Script that adds domain grp to local Admn group when joini..

Archived from groups: microsoft.public.win2000.active_directory

Hello,

I have a Help Desk group solely for troubleshooting PCs across the 2003
domain and that set up and configure PCs for the domain. On all PCs in the
domain, I ran a program that added the group 'PCAdmins' to every local Admin
group in the domain.
The problem I have now is how do I have a Help Desk tech join a PC to the
domain and have the PCAdmins group already added to the local Admin group.
Since the tech is just a Domain user and a member of the PCAdmins group, how
can the group get added for him to administrate just the PC?
  1. Archived from groups: microsoft.public.win2000.active_directory

    Also to add to the original post, I know I can add a startup script to a GPO
    and use the command

    net localgroup Administrators /add "domain\group_name"

    But that will not run until the computer object is moved into the container
    that has the GPO configured. By default you cannot add a GPO to the default
    Computer container and the Help Desk techs have no delegation to AD
    whatsoever so they cannot move the computer object into the container that
    has the GPO configured. Someone please help!!! Please!!!

    Jimmy K

    "Jimmy K" wrote:

    > Hello,
    >
    > I have a Help Desk group solely for troubleshooting PCs across the 2003
    > domain and that set up and configure PCs for the domain. On all PCs in the
    > domain, I ran a program that added the group 'PCAdmins' to every local Admin
    > group in the domain.
    > The problem I have now is how do I have a Help Desk tech join a PC to the
    > domain and have the PCAdmins group already added to the local Admin group.
    > Since the tech is just a Domain user and a member of the PCAdmins group, how
    > can the group get added for him to administrate just the PC?
    >
  2. Archived from groups: microsoft.public.win2000.active_directory

    Jimmy K wrote:

    > Hello,
    >
    > I have a Help Desk group solely for troubleshooting PCs across the 2003
    > domain and that set up and configure PCs for the domain. On all PCs in the
    > domain, I ran a program that added the group 'PCAdmins' to every local Admin
    > group in the domain.
    > The problem I have now is how do I have a Help Desk tech join a PC to the

    edit the domain policy (and maybe the domain controller policy as well)
    Comp Configuration->Windows settings->Security Settings->user rights
    assignment->Add workstations to a domain
    edit that setting to include the PCAdmins group

    >
    > domain and have the PCAdmins group already added to the local Admin group.
    > Since the tech is just a Domain user and a member of the PCAdmins group, how
    > can the group get added for him to administrate just the PC?

    that would be "administer", not "administrate" and the tech still needs an
    administrator level password to join the PC to the domain.
  3. Archived from groups: microsoft.public.win2000.active_directory

    Jimmy K wrote:

    > Also to add to the original post, I know I can add a startup script to a GPO
    > and use the command
    >
    > net localgroup Administrators /add "domain\group_name"
    >
    > But that will not run until the computer object is moved into the container
    > that has the GPO configured. By default you cannot add a GPO to the default
    > Computer container and the Help Desk techs have no delegation to AD
    > whatsoever so they cannot move the computer object into the container that
    > has the GPO configured. Someone please help!!! Please!!!

    As in the last message I posted, edit the domain policy (admin templates section) to
    have a startup script run your command. The domain policy would be the only one
    that would work for you since you haven't moved the computers out of the Computers
    folder yet.

    >
    >
    > Jimmy K
    >
    > "Jimmy K" wrote:
    >
    > > Hello,
    > >
    > > I have a Help Desk group solely for troubleshooting PCs across the 2003
    > > domain and that set up and configure PCs for the domain. On all PCs in the
    > > domain, I ran a program that added the group 'PCAdmins' to every local Admin
    > > group in the domain.
    > > The problem I have now is how do I have a Help Desk tech join a PC to the
    > > domain and have the PCAdmins group already added to the local Admin group.
    > > Since the tech is just a Domain user and a member of the PCAdmins group, how
    > > can the group get added for him to administrate just the PC?
    > >
  4. Archived from groups: microsoft.public.win2000.active_directory

    Hi Brandon,

    Thanks for your help, though the startup script in the domain policy did not
    work. I tried it on the Default Domain policy and under the Domain
    Controllers Policy container and still did not work. I do not believe that
    the Computers container falls under any of those policy hierarchies. Any
    other ideas?
    Also, by default, Authenticated users can join any computer onto the network
    and all you need is the password of any user that has the right to join any
    computer to the network. Please do not assume that I took that group out
    unless you had no clue that was the default permission for joining a computer
    to the network.
    So far both your suggestions did not work. Any other ideas?

    Jimmy K

    "Brandon McCombs" wrote:

    >
    >
    > Jimmy K wrote:
    >
    > > Hello,
    > >
    > > I have a Help Desk group solely for troubleshooting PCs across the 2003
    > > domain and that set up and configure PCs for the domain. On all PCs in the
    > > domain, I ran a program that added the group 'PCAdmins' to every local Admin
    > > group in the domain.
    > > The problem I have now is how do I have a Help Desk tech join a PC to the
    >
    > edit the domain policy (and maybe the domain controller policy as well)
    > Comp Configuration->Windows settings->Security Settings->user rights
    > assignment->Add workstations to a domain
    > edit that setting to include the PCAdmins group
    >
    > >
    > > domain and have the PCAdmins group already added to the local Admin group.
    > > Since the tech is just a Domain user and a member of the PCAdmins group, how
    > > can the group get added for him to administrate just the PC?
    >
    > that would be "administer", not "administrate" and the tech still needs an
    > administrator level password to join the PC to the domain.
    >
    >
  5. Archived from groups: microsoft.public.win2000.active_directory

    Actually, settings in the Default Domain policy will apply to the
    Computers container. However I don't think you could get that script to
    work from GPO without elevating the script's privileges first.

    Stupid question perhaps, but are you setting up new servers from an
    image? Many people don't realize you can add your "gold" image server
    to the domain, add the appropriate domain groups to local groups or
    acls, then remove the server from the domain and those sids will
    remain. Sysprep and create your image, then new servers created from
    that image will already have the necessary accounts applied as soon as
    they're added to the domain.
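
An added example, not part of the thread or any poster's script: a startup-script version of the `net localgroup` command discussed above, written so it is idempotent and also reports unexpected domain accounts holding local admin rights. It assumes Windows PowerShell 5.1 (the `Microsoft.PowerShell.LocalAccounts` cmdlets) and a context with local administrative rights, which a computer startup script has because it runs as Local System; `CONTOSO\PCAdmins` and `CONTOSO\Domain Admins` are placeholder names.

```powershell
# Added example. Group names below are placeholders, not values from the thread.
param(
    [string]$DomainGroup = 'CONTOSO\PCAdmins',
    # Other domain principals that are expected in local Administrators.
    [string[]]$Expected  = @('CONTOSO\Domain Admins')
)
$ErrorActionPreference = 'Stop'

# Well-known SID of BUILTIN\Administrators; avoids relying on the group's
# display name, which differs on localized or hardened builds.
$adminsSid = 'S-1-5-32-544'

# A machine that has not joined the domain yet cannot resolve the group.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Output 'Not domain-joined, nothing to do.'
    return
}

# Resolve the domain group to a SID first, so a typo or an unreachable
# domain controller fails loudly instead of silently skipping the add.
try {
    $groupSid = ([System.Security.Principal.NTAccount]$DomainGroup).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$DomainGroup': $($_.Exception.Message)"
}

# Idempotent add: compare by SID so a renamed group is still recognized,
# and so Add-LocalGroupMember is not called for an existing member.
$members = @(Get-LocalGroupMember -SID $adminsSid)
if ($members.SID.Value -notcontains $groupSid) {
    Add-LocalGroupMember -SID $adminsSid -Member $DomainGroup
    Write-Output "Added $DomainGroup to local Administrators."
} else {
    Write-Output "$DomainGroup is already a local administrator."
}

# Audit: flag any non-local principal that is not on the allow-list, so
# leftover grants from imaging or earlier tooling become visible.
$allowed = @($DomainGroup) + $Expected
Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.PrincipalSource -ne 'Local' -and $allowed -notcontains $_.Name } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name) ($($_.SID))" }
```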