How to promote a Windows Server domain user to a higher-privilege local group

Source: Internet
Author: User
Tags net command


By default, domain users are added to the local Users group after logon, but the Users group has too few permissions for tasks such as sharing and local printer installation. A feasible solution in a managed domain is therefore to promote the users in the Users group to the Power Users or Domain Admin group. Security risks increase, but in general the problems are not great.
1. Add the domain user to the local Power Users group. Script:

    Option Explicit
    Dim oWshNetwork
    Set oWshNetwork = WScript.CreateObject("WScript.Network")
    Dim sLogonComputerName
    ' Obtain the name of the currently logged-on computer
    sLogonComputerName = oWshNetwork.ComputerName
    ' WScript.Echo sLogonComputerName
    Dim oLocalGroup
    ' Obtain the local Power Users group object
    Set oLocalGroup = GetObject("WinNT://" + sLogonComputerName + "/Power Users,group")
    ' WScript.Echo oLocalGroup.Name
    ' Note: HENU-SOFTLAB in the next statement must be the same as the
    ' NetBIOS name of the domain, otherwise an error occurs
    If oLocalGroup.IsMember("WinNT://HENU-SOFTLAB/Domain Users") Then
        WScript.Quit
    Else
        oLocalGroup.Add "WinNT://HENU-SOFTLAB/Domain Users"
    End If

2. Add the domain user to the local Administrators group of the client using the net command (after logging on as the local administrator). The entire command:

    runas /user:administrator "net localgroup administrators domain.com\mmuser /add"

Command description: this command adds the MM account in the domain to the local Administrators group. Here, "administrator" is your administrator account on the local machine, "domain.com" is your domain name, and "mmuser" is the user whose permissions need to be raised. After you run the command, the system prompts you to enter the password of the administrator on the local machine, and then the command completes successfully. To remove the local administrator permission of MM, use:

    runas /user:administrator "net localgroup administrators domain.com\mmuser /del"

3. Promote a user in the Power Users group to the Administrators group. A .vbs script I wrote earlier is used to remotely promote users in the Power Users group to the Administrators group. Modify the following and add a batch file to implement the functions the original poster asked for. The following content is for reference:

    ' Expects three arguments: computername groupname username
    If WScript.Arguments.Count <> 3 Then
        WScript.Echo "Usage: cscript " & WScript.ScriptName & " computername groupname username" & vbCrLf
        WScript.Quit
    End If
    Set unNamedArguments = WScript.Arguments.Unnamed
    ' Bind to the Administrators group and the source group on the target computer
    Set objGroupAdm = GetObject("WinNT://" & unNamedArguments.Item(0) & "/Administrators,group")
    Set objGroupPower = GetObject("WinNT://" & unNamedArguments.Item(0) & "/" & unNamedArguments.Item(1) & ",group")
    ' Move the named user from the source group to Administrators
    For Each objUser In objGroupPower.Members
        If objUser.Name = unNamedArguments.Item(2) Then
            objGroupPower.Remove(objUser.ADsPath)
            objGroupAdm.Add(objUser.ADsPath)
            WScript.Echo("The user " & unNamedArguments.Item(0) & ":" & objUser.Name & " is changed to Administrators Group")
        End If
    Next
    ' end

4. In Group Policy, first upgrade the user's Users permission to the Power Users permission.
  * Open "Default Domain Policy" (on the domain controller) -> Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
  * Right-click -> Add Group -> "Power Users" -> double-click the group -> Members of this group -> Add -> DomainName\Domain Users.
  * On a Windows 2000 system, open Run and enter secedit /refreshpolicy machine_policy /enforce to apply the Group Policy.
  * On a Windows 2003 system, enter gpupdate /force.
OK, you only need to restart the client to upgrade the Users permission to the Power Users permission.

5. Add a domain user or domain group to a local group in an AD domain environment. Many users delete the Domain Admins group from the local Administrators group, which causes a lot of trouble for the domain administrator when performing management. You can use a script to automatically add the Domain Admins group to the local Administrators group when the computer starts. The script can be slightly modified to add any domain users or groups to a local group. The script is as follows:

    ' Add the domain administrators group to the local Administrators group of the computer.
    ' Mainly used to solve the problem of the domain administrators group being
    ' manually deleted from the local Administrators group.
    ' The script needs to be run on a computer that has been joined to the domain.
    ' The script can be modified to add any user or group to any group.
    Set WshNetwork = WScript.CreateObject("WScript.Network")
    ' Obtain the name of the current computer
    strComputer = WshNetwork.ComputerName
    ' Obtain the NetBIOS name of the current domain
    strDomain = WshNetwork.UserDomain
    ' Bind to the local Administrators group and the Domain Admins group.
    ' To add other users to another local group, change the group name or user name.
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
    Set objUser = GetObject("WinNT://" & strDomain & "/Domain Admins")
    ' Check the members of the local Administrators group;
    ' if Domain Admins is already a member, exit
    For Each objListUser In objGroup.Members
        If objListUser.Name = "Domain Admins" Then
            WScript.Quit
        End If
    Next
    ' Otherwise, add Domain Admins to the local Administrators group
    objGroup.Add(objUser.ADsPath)

Testing of method 5 showed that if you run the command on a machine that has not joined a domain, the system reports that the domain cannot be found.
On a machine that has joined the domain, there are two ways to run the command. Run as a user with domain permission, it reports that the user does not have local administrator permission. Run with local administrator permission, it reports that the user does not have domain administrator permission and cannot query the domain information. So we can only use the second method. For the domain x.com.corp, the command net localgroup administrators x\grp-it-sys /add is run under the local administrator as:

    runas /user:administrator "net localgroup administrators x\grp-it-sys /add"

This article is from guest Network.
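
To review what the methods above leave behind on a client, the following PowerShell audit is an added example, not part of the original article: it lists the members of the local Administrators and Power Users groups through the same WinNT provider the scripts use and flags broad principals such as Domain Users. The parameter names, the function name Get-LocalGroupMemberPath and the list of broad principals are assumptions chosen for illustration.

```powershell
# Added example: audit privileged local groups for broad domain principals.
# Group list and $BroadPrincipals are assumptions; adjust them to your environment.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string[]]$GroupNames = @('Administrators', 'Power Users'),
    [string[]]$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone')
)

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    # Same WinNT provider binding the article's scripts use
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.Invoke('Members'))) {
        # Members come back as raw COM objects, so read ADsPath via reflection
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

$findings = foreach ($groupName in $GroupNames) {
    try {
        $paths = @(Get-LocalGroupMemberPath -Computer $ComputerName -Group $groupName)
    } catch {
        Write-Warning "Cannot read group '$groupName' on ${ComputerName}: $($_.Exception.Message)"
        continue
    }
    foreach ($path in $paths) {
        # ADsPath looks like WinNT://DOMAIN/Name or WinNT://DOMAIN/COMPUTER/Name
        $name = ($path -split '/')[-1]
        [pscustomobject]@{
            Computer = $ComputerName
            Group    = $groupName
            Member   = $path -replace '^WinNT://', ''
            Broad    = $BroadPrincipals -contains $name
        }
    }
}

# Full membership listing, then a warning if any broad principal is present
$findings | Sort-Object Group, Member | Format-Table -AutoSize
$broad = @($findings | Where-Object Broad)
if ($broad.Count -gt 0) {
    Write-Warning "$($broad.Count) broad principal(s) hold privileged local group membership on $ComputerName"
}
```

A machine where method 1 or the Restricted Groups policy from method 4 has been applied will show Domain Users under Power Users with Broad set to True.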
