Adding Groups to Local Admin group using GPO

Joe

Hi all.

I need help with this.

I need to add a Domain Local Group into all Local
Administrators groups of a domain's workstations using GPO
(manually could be a nightmare, I have more than 300 PCs
attached to the Domain, but I tried in a couple of 'em and
it worked). I tried all, including steps/advice on these
articles: Microsoft Knowledge Base Article - 320065 &
Microsoft Knowledge Base Article - 810076 ... but it does
not work, I'm doin' something wrong. All machines have the
most recent Service Packs. Please, help.

Joe.
 
Cary Shultz [A.D. MVP]

Joe,

It does work. I do it all the time. You have to follow the steps in 320065
to the tee. Meaning, you have to use a WIN2000 Pro system with the ADMINPAK
installed to do from step three on.

Maybe you can let us know your exact steps? And what do you mean by 'it
does not work'?

HTH,

Cary
 
Joe

1st, thanks for the reply.

OK, I would like to say that I DO NOT WANT to
exclude/delete other users from the Local Admin Group; this
is how this GPO will work, right? ...

Now, these are the steps I'm following:
1. From the Domain Controller, I create the Domain Local Group.
2. From the Domain Controller, I create an OU. Then, drag my
computer account within.
3. I go to a member server (my own machine that uses W2K
Server with SP4 and patches) and use AD Users and Groups
(I already installed Admin Pack).
4. Go to the OU, right click, etc ... and I added the Local
Admin Group.
5. Right click, security ... and to the right side of the
Members of this Group box, click ADD, and then click
Browse.... and I CAN NOT find my Domain Local Group, I
received an error that the group does not exist, but it
does.... <---- MY PROBLEM.
 
Joe

OK, finally, I was able to write the Group within the
Member Of field (I wrote the Domain plus name of the
group: Domain\GroupName). Anyway, I ran the refreshpolicy
command FROM MY OWN MEMBER SERVER, but nothing happens. I
got one user on the Local Group, so after GPO, it should
have this user plus the new Domain Security Local Group,
and I see nothing, I mean, just the initial user; the Domain
Local Group wasn't added to the Local Group.

?
 
SixDoubleO

Joe,

I do this from a logon script. Assuming you have a logon script that
runs with admin rights, why not just do it like this?

Let's assume you have a domain called "MyDomain" and a domain group
called "WSAdmins".

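echo Checking Workstation Administrator Access...

:chkwsadmins
rem Look for the domain group in the local Administrators membership list
net localgroup Administrators | find /i "MyDomain\wsadmins"

rem find sets errorlevel 1 when the group is not listed
if errorlevel 1 goto nowsadmins
rem Group already present: skip the add step
goto weredone

:nowsadmins
echo "MyDomain\WSAdmins not in local Administrators Group - Adding them now."
net localgroup Administrators "MyDomain\WSAdmins" /add

:weredone
echo WSAdmin Check Complete.
rem Log the resulting membership to a central share, one file per computer
net localgroup Administrators > \\MyPDC\misclog$\wsadmin\%computername%.log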


Sorry if this is obvious, but it's how I would do it. If you DON'T have
a logon script running with admin access, I would schedule something or
do a RunAs (or Sanur) or something of that nature.
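
The logon script above writes each machine's `net localgroup Administrators` output to a share. The following added example (not part of the original post) parses those logs and reports machines that are missing the group or carry unexpected local administrators. The allowlist, the function name and the sample output are assumptions constructed for illustration.

```powershell
# Added example: audit the per-computer logs written by the logon script above.
# Assumptions (not from the thread): the allowlist and the function name.
$Required = 'MyDomain\WSAdmins'
$Allowed  = @('Administrator', 'MyDomain\Domain Admins', $Required)

function Get-LocalAdminFinding {
    param([string]$Computer, [string[]]$Lines)

    # Members are listed between the dashed rule and the completion message
    # (English-language output of net.exe is assumed).
    $members = @()
    $inList  = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^-{10,}$') { $inList = $true; continue }
        if ($t -like 'The command completed*') { break }
        if ($inList -and $t) { $members += $t }
    }

    [pscustomobject]@{
        Computer        = $Computer
        Parsed          = $inList   # false: empty or truncated log, treat as unknown
        MissingRequired = -not ($members -contains $Required)
        Unexpected      = @($members | Where-Object { $Allowed -notcontains $_ })
    }
}

# Constructed sample of `net localgroup Administrators` output (not real data).
$sample = @'
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
MYDOMAIN\Domain Admins
MYDOMAIN\jdoe
The command completed successfully.
'@ -split "`r?`n"

Get-LocalAdminFinding -Computer 'WS-SAMPLE01' -Lines $sample

# Against the share used by the logon script:
# Get-ChildItem '\\MyPDC\misclog$\wsadmin\*.log' | ForEach-Object {
#     Get-LocalAdminFinding -Computer $_.BaseName -Lines (Get-Content $_.FullName)
# } | Where-Object { $_.MissingRequired -or $_.Unexpected }
```

The comparisons are case-insensitive, so `MYDOMAIN\WSAdmins` in a log matches `MyDomain\WSAdmins` in the allowlist.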
 
Jerold Schulman

See tip 4195 in the 'Tips & Tricks' at http://www.jsiinc.com

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 