Make Primary User Local Admin via Task Sequence

UDA in User Driven Installation

I have been working on simplifying the deployment routine and increasing security for a customer.
They are migrating from a Ghost-deployment to SCCM 2012, and currently security has not been considered at all.

The current policy is that Domain Users is a member of every client's local Administrators group, which is just stupid: every user in the organization is an administrator on every PC.

If you prefer to use a command-prompt solution you could simply run this line in the Task Sequence.
It will add the username supplied during OS Deployment to the local administrators group.
This way only the Primary User gets elevated privileges over their PC (instead of the entire organization).

cmd /c net localgroup Administrators %SMSTSUdaUsers% /add

I also previously created a small VBS script for the same functionality.
The VBS script looks like this,

'	Configuration Manager Set UDA Local Admin - 2013-01-08
'	Enter UDA user during UDI wizard and this script will add that user to the local administrators group.

' The task sequence environment exposes the variables set during the UDI wizard
Set oTSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
Set objShell = WScript.CreateObject("WScript.Shell")
' Walk every TS variable and act only on SMSTSUdaUsers (the primary user chosen in the wizard)
For Each oVar In oTSEnv.GetVariables
	If (oVar = "SMSTSUdaUsers") Then
		strCmd = "net localgroup Administrators /add " & oTSEnv(oVar)
		' Hidden window (0) and wait for net.exe to finish (True) so the step does not continue early
		objShell.Run strCmd, 0, True
	End If
Next

I have integrated this SCCM installation with MDT, so I saved the script in the MDT\Scripts folder and added a Run Command Line step to my TS.
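The same step written as a PowerShell script, added here as an example and not part of the original post or the MDT scripts. It assumes it runs inside the task sequence (so the Microsoft.SMS.TSEnvironment COM object is available), that the log path variable _SMSTSLogPath is set, and a script file name of Set-UdaLocalAdmin.ps1. It goes beyond the one-liner above in two ways a practitioner will want: SMSTSUdaUsers can hold several comma-separated primary users, so the value is split before each name is added, and the step is idempotent and logs what it did next to smsts.log, which answers the "nothing in the Administrators group, where do I look?" question from the comments.

```powershell
# Added example, not from the original post. Assumes it runs as a task sequence step
# (Run Command Line: powershell.exe -ExecutionPolicy Bypass -File Set-UdaLocalAdmin.ps1)
# where the Microsoft.SMS.TSEnvironment COM object and _SMSTSLogPath are available.

$tsEnv   = New-Object -ComObject Microsoft.SMS.TSEnvironment
$logPath = Join-Path $tsEnv.Value('_SMSTSLogPath') 'SetUdaLocalAdmin.log'   # lands next to smsts.log

function Write-Log ([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" |
        Out-File -FilePath $logPath -Append -Encoding ascii
}

$udaValue = $tsEnv.Value('SMSTSUdaUsers')
if ([string]::IsNullOrWhiteSpace($udaValue)) {
    # No primary user was entered in the UDI wizard: nobody gets elevated, which is the safe default
    Write-Log 'SMSTSUdaUsers is empty; no primary user supplied. Nothing to do.'
    exit 0
}

# SMSTSUdaUsers may contain several users separated by commas; net.exe wants one name per argument
$users = $udaValue -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

foreach ($user in $users) {
    # Only accept DOMAIN\username form so a stray value cannot turn into an unexpected net.exe argument
    if ($user -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Log "Skipping '$user': not in DOMAIN\username form."
        continue
    }

    # Current membership, one member per output line; makes the step safe to re-run
    $current = & net localgroup Administrators 2>&1
    if ($current -contains $user) {
        Write-Log "'$user' is already a member of Administrators."
        continue
    }

    & net localgroup Administrators $user /add | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Log "Added '$user' to Administrators."
    } else {
        Write-Log "net localgroup failed for '$user' with exit code $LASTEXITCODE."
    }
}
```

net.exe is used rather than Add-LocalGroupMember so the script behaves the same on older Windows builds without the LocalAccounts module; the log file sits beside smsts.log, so the same F8 or post-deployment log review that finds task sequence problems also shows exactly which account was (or was not) added.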

Set UDA as Local administrator via Task Sequence

If you need to set up User Device Affinity (a prerequisite for this), I have written a guide on how to do that as well.

Hope this helped you.
Leave a comment and feel free to link this page on other forums.




  • Sean

    Can you give further details?

    Where in the task sequence do you run this script?
    Do you have any other options checked in the editor pane for running this script? Time-out? Package? Run as?


    March 14, 2013 — 22:51
  • Joakim

    Hi Sean,

    I'm running SCCM 2012 with integrated MDT.
    In my current Task Sequence I'm running this step right after "Install Applications" under "State Restore". Has been working flawlessly for me.

    I do not have sleep timers or anything else set next to it. The script file resides in the MDT package which has already been loaded by that point, so there is no reason to select "package" in this step.

    / Joakim

    March 20, 2013 — 10:07
  • Chris Thomas

    I have MDT integrated, but I am not using the MDT Boot Image. Must I?

    Since I'm not totally using the MDT integration yet and I'm on a crunch to automate the local admin group, I created a package that contains the VBS and a BAT to run the VBS. The package appears to be running without errors during OSD, but when I log in to the computer the Domain\User isn't listed in the Administrators group. Any ideas I could try to look at? Do I need to F8 during OSD and look at smsts.log?

    May 23, 2013 — 15:27
    • Joakim

      Hi Chris,

      First of all, thanks for stopping by!
      The important question is: are you running an MDT Task Sequence? Otherwise you need to put the files in a package and run the VBS/BAT file (which, to my understanding, you have). Checking the smsts.log is a good idea; you could also use F8 to troubleshoot and make sure the files are getting copied to the appropriate locations.
      / Joakim

      May 24, 2013 — 10:53
      • Chris Thomas

        I'm going to look into it myself once I have some more "free time", but I'm curious what benefits do you have with a MDT Task Sequence?

        I integrated originally based on guides that said I'd use it later, trust them…

        Your UDI post prompted me to look into UDI and the UDI Design Wizard a little bit yesterday between testing and it does interest me.

        May 24, 2013 — 12:53
  • Chris Thomas

    I got it working once I remembered KISS methodology. I ended up just throwing a Run Command in with:

    cmd /c net localgroup Administrators %SMSTSUdaUsers% /add

    Good enough for me. A more step-by-step for others looking to do this is posted here:

    May 24, 2013 — 12:37
    • Joakim

      Hi Chris,

      Nice solution, I'll add that to my original post.
      / Joakim

      May 28, 2013 — 11:36