(win2k network)

I have about 1400 machines in the building I support. I
want to put a couple of administrative groups in each
machines local admin group. The problem is that the only
current permissions I have would require me to log in to
each machine as the local admin and add the groups. I
have been using the console useradmin from the resource
kit and was able to put together a script that attempts to
put these global groups in each machines local admin group
but most of them fail due to permissions issues. All the
local machines have the same local admin login and
password. So I guess I am looking to either automate the
login to each machine for this script to run with the
permissions it needs (such as a remote runas w/sanur) -(I
have thought of using psexec but this would be an extreme
hassle as I would have to copy a resouce kit file to every
single machine.) Or maybe if there is a way to have this
run from each machines system account? Or is there
something different all together anyone could recommend?

thx

-shawn

are there any commands that accept %localmachine%
\administrator or something similar?

thx

-s
>-----Original Message-----
>(win2k network)
>
>I have about 1400 machines in the building I support. I
>want to put a couple of administrative groups in each
>machines local admin group. The problem is that the only
>current permissions I have would require me to log in to
>each machine as the local admin and add the groups. I
>have been using the console useradmin from the resource
>kit and was able to put together a script that attempts
to
>put these global groups in each machines local admin
group
>but most of them fail due to permissions issues. All the
>local machines have the same local admin login and
>password. So I guess I am looking to either automate the
>login to each machine for this script to run with the
>permissions it needs (such as a remote runas w/sanur) -(I
>have thought of using psexec but this would be an extreme
>hassle as I would have to copy a resouce kit file to
every
>single machine.) Or maybe if there is a way to have this
>run from each machines system account? Or is there
>something different all together anyone could recommend?
>
>thx
>
>-shawn
>.
>

The way I do this is to use a computer startup script in active directory
containing the following.

net localgroup administrators wksadmins /add /domain

Because this runs as a computer startup script, it runs in the context of
the local computer, rather than a user.

There is also the restricted group feature of Active Directory, but it has
the side-effect of removing any existing members of the group.

Hope this helps

Oli



"Shawn" <(E-Mail Removed)> wrote in message
news:1bbae01c420c7$7fac3730$(E-Mail Removed)...
> (win2k network)
>
> I have about 1400 machines in the building I support. I
> want to put a couple of administrative groups in each
> machines local admin group. The problem is that the only
> current permissions I have would require me to log in to
> each machine as the local admin and add the groups. I
> have been using the console useradmin from the resource
> kit and was able to put together a script that attempts to
> put these global groups in each machines local admin group
> but most of them fail due to permissions issues. All the
> local machines have the same local admin login and
> password. So I guess I am looking to either automate the
> login to each machine for this script to run with the
> permissions it needs (such as a remote runas w/sanur) -(I
> have thought of using psexec but this would be an extreme
> hassle as I would have to copy a resouce kit file to every
> single machine.) Or maybe if there is a way to have this
> run from each machines system account? Or is there
> something different all together anyone could recommend?
>
> thx
>
> -shawn

You can use "Net Group". But this only run from a Server

Next is WSH. It is very fast and you can use it from any Machine o
put it in the Logon. Lokk at the link below
http://msdn.microsoft.com/library/de...i/iadsgroup.as

Greets, Frank

Only run from a server? I was talking about running it on the local machine
group policy.

What I described is the way I do this.

Regards

Oli


"Frank W." <(E-Mail Removed)> wrote in message
news:FCE3BF9B-E61F-4AFE-8712-(E-Mail Removed)...
> You can use "Net Group". But this only run from a Server.
>
> Next is WSH. It is very fast and you can use it from any Machine or
> put it in the Logon. Lokk at the link below:
> http://msdn.microsoft.com/library/de.../iadsgroup.asp
>
> Greets, Frank

"Shawn" <(E-Mail Removed)> wrote in message news:<1bbae01c420c7$7fac3730$(E-Mail Removed)>...
> (win2k network)
>
> I have about 1400 machines in the building I support. I
> want to put a couple of administrative groups in each
> machines local admin group.

If your 1,400 machines are in your AD, you can put global groups
in the local administrators with the "restricted groups" Group
Policy setting.

Computer Configuration\Windows Settings\Security Settings\Restricted Groups

the following link contains detailed instructions
http://support.microsoft.com/default...;EN-US;Q320065

--
Matt Hickman
Ancient history is awesome.
- Robert A. Heinlein _Citizen of the Galaxy_

The command 'Net Localgroup Administrators GlobalGroup / Add / Domai
don`t work on my W2K Pro Machine. Only I can add is a local Group
I`m not a Full Admin of my Domain and I can`t create any new Policy, so I have to do it from the Clients Workstation
I try to do it with 'Net localgroup, but it doesen`t work. Should I do anything wrong
I realize it with vbs like this
'Set grp = GetObject("WinNT://Domain/"& pc &"/Administrators"
'grp.Add("WinNT://GlobalGroup"
'Set.Inf

I can use this Script from any Workstation and it works great
But I`m also interrested how do you use the "Net localgroup" command from a Workstation

Regards, Frank