Need a simple way to add a local computer account to the a..

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In my environment, which is still an NT 4 domain, but 90% XP clients, I need
to add the NT Authority\System account to the local administrtors group on
all of my computers. I would imagine scripting is the way to go. If so, can
anyone point me in the direction of how to write that script (I am a novice
script writer.. nothing past a basic batch file), or is there aother way that
I can get that account into the local administrators group.

Signed HELP

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello Booker,

The System account is not network routable. It has no authority outside of
the local machine account. What exactly are you looking to accomplish?


This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

When using SMS, when i try to distribute XP sp2, or MS office, or anything
that requires administrative crednetials, SMS will use either the priviliges
of the logged on user, or the NT AUthority\System account. In our
environment, the NT Authority\System Account was removed from the
administrators group in our image before we pushed it out to all of the
machines. Now I want to see if it is possible to put that account back in
the admin group via a script, logon script, or some type of method other than
SNEAKER NET

The alternative is to try and figure out how to embed some admin credentials
in the executable file that I am pushing out


"Curtis Clay III [MSFT]" wrote:

>
> Hello Booker,
>
> The System account is not network routable. It has no authority outside of
> the local machine account. What exactly are you looking to accomplish?
>
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"BookerW" <BookerW@discussions.microsoft.com> wrote in message
newsA17FD5F-5C16-4CD5-81E2-B53285B9EE63@microsoft.com...
> When using SMS, when i try to distribute XP sp2, or MS office, or anything
> that requires administrative crednetials, SMS will use either the
> priviliges
> of the logged on user, or the NT AUthority\System account. In our
> environment, the NT Authority\System Account was removed from the
> administrators group in our image before we pushed it out to all of the
> machines. Now I want to see if it is possible to put that account back in
> the admin group via a script, logon script, or some type of method other
> than
> SNEAKER NET
>
> The alternative is to try and figure out how to embed some admin
> credentials
> in the executable file that I am pushing out
>
>

You can use the NET LOCALGROUP command in a batch file...

But by default (out of the box install), NT AUTHORITY\SYSTEM is *not* a
member of the administrators group.



--
Colin Nash
Microsoft MVP
Windows Shell/User

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

i am "slowly" becoming a batch file/scripting guru, so if you could provide
te exact command line to put in batch file, that would help. Would I be able
to remove the account as well with this command. While i wait on your reply,
i will look at the net localgroup /? options. Thanks


"Colin Nash [MVP]" wrote:

>
> "BookerW" <BookerW@discussions.microsoft.com> wrote in message
> newsA17FD5F-5C16-4CD5-81E2-B53285B9EE63@microsoft.com...
> > When using SMS, when i try to distribute XP sp2, or MS office, or anything
> > that requires administrative crednetials, SMS will use either the
> > priviliges
> > of the logged on user, or the NT AUthority\System account. In our
> > environment, the NT Authority\System Account was removed from the
> > administrators group in our image before we pushed it out to all of the
> > machines. Now I want to see if it is possible to put that account back in
> > the admin group via a script, logon script, or some type of method other
> > than
> > SNEAKER NET
> >
> > The alternative is to try and figure out how to embed some admin
> > credentials
> > in the executable file that I am pushing out
> >
> >
>
> You can use the NET LOCALGROUP command in a batch file...
>
> But by default (out of the box install), NT AUTHORITY\SYSTEM is *not* a
> member of the administrators group.
>
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

And, under what security context does the batch file run. Wouldn't i need
administrator rights to add the account to the group?!

"Colin Nash [MVP]" wrote:

>
> "BookerW" <BookerW@discussions.microsoft.com> wrote in message
> newsA17FD5F-5C16-4CD5-81E2-B53285B9EE63@microsoft.com...
> > When using SMS, when i try to distribute XP sp2, or MS office, or anything
> > that requires administrative crednetials, SMS will use either the
> > priviliges
> > of the logged on user, or the NT AUthority\System account. In our
> > environment, the NT Authority\System Account was removed from the
> > administrators group in our image before we pushed it out to all of the
> > machines. Now I want to see if it is possible to put that account back in
> > the admin group via a script, logon script, or some type of method other
> > than
> > SNEAKER NET
> >
> > The alternative is to try and figure out how to embed some admin
> > credentials
> > in the executable file that I am pushing out
> >
> >
>
> You can use the NET LOCALGROUP command in a batch file...
>
> But by default (out of the box install), NT AUTHORITY\SYSTEM is *not* a
> member of the administrators group.
>
>
>
> --
> Colin Nash
> Microsoft MVP
> Windows Shell/User
>
>
>

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I just tested a simple bacth script

net localgroup administrators /add system

if it tries to run under a non administrative account, i get a
System error 5 has occurred: Access is denied


Which i expected, so i still need to find a way to pass along admin
credentials to perform some of thee tasks.......
"BookerW" wrote:

>
> And, under what security context does the batch file run. Wouldn't i need
> administrator rights to add the account to the group?!
>
> "Colin Nash [MVP]" wrote:
>
> >
> > "BookerW" <BookerW@discussions.microsoft.com> wrote in message
> > newsA17FD5F-5C16-4CD5-81E2-B53285B9EE63@microsoft.com...
> > > When using SMS, when i try to distribute XP sp2, or MS office, or anything
> > > that requires administrative crednetials, SMS will use either the
> > > priviliges
> > > of the logged on user, or the NT AUthority\System account. In our
> > > environment, the NT Authority\System Account was removed from the
> > > administrators group in our image before we pushed it out to all of the
> > > machines. Now I want to see if it is possible to put that account back in
> > > the admin group via a script, logon script, or some type of method other
> > > than
> > > SNEAKER NET
> > >
> > > The alternative is to try and figure out how to embed some admin
> > > credentials
> > > in the executable file that I am pushing out
> > >
> > >
> >
> > You can use the NET LOCALGROUP command in a batch file...
> >
> > But by default (out of the box install), NT AUTHORITY\SYSTEM is *not* a
> > member of the administrators group.
> >
> >
> >
> > --
> > Colin Nash
> > Microsoft MVP
> > Windows Shell/User
> >
> >
> >

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"BookerW" <BookerW@discussions.microsoft.com> wrote in message
news:A5153F37-2A1C-4D31-B7C8-92BAB41B9B74@microsoft.com...
>
> I just tested a simple bacth script
>
> net localgroup administrators /add system
>
> if it tries to run under a non administrative account, i get a
> System error 5 has occurred: Access is denied
>
>
> Which i expected, so i still need to find a way to pass along admin
> credentials to perform some of thee tasks.......


OK... you can remotely manage local groups from your own workstation, logged
on with your credentials (as long as the remote system is turned on, of
course.)

On your XP machine, go to Start--> Run and type COMPMGMT.MSC
Right-click on top where it says "Computer Management (Local)" ... choose
"Connect to another computer" and type the name of the remote system.
There's a local users and groups area where you can do what you need to do.

You can also use a command-line version... cusrmgr.exe available in the
Windows 2000/2003 resource kit. See
http://support.microsoft.com/?kbid=297307 for a similar but slightly
different scenario.

This is of course a bit tedious because you need to manually punch in the
computer names so there are some third-party tools that will let you
highlight all online computers in the domain and do this in one shot. A
popular tool is Hyena (and it can do a LOT more... great tool for network
admins) See http://www.systemtools.com/index.html Of course, there is a
cost but they have a free trial.


--
Colin Nash
Microsoft MVP
Windows Shell/User