Remotely changing admin group membership on clients

SCavignac

I am looking for a way to add a domain account to the local
Administrators group on all the Windows 2000 and Windows XP
workstations in the domain.

I do not want to add the account to the Domain Admins group because I
do not want the person logging on to the local machine to perform
certain tasks (which require administrative privilege) to be able to
add or remove the workstation from the domain. The user account I want
to use also needs to be able to connect remotely to administrative
shares on the workstations.

I was hoping to be able to use Group Policy or some other 'centralized'
method to be able to place a domain user account or global group in the
local admin group.

I am open to any other suggestions as well.

I really don't want to visit every workstation and add the user
manually.

Any ideas?


SCavignac
 
Joe Richards [MVP]

You can use a restricted groups GPO but that will wipe the current
membership of the group and set it to what you want. I.E. If someone is set
locally, they will be gone.

You can use a startup script that has a line like NET LOCALGROUP
ADMINISTRATORS DOMAIN\GROUP /ADD
This will add the specific group but will only work when the machines are
rebooted.

Finally you could write some sort of script that loops through all of the
machines and either does an ADSI modify call or parses out to a command line
tool like LG (free win32 tools page of www.joeware.net ) to force the group
membership addition, however you need to be an admin on the machines to do
that.

joe
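
Added example, not part of the thread or of either poster's code: since a Restricted Groups policy replaces the existing membership, this Python script parses `net localgroup Administrators` output collected from a workstation and previews which accounts the planned list would remove, add, or keep. The sample output, the `CORP` domain, the account names and the `CORP\Workstation Admins` group are constructed for illustration, and English-language command output is assumed.

```python
"""Preview what a Restricted Groups member list would change in a local group."""

# Constructed sample of `net localgroup Administrators` output from one workstation.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jsmith
localtech
The command completed successfully.
"""

# Hypothetical planned policy list; CORP\Workstation Admins is a made-up global group.
PLANNED = ["Administrator", "CORP\\Domain Admins", "CORP\\Workstation Admins"]


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        text = line.strip()
        if not in_list:
            in_list = text.startswith("-----")  # the rule itself is not a member
        elif text.lower().startswith("the command completed"):
            break
        elif text:
            members.append(text)
    return members


def preview(current, planned):
    """Compare case-insensitively, since Windows account names ignore case."""
    cur = {m.lower(): m for m in current}
    new = {m.lower(): m for m in planned}
    return {
        "removed": sorted(cur[k] for k in cur.keys() - new.keys()),
        "added": sorted(new[k] for k in new.keys() - cur.keys()),
        "kept": sorted(cur[k] for k in cur.keys() & new.keys()),
    }


if __name__ == "__main__":
    result = preview(parse_members(SAMPLE_OUTPUT), PLANNED)
    for change, names in result.items():
        print(f"{change:8}{', '.join(names) or '-'}")
```

Anything reported under "removed" is a locally granted admin right that the policy would silently drop, so it is worth reviewing per machine before the GPO is linked.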
 
