Add additional groups to local Administrators group on Workstation when it joins the domain

mniccum

How can I automatically add additional groups to the local
Administrators group on a workstation when it joins the domain?
Currently only Domain Admins get added. I was thinking it was
somewhere in the configuration container in AD, but I can't seem to
find it.

I am looking for the actual location where Domain Admins is stored as
the group to add to a workstation as it gets joined to the domain. I
think it's stored in AD. I am not looking for a VBS or script type
solution.

Thanks,

Mike
 
Joe Richards [MVP]

Probably the simplest mechanism would be to have a GPO that has a startup script
configured to do this addition.

There is nothing you can do to change the group added during the actual join.
That is hard coded functionality in the OS of the client.

joe
 
Cary Shultz [A.D. MVP]

Good afternoon all!

I would suggest that you take a look at the Restricted Groups Group Policy.
And be aware that the default behavior is to simply add whatever groups you
specify. If this is not what you want ( although it sounds like you do want
this behavior ) then you need to get the patch for it ( and note that there
is a specific patch for WIN2000 and a specific patch for WINXP ) and apply
the appropriate patch to each and every machine in your environment. Then
make use of the GPO. With the patch applied, the GPO will flush out the
contents of your 'focus' group ( in your case, the local Administrator
group ) and populate it with the group(s) that you specify in the GPO.

HTH,

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Deji Akomolafe

Another option is to use the "MemberOf" option in a "Restricted Groups" GPO.

Say the group is called GrpA and you want it to be a member of the
administrators group in every client in ClientsOU. You will create and apply
a group policy to ClientsOU. In that policy, you will create a restricted
group object, by adding GrpA. Then in the properties, you will choose the
"this group is a member of:" and type in "administrators".



--

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
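
An added example, not part of any post in this thread: a Restricted Groups policy is saved in the GPO's `GptTmpl.inf` security template under `[Group Membership]`, where the "this group is a member of" form Deji describes is written as a `__Memberof` key and the flush-and-populate form Cary describes as a `__Members` key on the Administrators entry itself. The sketch below reads such a template and reports which of the two each entry does to the local Administrators group; the function names, the domain SID and the RIDs are constructed for illustration.

```python
import re

ADMINS = ("s-1-5-32-544", "administrators")  # well-known SID / name of BUILTIN\Administrators

# Constructed sample template; the domain SID and RIDs are placeholders.
# A real GptTmpl.inf is usually UTF-16: open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for keys present in the file."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not in_section or not m:
            continue
        group = m.group(1).lstrip("*")  # a leading '*' marks a SID rather than a name
        values = [v.strip().lstrip("*") for v in m.group(3).split(",") if v.strip()]
        groups.setdefault(group, {})[m.group(2).lower()] = values
    return groups

def admin_effects(inf_text):
    """List ("replace", group, members) and ("add", group, []) findings for Administrators."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if group.lower() in ADMINS and "members" in entry:
            # Administrators is itself the restricted group: its member list is defined here.
            findings.append(("replace", group, entry["members"]))
        elif any(t.lower() in ADMINS for t in entry.get("memberof", [])):
            # Another group is nested into Administrators; existing members are untouched.
            findings.append(("add", group, []))
    return findings

if __name__ == "__main__":
    for effect in admin_effects(SAMPLE_INF):
        print(effect)
```

Run against the templates of the GPOs linked to an OU, this shows which policies only nest a group into Administrators and which ones define its whole member list.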
 
