Adding global groups to local admin groups on remote machines

[Shawn]

(win2k network)

I have about 1400 machines in the building I support. I
want to put a couple of administrative groups in each
machines local admin group. The problem is that the only
current permissions I have would require me to log in to
each machine as the local admin and add the groups. I
have been using the console useradmin from the resource
kit and was able to put together a script that attempts to
put these global groups in each machines local admin group
but most of them fail due to permissions issues. All the
local machines have the same local admin login and
password. So I guess I am looking to either automate the
login to each machine for this script to run with the
permissions it needs (such as a remote runas w/sanur) -(I
have thought of using psexec but this would be an extreme
hassle as I would have to copy a resouce kit file to every
single machine.) Or maybe if there is a way to have this
run from each machines system account? Or is there
something different all together anyone could recommend?

thx

-shawn

 

[Guest]

are there any commands that accept %localmachine%
\administrator or something similar?

thx

-s

 

[Oli Restorick [MVP]]

The way I do this is to use a computer startup script in active directory
containing the following.

net localgroup administrators wksadmins /add /domain

Because this runs as a computer startup script, it runs in the context of
the local computer, rather than a user.

There is also the restricted group feature of Active Directory, but it has
the side-effect of removing any existing members of the group.

Hope this helps

Oli

 

[Guest]

You can use "Net Group". But this only run from a Server

Next is WSH. It is very fast and you can use it from any Machine o
put it in the Logon. Lokk at the link below
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/iadsgroup.as

Greets, Frank

 

[Oli Restorick [MVP]]

Only run from a server? I was talking about running it on the local machine
group policy.

What I described is the way I do this.

Regards

Oli

 

[Matt Hickman]

(win2k network)

I have about 1400 machines in the building I support. I
want to put a couple of administrative groups in each
machines local admin group.

If your 1,400 machines are in your AD, you can put global groups
in the local administrators with the "restricted groups" Group
Policy setting.

Computer Configuration\Windows Settings\Security Settings\Restricted Groups

the following link contains detailed instructions
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065

 

[Guest]

The command 'Net Localgroup Administrators GlobalGroup / Add / Domai
don`t work on my W2K Pro Machine. Only I can add is a local Group
I`m not a Full Admin of my Domain and I can`t create any new Policy, so I have to do it from the Clients Workstation
I try to do it with 'Net localgroup, but it doesen`t work. Should I do anything wrong
I realize it with vbs like this
'Set grp = GetObject("WinNT://Domain/"& pc &"/Administrators"
'grp.Add("WinNT://GlobalGroup"
'Set.Inf

I can use this Script from any Workstation and it works great
But I`m also interrested how do you use the "Net localgroup" command from a Workstation

Regards, Frank