adding domain group to workstations local admin group via GP?

Guest

Basically I need to accomplish two things:

1. I need to have a group (in addition to the domain admins group) added to the local administrators group on workstations when added to the domain.
2. I also need a way to push that additional group down to computers already in the domain without blowing away any specific user accounts already in the local administrators group on the desktops.

If I add the groups I need to the restricted groups listing in GP I end up blowing away any users who have domain accounts that are local administrators.

Do I need to do #2 through a script? If so, does anyone have any suggestions for setting it up?

Ideas? I have dug through the KB for ages on this...

-JW

(e-mail address removed)
 
Jerold Schulman

Basically I need to accomplish two things,

1. I need to have a group (in addition to the domain admins group) added to the local administrators group on workstations when added to the domain.
2. I also need a way to push that additional group down to computers already in the domain without blowing away any specific user accounts already in the local administrators group on the desktops.

If I add the groups I need to the restricted groups listing in GP I end up blowing away any users who have domain accounts that are local administrators.

Do I need to do #2 through a script? If so does anyone have any suggestions for setting it up?

Ideas? I have dug through the KB for ages on this...

-JWP

(e-mail address removed)


See tip 5319 in the 'Tips & Tricks' at http://www.jsiinc.com

If you elect to do it by script, you can use tip 4195 to run
net localgroup Administrators "DomainName\YourGroup" /add




Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
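
The script route suggested above, written out as an added example (it is not from this thread or from jsiinc.com): a PowerShell script that adds the group only when it is absent and then confirms that no existing local administrator was dropped. `DomainName` and `YourGroup` are the thread's placeholders (the domain is assumed to be the NetBIOS name), and using the ADSI WinNT provider in place of `net localgroup` is a choice made for this example.

```powershell
# Added example: idempotent script that adds one domain group to the local
# Administrators group and never removes an existing member.
# 'DomainName' and 'YourGroup' are the placeholders used in the thread.
param(
    [string]$Domain = 'DomainName',   # NetBIOS domain name (assumption)
    [string]$Group  = 'YourGroup'
)

# Resolve the built-in Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group name is localized.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$localName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$admins    = [ADSI]"WinNT://$env:COMPUTERNAME/$localName,group"

# Return current members as ADSI paths, e.g. WinNT://DomainName/billybob
function Get-MemberPaths {
    @($admins.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$before = @(Get-MemberPaths)
$target = "WinNT://$Domain/$Group"

if ($before -contains $target) {      # -contains compares case-insensitively
    Write-Output "$Domain\$Group is already a local administrator; nothing to do."
} else {
    $admins.Add("$target,group")      # additive: existing members are untouched
    Write-Output "Added $Domain\$Group to $localName."
}

# Verify that every member present before the change is still present.
$after   = @(Get-MemberPaths)
$missing = @($before | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Members missing after the change: $($missing -join ', ')"
    exit 1
}
```

Assigned as a computer startup script it runs as Local System, which has the rights needed to change local group membership.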
 
Guest

Last time I used the restricted groups GP it removed all other domain users from the administrators group... so with \domain\billybob in the administrator group of his machine, I then added a group to the restricted GP; the new groups were in the local administrator group but \domain\billybob was kicked out.

So I will try the script... isn't there a way to modify the domain joining process to insert a group in addition to the domain administrator to the local administrator group at the time the machine is added to the domain?

-JW

----- Jerold Schulman wrote: ----

On Tue, 11 Nov 2003 11:56:05 -0800, "Joe Petrocy
Basically I need to accomplish two things
2. I also need a way to push that additional group down to computers already in the domain without blowing away any specific user accounts already in the local administrators group on the desktops


See tip 5319 in the 'Tips & Tricks' at http://www.jsiinc.com

If you elect to do it by script, you can use tip 4195 to run
net localgroup Administrators "DomainName\YourGroup" /add




Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
