Add Domain Group to Local Admin Group

M

mark

is there a simple way to have win2k and winxp machines
automatically add an additional domain group to the local
administrators group when loggin in? i want to keep the
existing domain group in-tact on the local machine and
just add another.
 
O

Oli Restorick [MVP]

As you hint at, the Restricted Groups feature of Group Policy replaces the
existing group membership.

Here's what I do. I configure a GPO for the OU containing my workstations.
I set a computer startup script (so it runs in the context of the machine)
and run the following command:

net localgroup administrators domain\group /add

In the dialogue box, I have "net" as the command and the remainder as the
parameters.

Hope this helps

Oli
 
L

Laura

We currently have a machine login script that actually runs (yes, we
fought long and hard to get it to do so). Unfortunately, our newly
upgraded domain tree is still flat with the servers in the same
container as the workstations. We have a group we wish to add to the
local administrator group of the workstations only. If we apply the
script to users we run into a similar problem as Domain Administrator
and other server-specific domain users are also in the same container as
all the other users.

I've been looking at combining the "net localgroup" concept with
IfMember. does IfMember work with computer accounts or just user
accounts???

If with computer accounts:

ifmember workstations
if not errorlevel 1 exit
net localgroup administrators domain\group /add

If only with user accounts:

ifmember mortalUsers
if not errorlevel 1 exit
net localgroup administrators domain\group /add
 
O

Oli Restorick [MVP]

Hi Laura

You can do this very easily with GPO. If you right-click the GPO, you'll
find that you can change the security options for the GPO. Remove the
default apply option for "authenticated users" and add the specific security
group(s) you want. This is known as filtering.

I'd recommend you move your servers to one OU and your workstations to
another for ease of management.

Also, you should be aware that if you log in to any of these workstations
using a domain administrator account, those you have given administrative
access to the machine could become domain administrators with a bit of
scripting. It depends on your environment as to whether you see this as a
threat.

Hope this helps

Oli
 
M

Matt Hickman

Laura said:
We have a group we wish to add to the
local administrator group of the workstations only. If we apply the
script to users we run into a similar problem as Domain Administrator
and other server-specific domain users are also in the same container as
all the other users.
Click to expand...

You can put global groups in the local administrators with
the "restricted groups" Group Policy setting. To block this
setting from applying to servers, put your servers in a "servers"
group and remove/deny read and/or apply access to the GPO.

Here is the GPO path:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

the following link contains detailed instructions:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065

I would reccomend this over trying to do this from a logon script.
If you are going to do this via script, it should be a _startup_ script
And even then, "restricted groups" Group Policy setting is the better way
to go.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Local user V/s Domain user 1
Local Admin & Group Policy Question 6
Removing domain local groups from Wind XP local administrators group 7
Restricted Groups Problem 3
Restricted Groups: "Member of" and add Domain Groups to local Groups 1
Can't view built-in groups in a remote domain 3
Adding Users to Local Admin Group 1
Allow log on through Terminal Services 1

Top