Laura said:
We have a group we wish to add to the
local administrator group of the workstations only. If we apply the
script to users we run into a similar problem as Domain Administrator
and other server-specific domain users are also in the same container as
all the other users.
You can put global groups in the local administrators with
the "restricted groups" Group Policy setting. To block this
setting from applying to servers, put your servers in a "servers"
group and remove/deny read and/or apply access to the GPO.
Here is the GPO path:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
the following link contains detailed instructions:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065
I would reccomend this over trying to do this from a logon script.
If you are going to do this via script, it should be a _startup_ script
And even then, "restricted groups" Group Policy setting is the better way
to go.