I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost deployment to SCCM 2012, and currently security has not been considered at all.
The current policy is that Domain Users is a member of all the clients' local Administrators group, which is just stupid.
If you prefer to use a command-prompt solution, you could simply run this line in the Task Sequence.
It will add the username supplied during OS Deployment to the local administrators group.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization).
cmd /c net localgroup Administrators %SMSTSUdaUsers% /add
I also previously created a small VBS script for the same functionality.
The VBS script looks like this:

' Configuration Manager Set UDA Local Admin - heineborn.com 2013-01-08
'
' Enter UDA user during UDI wizard and this script will add that user to the local administrators group.
Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = Wscript.CreateObject("Wscript.Shell")

' Walk every task sequence variable and act only on the UDA user variable.
For Each oVar In oTSEnv.GetVariables
    If (oVar = "SMSTSUdaUsers") Then
        ' Add the user entered in the UDI wizard to the local Administrators group.
        strCmd = "net localgroup Administrators /add " & oTSEnv(oVar)
        objShell.Run (strCmd)
    End If
Next
I have integrated this SCCM installation with MDT, so I saved the script in the MDT\Scripts folder and added a Run Command Line step to my TS.
If you need to set up User Device Affinity (a prerequisite), I have written a guide on how to do that as well.
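As an added example (not the original post's script), the same step written in PowerShell: it also handles SMSTSUdaUsers listing several primary users separated by commas, skips users that are already members, and logs each action so the result can be audited afterwards. It assumes Windows 10 / PowerShell 5.1 for Add-LocalGroupMember, and the log path is an assumption.

```powershell
# Added example, not from the original post: add each UDA primary user to the
# local Administrators group from a Task Sequence "Run PowerShell Script" step.
# Assumes Windows 10 / PowerShell 5.1 (Add-LocalGroupMember) and that
# SMSTSUdaUsers holds "DOMAIN\user" entries, comma-separated when several exist.

$tsLog = 'C:\Windows\Temp\Set-UdaLocalAdmin.log'   # assumed log path
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $tsLog
}

try {
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
} catch {
    Write-Log 'Not running inside a task sequence; nothing to do.'
    exit 1
}

$raw = $tsEnv.Value('SMSTSUdaUsers')
if ([string]::IsNullOrWhiteSpace($raw)) {
    Write-Log 'SMSTSUdaUsers is empty; leaving Administrators unchanged.'
    exit 0
}

# Only accept DOMAIN\user tokens so a malformed value cannot add something unexpected.
$users = $raw -split ',' | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[^\\\s]+\\[^\\\s]+$' }

foreach ($user in $users) {
    $already = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $user }
    if ($already) {
        Write-Log "$user is already a local administrator."
        continue
    }
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $user -ErrorAction Stop
        Write-Log "Added $user to Administrators."
    } catch {
        Write-Log "Failed to add ${user}: $($_.Exception.Message)"
    }
}
```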
Hope this helped you.
Leave a comment and feel free to link this page on other forums.