Adding group/user to local Admins group on all workstations?

[Barkley Bees]

Somewhat related to my previous post, can anyone recommend how to add an AD
group/user to the local administrators group for all workstations (XP/2000)
in a domain? I imagine it would be via Group Policy but I welcome any
suggestions. Thank you.

 

[Florian Frommherz [MVP]]

Howdie!

Somewhat related to my previous post, can anyone recommend how to add an AD
group/user to the local administrators group for all workstations (XP/2000)
in a domain? I imagine it would be via Group Policy but I welcome any
suggestions. Thank you.

Restricted Groups is what you're looking for:
http://www.frickelsoft.net/blog/?p=13

cheers,

Florian

 

[Paul Bergson [MVP-DS]]

You could use the restricted user group gpo setting


computer configuration \ windows settings \ restricted groups

group = your group to be made local admins
member of = BUILTIN\Administrators



http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

http://www.microsoft.com/technet/pr...Ref/156780ef-eb36-4433-b3fe-1b1a15c18f6a.mspx

http://www.microsoft.com/resources/...all/proddocs/en-us/sag_scerestrictgroups.mspx


There is absolutely nothing that has to be done on the client side.

Create the gpo in the ou where the Computers reside (NOT the users), go to
computer configuration/windows settings/security settings/restricted groups,
right click on restricted groups and select new group (For the local
computers, this group name should be - administrators) and key in the group
you want auto populated. Select add on the Members of this group and then
add the members you want populated.

Note: Be aware that the higher you place this setting within the domains
group policy the possibility exists it is applied to machines you may not
want it applied to. With this in mind you should try and avoid this setting
at the domain level, with the exception on the domain admins group. We have
some users who are local admins on machines and for some reason they feel
compelled to remove the domain admins from their local administrators group.
Setting this at the domain level manages these annoying users.


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Barkley Bees]

Thanks for the informative pointers Paul. I have one more question on this
matter. I read on technet that the restricted group policy will overwrite
existing group permissions on computer with this GPO applied. So, I imagine
that in addition to the group we want to add, we should have the 'domain
admins' group included in the policy.

Also, in our case we allow users to have local admin rights on their own
machines (belive it or not) so how could we implement this without it
overwriting and removing them from their local Administrators group? I
imagine that if we need to do this the restricted groups policy may not be
the best route for us?

 

[Roger Abell [MVP]]

The overwrite / replace all membership behavior is what
happens when one used the Member list after naming the
group whose members is to be controlled.
Here one names the group to be made a member and name
the group in which it should be a member in the MemberOf
list, and there is no total overwrite/replace.

Roger