
Add domain Admin account to all Win2k Clients local admin ..

Tags:
  • Domain
  • Windows
Anonymous
May 7, 2004 11:41:13 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

I posted this question about a week ago, received an answer with an included script and I have just spent nearly two hours searching to find that post and I can't!!

We have about 500 win2k client machines in our environment, we add a domain administrator account to the local admin group of our win2k clients to permit vulnerability scanning, patch management, etc. About 250 of our machines do not have this account added. I know there is a script that you can apply to the computer accounts in the run scripts at logon gpo that will apply a domain admin user to the local admin group of all win2k/xp clients that the policy applies to.

Could someone please post that script. It was an MVP last time, I don't remember who it was, or what darn name I posted under or what I called the topic, or what section I posted under so I can't find that post now :-(

Many thanks!!


Anonymous
May 7, 2004 2:48:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If you are using Active Directory, add "Administrators" to the list of
Restricted Groups within Group Policy, then add Domain Admins as the
allowable member of the Administrators group. The local group will be
updated to reflect this change the next time that Group Policies are
refreshed.

Caveat - this will remove anyone other than Domain Admins from the local
Administrators group, so you may need to customize the group membership
based on your specific configuration.

--
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only


"a_user" <anonymous@discussions.microsoft.com> wrote in message
news:7ECAD43B-3403-44D7-A04D-073EC8E7F85B@microsoft.com...
> Hello,
>
> I posted this question about a week ago, received an answer with an
> included script and I have just spent nearly two hours searching to find
> that post and I can't!!
>
> We have about 500 win2k client machines in our environment, we add a
> domain administrator account to the local admin group of our win2k clients
> to permit vulnerability scanning, patch management, etc. About 250 of our
> machines do not have this account added. I know there is a script that
> you can apply to the computer accounts in the run scripts at logon gpo
> that will apply a domain admin user to the local admin group of all
> win2k/xp clients that the policy applies to.
>
> Could someone please post that script. It was an MVP last time, I don't
> remember who it was, or what darn name I posted under or what I called the
> topic, or what section I posted under so I can't find that post now :-(
>
> Many thanks!!
Anonymous
May 7, 2004 2:48:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

If going this route removes the existing administrators minus the individuals specifically mentioned in the restricted groups policy, this will not work in my situation. Every user of the local computer is made a member of that machine's administrator group so they have full control over their own system; this is done because many users have laptops and travel, making it impossible for the IT staff to do everything on their behalf, such as install critical updates, new print drivers at different office locations, modify their TCP/IP properties etc. Yes, power users group would allow this, but we can't change 500 systems now.

Any other suggestions?
Anonymous
May 7, 2004 11:12:17 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

You can use ADSI to add your account to the local admin group. Here is a
sample to get you going:

Dim oAdminGroup
Dim oWshNetwork
Dim sDomain
Dim sComputer
Dim sAdminAccount

Set oWshNetwork=CreateObject("WScript.Network")
sDomain="My Domain Name"
sComputer=oWshNetwork.ComputerName
' WinNT ADsPaths separate domain and account with "/", not "\"
sAdminAccount=sDomain & "/" & "The Administrator Account to Add"

' Bind to this computer's local Administrators group
Set oAdminGroup=GetObject("WinNT://" & sComputer & "/Administrators")

' Add the account only if it is not already a member
If oAdminGroup.IsMember("WinNT://" & sAdminAccount)=False Then
    oAdminGroup.Add("WinNT://" & sAdminAccount)
    oAdminGroup.SetInfo
End If

Tune this script for your environment, then save with .VBS extension and
apply with GPO

Good luck

Niclas Lindblom

"a_user" <anonymous@discussions.microsoft.com> wrote in message
news:7BF0CA50-7FB0-4BB3-BF4A-9CDB10820FDD@microsoft.com...
> If going this route removes the existing administrators minus the
> individuals specifically mentioned in the restricted groups policy, this
> will not work in my situation. Every user of the local computer is made a
> member of that machine's administrator group so they have full control
> over their own system; this is done because many users have laptops and
> travel, making it impossible for the IT staff to do everything on their
> behalf, such as install critical updates, new print drivers at different
> office locations, modify their TCP/IP properties etc. Yes, power users
> group would allow this, but we can't change 500 systems now.
>
> Any other suggestions?
Anonymous
May 7, 2004 11:12:18 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

thanks
Anonymous
May 8, 2004 5:39:49 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Here's what I do. I configure a GPO for the OU containing my workstations.
I set a computer startup script (so it runs in the context of the machine)
and run the following command:

net localgroup administrators domain\group /add

In the dialogue box, I have "net" as the command and the remainder as the
parameters.

Hope this helps

Oli




"mark" <mark.mckeon@rcc.edu> wrote in message
news:a0b501c43479$51563d70$a001280a@phx.gbl...
> Is there a simple way to have win2k and winxp machines
> automatically add an additional domain group to the local
> administrators group when logging in? I want to keep the
> existing domain group intact on the local machine and
> just add another.


"a_user" <anonymous@discussions.microsoft.com> wrote in message
news:7BF0CA50-7FB0-4BB3-BF4A-9CDB10820FDD@microsoft.com...
> If going this route removes the existing administrators minus the
> individuals specifically mentioned in the restricted groups policy, this
> will not work in my situation. Every user of the local computer is made a
> member of that machine's administrator group so they have full control
> over their own system; this is done because many users have laptops and
> travel, making it impossible for the IT staff to do everything on their
> behalf, such as install critical updates, new print drivers at different
> office locations, modify their TCP/IP properties etc. Yes, power users
> group would allow this, but we can't change 500 systems now.
>
> Any other suggestions?
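
An additive, rerunnable take on the startup-script approach in the replies above that also lists who is currently in the local Administrators group, so the effect of a Restricted Groups member list can be checked before it is applied. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell 3.0 or later on the client, and `EXAMPLEDOM/Workstation Admins` is a placeholder name.

```powershell
# Added example (not from the thread). Run elevated, e.g. as a computer startup script.
param(
    # Hypothetical placeholder: DOMAIN/account-or-group, forward slash as WinNT paths require
    [string]$Principal = 'EXAMPLEDOM/Workstation Admins',
    # Report only; make no change to the group
    [switch]$ReportOnly
)

$computer = $env:COMPUTERNAME
$target   = "WinNT://$Principal"
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# Current members as ADsPath strings, e.g. WinNT://DOMAIN/name
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# One row per existing member. Rows with IsTarget = False are the accounts a
# Restricted Groups member list naming only $Principal would not include.
$members | ForEach-Object {
    [pscustomobject]@{
        Computer = $computer
        Member   = $_
        IsTarget = ($_ -eq $target)    # -eq on strings is case-insensitive
    }
}

if ($members -contains $target) {
    Write-Verbose "$Principal is already a member on $computer"
}
elseif ($ReportOnly) {
    Write-Warning "$Principal is missing from Administrators on $computer"
}
else {
    # Additive: existing members are left in place
    $group.Add($target)
    Write-Verbose "Added $Principal on $computer"
}
```

Running it with `-ReportOnly` first gives a per-machine inventory of local administrators without changing anything.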