set up the admin account from Group Policy instead of going to each machine and setting it up individually?

Regards

All Answers

1

I had to wait a whole 0.66 seconds for Google to get me that. Damned inconvenient if you ask me!
Answered 06/22/2017 by: VBScab
Red Belt

  • I'm not against snarky answers generally. But the link you provided does not answer the question asked. Wrong answers and snark just don't look good together.
  • What are you talking about? This has nothing to do with my question...
1
> Wrong answers and snark just don't look good together.
Like so many here, you've missed the point.

I *could* have posted this link (0.59 seconds) but:
- I do pretty much everything like this by script, mostly because I like to log success and failure of actions, rather than leave things to chance, especially when management has a tendency to ask questions like "How many machines now have the local admin account?" I don't want to answer, "Well, I set up the GP so we'll just have to wait indefinitely until they're all done."
- one kind of hopes that the OP gets a clue and next time tries to help themselves before asking basic questions.
Answered 06/22/2017 by: VBScab
Red Belt

  • I did consider the fact that you could script adding a local admin account quite easily using the method you linked. However, the script would have to contain the local administrator password in the batch file. In plain text. Running such a script securely is not a trivial task.
    By the way, your second link also does not satisfy the original request. Those instructions add a domain group, domain account, or already existing local account to the local admin group. What is wanted here is creating a new local account and adding that to the local admin group.
    • >Those instructions add a domain group, domain account, or already existing local account to the local admin group
      Yeah, because adding a domain account is so wildly different to adding a local account, isn't it? What with that and the almost impossible task of looking up the command syntax for the NET command...what was I thinking?
  • Dude, shut up, your acting all high and mighty and yet you don't even have a clue what my question is... Some of us might just be starting out, others might just have limited experience. We are not all experts; that's why these forums are here, to assist those who have questions. Grow up AH
    • [your] you're

      So here are the next steps that a professional person would've taken.

      - Read between the lines of the content that was linked to.
      - Grasp the inference that one could build a script to perform the job
      - Build, test and deploy the script
1
We used to do this using Group Policy Preferences, but this method has been deprecated by Microsoft and is disabled. See https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/ for details.

The best current solution I've been able to find is a PowerShell script posted to MSDN at https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789. It appears to require software which has a licensing fee if used for more than 25 computers, which, for me, is not worth the price. YMMV.
Answered 06/22/2017 by: MichaelMc
Orange Senior Belt
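
MS14-025 stopped new passwords from being saved through Group Policy Preferences but did not remove ones already stored in SYSVOL, so a check for leftovers is worth running. The following PowerShell is an added example, not part of the answer above or of any Microsoft tooling; the function name, the placeholder path and the sample XML are assumptions constructed for illustration.

```powershell
# Added example (not from the thread). Find-GppStoredPassword is a hypothetical name.
# Reports Group Policy Preferences XML files that still carry a cpassword attribute.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Policies folder to audit, e.g. \\<domain>\SYSVOL\<domain>\Policies (placeholder)
        [Parameter(Mandatory)][string]$PolicyRoot
    )
    # Preference files that could store a password before MS14-025
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml',
             'DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $PolicyRoot -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Could not parse $($file.FullName)"; return }
            # Every element with a non-empty cpassword attribute; the value is never printed
            foreach ($node in $doc.SelectNodes('//*[@cpassword!=""]')) {
                [pscustomobject]@{
                    File    = $file.FullName
                    Gpo     = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                    Item    = $node.ParentNode.GetAttribute('name')
                    Changed = $node.ParentNode.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample so the function can be tried offline; the cpassword value is a dummy.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin (constructed)" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-DUMMY-VALUE"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GppStoredPassword -PolicyRoot $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Any file it reports should have the stored password removed from the preference item, and the account's password changed.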

1
> What is wanted here is creating a new local account and adding that to the local admin group.
...which would be beyond the OP's skill-set?

> Running such a script securely is not a trivial task.
Not really. The details could be concealed in an ADS referenced by the script, or the script could be obfuscated by converting it to an EXE.

I did neither. I built a tool (an HTA) that can walk an AD group or an OU and run any command of my choosing against machines found therein, logging success or failure at different levels (e.g. machine not responding to PINGs, action failed, etc., etc.)  Groups and/or individual machines can be excluded. It can run the command on the admin workstation or on the target machine itself. It can be set to execute at a future date and/or time and it can export its results to Excel.

It can be found using Google.
Answered 06/22/2017 by: VBScab
Red Belt

  • "It can be found using Google."
    So instead of providing a link to that result, you chose to offer links to two other google search results which don't answer the question. An interesting choice.
    • The guy is a typical arrogant AH, don't bother.