ADMT domain admin account not in local administrators (guidance sought!)

Andy

Hi.


We have had AD problems with our original single domain in a single forest
and we have used ADMT 2.0 to migrate user & computer accounts over to a new
single domain in a new forest.

Users have migrated perfectly complete with passwords, computer accounts
have migrated but for some reason the domain administrator account for the
new domain has not been added to the local admin group on the workstation.
However the domain admin account for the old domain has been removed.

Is there an easy way to add the domain admin account into the local admin
account of all those computers (we have over 600!)?

I should also add that we are running Windows Server 2003 in 2003 native
mode domain & forest. Our clients are all XP pro with a mix of SP1 and SP2

Any tips appreciated

Thanks,

Andy.
 
Eugene Byelyakov

If all of your PCs have similar local admin password you're lucky.

I see several approaches to accomplish your task:

1. Use a script that runs "net group". You will probably need to use
runas. The drawback is that you have to specify the admin username and
password in the script body.

2. Use VBScript.

To run it under other user's security context you will need
"SFImpersonator" from
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z


Then just a simple script to add the Domain Admins group into the local
Administrators group:

'Determine PC name
Set objShell = WScript.CreateObject("WScript.Shell")
Set colSysEnvVars = objShell.Environment("Process")
vLocalPC = colSysEnvVars("COMPUTERNAME")

'Connect to local SAM and do what you need
Set objGroup = GetObject("WinNT://" & vLocalPC & "/Administrators,group")
'A WinNT group only accepts WinNT-style member paths, so bind the domain
'group through the WinNT provider (mydomain = NetBIOS domain name)
Set objUser = GetObject("WinNT://mydomain/Domain Admins,group")
objGroup.Add(objUser.ADsPath)
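
The following PowerShell script is an added example, not code from anyone in this thread. Run from an admin workstation under an account that already has administrative rights on the targets (so no password sits in the script body), it reports whether the domain group is in each machine's local Administrators group and adds it only when -Fix is given. NEWDOM and computers.txt are placeholder assumptions.

```powershell
# Added example. Assumptions: NEWDOM is a placeholder NetBIOS domain name and
# computers.txt is a hypothetical list with one computer name per line.
param(
    [string]$Domain    = 'NEWDOM',
    [string]$GroupName = 'Domain Admins',
    [string]$ListPath  = '.\computers.txt',
    [switch]$Fix       # without -Fix the script only reports
)

# Return the ADsPath of every member of a machine's local Administrators group.
function Get-LocalAdminPath {
    param($Group)
    foreach ($member in $Group.psbase.Invoke('Members')) {
        # Members come back as raw COM objects, so read ADsPath by reflection.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

$target = "WinNT://$Domain/$GroupName"

foreach ($line in Get-Content -Path $ListPath) {
    $computer = $line.Trim()
    if (-not $computer) { continue }

    $members = @()
    try {
        $group   = [ADSI]"WinNT://$computer/Administrators,group"
        $members = @(Get-LocalAdminPath -Group $group)

        if ($members -contains $target) {
            $status = 'Present'
        } elseif ($Fix) {
            $group.psbase.Invoke('Add', "$target,group")
            $status = 'Added'
        } else {
            $status = 'Missing'
        }
    } catch {
        # Unreachable host, access denied, and so on: record it and keep going.
        $status = "Error: $($_.Exception.Message)"
    }

    # Listing all members also exposes unexpected or unresolved entries.
    [pscustomobject]@{
        Computer = $computer
        Status   = $status
        Members  = $members -join '; '
    }
}
```

Piping the output to Export-Csv gives a per-machine record of what was found and what was changed.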
 
Aleksey Tchekmarev

You can safely use this approach, if local Administrators group only contains
accounts defined through Group Policies (Domain Administrators, etc.) - all
other accounts will be deleted from Administrators group!
 
Andy

Aleksey Tchekmarev said:
You can safely use this approach, if local Administrators group only contains
accounts defined through Group Policies (Domain Administrators, etc.) - all
other accounts will be deleted from Administrators group!

Thanks for the advice guys, I will try this out and post back the results.
Thank you!
 
