PC Review


Add Domain Group to Local Admin Group

mark
7th May 2004
Is there a simple way to have Win2k and WinXP machines
automatically add an additional domain group to the local
Administrators group when logging in? I want to keep the
existing domain group intact on the local machine and
just add another.
Oli Restorick [MVP]
8th May 2004
As you hint at, the Restricted Groups feature of Group Policy replaces the
existing group membership.

Here's what I do. I configure a GPO for the OU containing my workstations.
I set a computer startup script (so it runs in the context of the machine)
and run the following command:

net localgroup administrators domain\group /add

In the dialogue box, I have "net" as the command and the remainder as the
parameters.

Hope this helps

Oli




"mark" <(E-Mail Removed)> wrote in message
news:a0b501c43479$51563d70$(E-Mail Removed)...
> Is there a simple way to have Win2k and WinXP machines
> automatically add an additional domain group to the local
> Administrators group when logging in? I want to keep the
> existing domain group intact on the local machine and
> just add another.
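An idempotent version of the startup script described in the reply above, added here as an example and not taken from any post in the thread. It checks the current membership of the local Administrators group before calling "net localgroup ... /add", so repeated startups do not fail with "already a member", and it records what happened in a log file. The group name (DOMAIN\WorkstationAdmins) and the log path are placeholders, not values from the thread.

```batch
@echo off
rem Computer startup script: runs as the machine account, so no user logon is
rem needed. Adds the domain group in GROUPNAME to the local Administrators group
rem only when it is not already a member. The group name and log path below are
rem placeholders for your environment (assumptions, not from the thread).
setlocal
set "GROUPNAME=DOMAIN\WorkstationAdmins"
set "LOGFILE=%SystemRoot%\Temp\add-localadmin.log"

rem "net localgroup administrators" prints the current members one per line in
rem DOMAIN\name form; findstr /i /x matches a whole line, case-insensitively.
net localgroup administrators | findstr /i /x /c:"%GROUPNAME%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: %GROUPNAME% already a member>>"%LOGFILE%"
    endlocal
    exit /b 0
)

rem Not a member yet: add the group and record success or failure.
net localgroup administrators "%GROUPNAME%" /add >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %GROUPNAME%>>"%LOGFILE%"
    endlocal
    exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME%: added %GROUPNAME%>>"%LOGFILE%"
endlocal
exit /b 0
```

Point the GPO's computer startup script at this file; the GPO itself still has to be scoped to the workstation OU (or filtered by group) so that servers in the same container do not pick it up.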



 
Laura
23rd May 2004
We currently have a machine login script that actually runs (yes, we
fought long and hard to get it to do so). Unfortunately, our newly
upgraded domain tree is still flat with the servers in the same
container as the workstations. We have a group we wish to add to the
local administrator group of the workstations only. If we apply the
script to users we run into a similar problem as Domain Administrator
and other server-specific domain users are also in the same container as
all the other users.

I've been looking at combining the "net localgroup" concept with
IfMember. Does IfMember work with computer accounts or just user
accounts?

If with computer accounts:

ifmember workstations
if not errorlevel 1 exit
net localgroup administrators domain\group /add

If only with user accounts:

ifmember mortalUsers
if not errorlevel 1 exit
net localgroup administrators domain\group /add


Oli Restorick [MVP] wrote:
> As you hint at, the Restricted Groups feature of Group Policy replaces the
> existing group membership.
>
> Here's what I do. I configure a GPO for the OU containing my workstations.
> I set a computer startup script (so it runs in the context of the machine)
> and run the following command:
>
> net localgroup administrators domain\group /add
>
> In the dialogue box, I have "net" as the command and the remainder as the
> parameters.
>
> Hope this helps
>
> Oli
>
>
>
>
> "mark" <(E-Mail Removed)> wrote in message
> news:a0b501c43479$51563d70$(E-Mail Removed)...
>
>> Is there a simple way to have Win2k and WinXP machines
>> automatically add an additional domain group to the local
>> Administrators group when logging in? I want to keep the
>> existing domain group intact on the local machine and
>> just add another.


Oli Restorick [MVP]
23rd May 2004
Hi Laura

You can do this very easily with GPO. If you right-click the GPO, you'll
find that you can change the security options for the GPO. Remove the
default apply option for "authenticated users" and add the specific security
group(s) you want. This is known as filtering.

I'd recommend you move your servers to one OU and your workstations to
another for ease of management.

Also, you should be aware that if you log in to any of these workstations
using a domain administrator account, those you have given administrative
access to the machine could become domain administrators with a bit of
scripting. It depends on your environment as to whether you see this as a
threat.

Hope this helps

Oli


"Laura" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> We currently have a machine login script that actually runs (yes, we
> fought long and hard to get it to do so). Unfortunately, our newly
> upgraded domain tree is still flat with the servers in the same container
> as the workstations. We have a group we wish to add to the local
> administrator group of the workstations only. If we apply the script to
> users we run into a similar problem as Domain Administrator and other
> server-specific domain users are also in the same container as all the
> other users.
>
> I've been looking at combining the "net localgroup" concept with
> IfMember. does IfMember work with computer accounts or just user
> accounts???
>
> If with computer accounts:
>
> ifmember workstations
> if not errorlevel 1 exit
> net localgroup administrators domain\group /add
>
> If only with user accounts:
>
> ifmember mortalUsers
> if not errorlevel 1 exit
> net localgroup administrators domain\group /add
>
>
> Oli Restorick [MVP] wrote:
>> As you hint at, the Restricted Groups feature of Group Policy replaces
>> the existing group membership.
>>
>> Here's what I do. I configure a GPO for the OU containing my
>> workstations. I set a computer startup script (so it runs in the context
>> of the machine) and run the following command:
>>
>> net localgroup administrators domain\group /add
>>
>> In the dialogue box, I have "net" as the command and the remainder as the
>> parameters.
>>
>> Hope this helps
>>
>> Oli
>>
>>
>>
>>
>> "mark" <(E-Mail Removed)> wrote in message
>> news:a0b501c43479$51563d70$(E-Mail Removed)...
>>
>>> Is there a simple way to have Win2k and WinXP machines
>>> automatically add an additional domain group to the local
>>> Administrators group when logging in? I want to keep the
>>> existing domain group intact on the local machine and
>>> just add another.


Matt Hickman
23rd May 2004
Laura <(E-Mail Removed)> wrote in message news:<#(E-Mail Removed)>...

> We have a group we wish to add to the
> local administrator group of the workstations only. If we apply the
> script to users we run into a similar problem as Domain Administrator
> and other server-specific domain users are also in the same container as
> all the other users.


You can put global groups in the local administrators with
the "restricted groups" Group Policy setting. To block this
setting from applying to servers, put your servers in a "servers"
group and remove/deny read and/or apply access to the GPO.

Here is the GPO path:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

The following link contains detailed instructions:

http://support.microsoft.com/default...;EN-US;Q320065

I would recommend this over trying to do this from a logon script.
If you are going to do this via script, it should be a _startup_ script.
And even then, the "restricted groups" Group Policy setting is the better way
to go.

--
Matt Hickman
..are we buying a spaceship, or are we getting to supper on
time?
- Robert A. Heinlein's _The Rolling Stones_
 