Local Admins via GPO?

[Dan]

Is it possible to add the Domain Admins group to the local
admin group on each PC without disturbing the existing
accounts in the local admin group? I have looked at
restricted groups but everything I've tried kills the
other accounts in the local admin group and that can't
happen. All I want is to ensure that the domain admins
are there regardless of users deleting them or not.
Thanks,
Dan

 

[Cary Shultz [A.D. MVP]]

Dan,

This is the normal behavior. What happens is that the 'focus' group
replaces all of the current members of that particular local Group. There
are a couple of ways to avoid not having the Domain Admins group as a member
of the local Administrators group.

The first one would be to use the RG GPO as-is but add two groups: the one
that you have created and the Domain Admins. This would be one way. Now,
only the group that you have created and the Domain Admins group will be
members of the local Administrators group on the PCs that fall under the
Scope of Management ( I just love this term! ).

Another way is to take a look at the following MSKB Article:

http://support.microsoft.com/?id=810076

This gives you that patch that will change the behavior of the RG GPO. You
need to contact MS-PSS but will not be charged. Make sure that you get both
the WIN2000 and the WINXP Pro file ( assuming that you have both ). You
will need to install this patch on each and every PC in your environment.

Another method is to use the 'net' command that you put in a start up
script.

HTH,

Cary