Make Primary User Local Admin via Task Sequence – Jocha

UDA in User Driven Installation

I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost-deployment to SCCM 2012, and currently security has not been considered at all.

The current policy is that Domain Users is a member of every client's local Administrators group, which is just stupid.

If you prefer to use a command-prompt solution you could simply run this line in the Task Sequence.
It will add the username supplied during OS Deployment to the local administrators group.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization).

cmd /c net localgroup Administrators %SMSTSUdaUsers% /add

I also previously created a small VBS script for the same functionality.
The VBS script looks like this:

'	Configuration Manager Set UDA Local Admin - 2013-01-08
'	Enter UDA user during UDI wizard and this script will add that user to the local administrators group.

' The task sequence environment exposes the TS variables, including the UDA user from the wizard.
Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = WScript.CreateObject("WScript.Shell")
' Walk the TS variables and act only on SMSTSUdaUsers.
For Each oVar In oTSEnv.GetVariables
	If (oVar = "SMSTSUdaUsers") Then
		strCmd = "net localgroup Administrators /add " & oTSEnv(oVar)
		objShell.Run (strCmd)
	End If
Next

I have integrated this SCCM installation with MDT so I saved the script in the MDT\Scripts-folder and added a Run Command Line step to my TS.

Set UDA as Local administrator via Task Sequence
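
A PowerShell variant of the same step, as an added example that is not part of the original post: it checks each entry typed into the UDI wizard before using it, and addresses the Administrators group by its well-known SID so it also works on non-English Windows, where the group name is localized. It assumes Windows PowerShell 5.1 or later in the deployed OS and that SMSTSUdaUsers holds DOMAIN\user entries, comma-separated when several are given; the function names and the sample value are made up for illustration.

```powershell
# Added example, not from the original post. Function names are hypothetical.
$AdminSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group

function Get-ValidUdaAccount {
    param([string]$RawValue)
    # Assumption: entries are NetBIOS DOMAIN\user, comma-separated when several.
    $pattern = '^[A-Za-z0-9][A-Za-z0-9.-]{0,14}\\[^"/\\\[\]:;|=,+*?<>@\s]{1,20}$'
    foreach ($entry in ($RawValue -split ',')) {
        $name = $entry.Trim()
        if (-not $name) { continue }
        if ($name -match $pattern) { $name }
        else { Write-Warning "Rejected UDA entry: '$name'" }
    }
}

function Add-LocalAdmin {
    param([string[]]$Account)
    foreach ($a in $Account) {
        try {
            Add-LocalGroupMember -SID $AdminSid -Member $a -ErrorAction Stop
            Write-Output "Added $a"
        } catch {
            # Already a member, unresolvable account, etc.: log and carry on.
            Write-Warning "Could not add ${a}: $($_.Exception.Message)"
        }
    }
}

try {
    # This COM object only exists while a task sequence is running.
    $ts  = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $raw = $ts.Value('SMSTSUdaUsers')
    $inTaskSequence = $true
} catch {
    $raw = 'CONTOSO\alice, Domain Users'   # constructed sample for a dry run
    $inTaskSequence = $false
}

$accounts = @(Get-ValidUdaAccount -RawValue $raw)
if ($inTaskSequence) { Add-LocalAdmin -Account $accounts }
else { "Dry run, would add: $($accounts -join ', ')" }
```

Run outside a task sequence it only prints what it would add; with the sample value that is CONTOSO\alice, and the bare "Domain Users" entry is rejected.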

If you need to set up User Device Affinity (a prerequisite), I have written a guide on how to do that as well.

Hope this helped you.
Leave a comment and feel free to link this page on other forums.