Ignoring the fact that giving admin rights is inadvisable.
Two possibilities exist, that I can think of, but require scripting.
The first assumes your PCs have the main user's user id in the name as an
identifier, and as you are adding machines to an AD you could rename them
when you do that. You could parse the machine name, e.g. OU-PC-USERNAME, to
split on -, take the third part of the split and then use something like:
net localgroup administrators USERNAME /ADD to add the user to the local
machine's Administrators group.
Alternatively, and even less secure, is to add the users from a specific
group, or OU, to administrators by adding the domain group or OU members to
administrators as above. This would work if you have useable user groups and
OUs for this function that work together, e.g. finance users. You would also
need some sort of filtering for the machines as well, for example they are
in sub OUs which identify them with specific users, e.g. finance/computers.
Your script could then parse the FQDN to get the identifier OU and use that
to add the relevant user group/OU, e.g. finance-users.
Obviously specifics are dependent upon your OU structure, naming conventions
etc.
Adrian Pettitt
Loughborough University
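
The first approach from the message above, sketched in PowerShell as an added example (not part of the original message). The OU-PC-USERNAME pattern comes from the message; the EXAMPLE domain name, the parameter names and the helper function are assumptions, and the script only reports what it would do unless -Apply is given.

```powershell
# Added example, not from the original message.
# Assumes machine names follow OU-PC-USERNAME and that EXAMPLE is the
# domain's NetBIOS name (placeholder; replace with your own).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$Domain = 'EXAMPLE',
    [switch]$Apply
)

function Get-OwnerFromComputerName {
    param([string]$Name)
    # Require exactly three '-'-separated parts: OU, PC, USERNAME.
    $parts = $Name -split '-'
    if ($parts.Count -ne 3) { return $null }
    $user = $parts[2]
    # Accept only a conservative character set so a malformed name never
    # ends up as a group member. NetBIOS computer names are limited to
    # 15 characters, so long user ids will not fit this scheme.
    if ($user -notmatch '^[A-Za-z0-9._]+$') { return $null }
    return $user
}

$user = Get-OwnerFromComputerName -Name $ComputerName
if (-not $user) {
    Write-Warning "Name '$ComputerName' does not match OU-PC-USERNAME; nothing changed."
    return
}

$member   = "$Domain\$user"
$adminSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group
$current  = Get-LocalGroupMember -SID $adminSid | Select-Object -ExpandProperty Name

if ($current -contains $member) {
    Write-Output "$member is already a local administrator."
} elseif ($Apply) {
    Add-LocalGroupMember -SID $adminSid -Member $member -ErrorAction Stop
    Write-Output "Added $member to local Administrators."
} else {
    # Dry run: show the intended change and the existing membership for review.
    Write-Output "Would add $member (re-run with -Apply). Current members:"
    $current
}
```

Using the group's well-known SID instead of its name keeps the script working on installations where the Administrators group is localized or renamed.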