I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost-deployment to SCCM 2012, and currently security has not been considered at all.
The current policy is that Domain Users is set to be in all the clients local Administrators-group, which is just stupid.
If you prefer to use a command-prompt solution you could simply run this line in the Task Sequence.
It will add the username supplied during OS Deployment to the local administrators group.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization).
cmd /c net localgroup Administrators %SMSTSUdaUsers% /add
I also previously created a small VBS script for the same functionality.
The VBS script looks like this,
' Configuration Manager Set UDA Local Admin - heineborn.com 2013-01-08
'
' Enter UDA user during UDI wizard and this script will add that user to the local administrators group.
Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = Wscript.CreateObject ("Wscript.Shell")
For Each oVar In oTSEnv.GetVariables
If (ovar = "SMSTSUdaUsers") Then
strCmd = "net localgroup Administrators /add " & otsenv(ovar)
objShell.Run (strCmd)
End If
Next
I have integrated this SCCM installation with MDT so I saved the script in the MDT\Scripts-folder and added a Run Command Line step to my TS.
If you need to set up User Device Affinity (prerequisite) I have written a guide how to do that aswell.
Hope this helped you.
Leave a comment and feel free to link this page on other forums.
Can you give further details?
Where in the task sequence do you run this script?
Do you have any other options checked in the editor pane for running this script? Time-out? Package? Run as?
Thanks!
Hi Sean,
I'm running SCCM 2012 with integrated MDT.
In my current Task Sequence I'm running this step right after "Install Applications" under "State Restore". Has been working flawlessly for me.
I do not have sleep timers or anything else set next to it. The script file resides in the MDT package which has already been loaded by that point, so there is no reason to select "package" in this step.
/ Joakim
I have MDT integrated, but I am not using the MDT Boot Image. Must I?
Since I'm not totally using the MDT integration yet and I'm on a crunch to automate the local admin group I created a package that contains the VBS and a BAT to run the VBS. The package appears to be running without errors during OSD, but when I login to the computer the Domain\User isn't listed in the Administrators group. Any ideas I could try to look at? Do I need to F8 during OSD and look at smsts.log?
Hi Chris,
First of all, thanks for stopping by!
The important question is are you running a MDT Task sequence? Otherwise you need to put the files in a package and run the VBS/BAT file (which to my understanding you have). Checking the smsts.log is a good idea, you could also use F8 to troubleshoot and make sure the files are getting copied to the appropriate locations.
/ Joakim
I'm going to look into it myself once I have some more "free time", but I'm curious what benefits do you have with a MDT Task Sequence?
I integrated originally based on guides that said I'd use it later, trust them…
Your UDI post prompted me to look into UDI and the UDI Design Wizard a little bit yesterday between testing and it does interest me.
I got it working once I remembered KISS methodology. I ended up just throwing a Run Command in with:
cmd /c net localgroup Administrators %SMSTSUdaUsers% /add
Good enough for me. A more step-by-step for others looking to do this is posted here:
http://www.reddit.com/r/SCCM/comments/1ewov1/making_uda_primary_user_part_of_local/
Hi Chris,
Nice solution, I'll add that to my original post.
Cheers!
/ Joakim
Tried using that cmd command to add users to the administrators group in OSD, After the machine has finished imaging the users are still not in that group. Any ideas?
Hi Greg,
Are you using "User Device Affinity", and are you supplying the input as "Domain\User"?
Best regards,
Joakim