Adding a group to local admin group

Guest

Hello all, I need to add a domain security group to all the PCs'
local Administrators group within our network of just under 100 PCs.

Is there a way I can do this via some kind of script or even group policy?
I'm planning to do it individually using the computer management console but
as you know, it will take quite a bit of time.

The aim is to make support issues with PCs much easier by being able to
login with a certain user account that will have local rights to all PCs
within our domain. At the moment, we login with the domain admin account
which is obviously bad practice.

Thanks
 
Lanwench [MVP - Exchange]

Ally said:
> Hello all, I need to add a domain security group to all the
> PCs' local Administrators group within our network of just under 100
> PCs.

Note that you'd probably be better off posting questions like this in
m.p.windows.server.active_directory or m.p.windows.group_policy.

> Is there a way I can do this via some kind of script

Yes, a simple batch file startup script applied via GPO to all workstations
(linked at the appropriate OU)...see below.

> or even group
> policy?

Yes - restricted groups are one way (but I personally don't use that)

> I'm planning to do it individually using the computer
> management console but as you know, it will take quite a bit of time.
>
> The aim is to make support issues with PCs much easier by being able
> to login with a certain user account that will have local rights to
> all PCs within our domain. At the moment, we login with the domain
> admin account which is obviously bad practice.
>
> Thanks

Here's what I do -

* Create a domain user called something logical (I use "demigod" but you
could use whatever you like)
* Create an AD universal security group called LocalAdmin and make demigod a
member
* Create an AD universal security group called LocalPowerUser (don't need
any members right now but this can be handy too).
* Create an AD universal security group called RDUsers (for remote desktop
users)

The batch file would have this:
.........
rem Local group names that contain spaces must be quoted
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" DOMAIN\RDusers /add
.........


You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.

When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself (such
as PDA stuff) ...then I remove them from the domain LocalAdmin group when
done.

I use Demigod for software installs/etc.

NOTE: Restricted groups are often a better idea - but the reason I don't
like them is that they always override any locally-set group membership,
which is not always what I want.
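
Because the startup script above only ever adds members and never removes any, a periodic check of each PC's local Administrators group against an allow-list shows both missing and unexpected members. This is an added example, not part of the original post: the function name `Get-AdminDrift`, the allow-list contents other than `DOMAIN\LocalAdmin`, and the sample member data are assumptions constructed for illustration.

```powershell
# Added example (not from the thread): flag drift in the local Administrators group.
# Allow-list is an assumption: LocalAdmin is the group from the post above, and
# Domain Admins is placed in local Administrators by default when a PC joins a domain.
$Expected = @('DOMAIN\LocalAdmin', 'DOMAIN\Domain Admins')

function Get-AdminDrift {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects exposing Name and SID
        [Parameter(Mandatory)] [string[]] $Expected   # allowed "AUTHORITY\name" entries
    )
    $names = @($Members | ForEach-Object { [string]$_.Name })
    [pscustomobject]@{
        # Allow-listed groups that the startup script has not added (yet).
        Missing    = @($Expected | Where-Object { $names -notcontains $_ })
        # Members not on the allow-list, ignoring the built-in Administrator (RID 500).
        Unexpected = @($Members |
            Where-Object { $Expected -notcontains $_.Name -and [string]$_.SID -notmatch '-500$' } |
            ForEach-Object { [string]$_.Name })
    }
}

# Constructed sample data (hypothetical PC, user and SIDs) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'DOMAIN\Domain Admins'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'DOMAIN\jsmith'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1107' }
)
Get-AdminDrift -Members $sample -Expected $Expected | Format-List

# On a live PC, read the real membership. S-1-5-32-544 is the well-known SID of
# BUILTIN\Administrators, so this works even where the group name is localized.
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
    Get-AdminDrift -Members $live -Expected $Expected | Format-List
}
```

An account left in the domain LocalAdmin group does not appear here because it is nested inside an allowed group, so the membership of that domain group needs its own review.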
 
Guest

That works a treat Lanwench, thanks.

Just a side question though, what does demigod mean/stand for?
 
Malke

Ally said:
> That works a treat Lanwench, thanks.
>
> Just a side question though, what does demigod mean/stand for?

From Dictionary.com (but a quick "define demigod" on Google would have
worked for you, too):

dem·i·god - noun

1. a mythological being who is partly divine and partly human; an
inferior deity.
2. deified mortal.


Malke
 
