Make Primary User Local Admin via Task Sequence

UDA in User Driven Installation

I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost-deployment to SCCM 2012, and currently security has not been considered at all.

The current policy is that Domain Users is set to be in all the clients local Administrators-group, which is just stupid.

If you prefer to use a command-prompt solution you could simply run this line in the Task Sequence.
It will add the username supplied during OS Deployment to the local administrators group.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization).

cmd /c net localgroup Administrators %SMSTSUdaUsers% /add

I also previously created a small VBS script for the same functionality.
The VBS script looks like this,

'	Configuration Manager Set UDA Local Admin - heineborn.com 2013-01-08
'
'	Enter UDA user during UDI wizard and this script will add that user to the local administrators group.

Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = Wscript.CreateObject ("Wscript.Shell")
For Each oVar In oTSEnv.GetVariables
	If (ovar = "SMSTSUdaUsers") Then
		strCmd = "net localgroup Administrators /add " & otsenv(ovar)
		objShell.Run (strCmd)
	End If
Next

I have integrated this SCCM installation with MDT so I saved the script in the MDT\Scripts-folder and added a Run Command Line step to my TS.

Set UDA as Local adminstrator via Task Sequence

If you need to set up User Device Affinity (prerequisite) I have written a guide how to do that aswell.

Hope this helped you.
Leave a comment and feel free to link this page on other forums.

7 Comments

  1. Can you give further details?

    Where in the task sequence do you run this script?
    Do you have any other options checked in the editor pane for running this script? Time-out? Package? Run as?

    Thanks!

    Reply
  2. Joakim

    Hi Sean,

    I'm running SCCM 2012 with integrated MDT.
    In my current Task Sequence I'm running this step right after "Install Applications" under "State Restore". Has been working flawlessly for me.

    I do not have sleep timers or anything else set next to it. The script file resides in the MDT package which has already been loaded by that point, so there is no reason to select "package" in this step.

    / Joakim

    Reply
  3. I have MDT integrated, but I am not using the MDT Boot Image. Must I?

    Since I'm not totally using the MDT integration yet and I'm on a crunch to automate the local admin group I created a package that contains the VBS and a BAT to run the VBS. The package appears to be running without errors during OSD, but when I login to the computer the Domain\User isn't listed in the Administrators group. Any ideas I could try to look at? Do I need to F8 during OSD and look at smsts.log?

    Reply
    • Joakim

      Hi Chris,

      First of all, thanks for stopping by!
      The important question is are you running a MDT Task sequence? Otherwise you need to put the files in a package and run the VBS/BAT file (which to my understanding you have). Checking the smsts.log is a good idea, you could also use F8 to troubleshoot and make sure the files are getting copied to the appropriate locations.
      / Joakim

      Reply
      • I'm going to look into it myself once I have some more "free time", but I'm curious what benefits do you have with a MDT Task Sequence?

        I integrated originally based on guides that said I'd use it later, trust them…

        Your UDI post prompted me to look into UDI and the UDI Design Wizard a little bit yesterday between testing and it does interest me.

    • Joakim

      Hi Chris,

      Nice solution, I'll add that to my original post.
      Cheers!
      / Joakim

      Reply

Submit a Comment

Your email address will not be published.

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>