Add domain Admin account to all Win2k Clients local admin ..

Archived from groups: microsoft.public.win2000.group_policy

Hello,

I posted this question about a week ago, received an answer with an included script, and I have just spent nearly two hours searching to find that post and I can't!!

We have about 500 win2k client machines in our environment, we add a domain administrator account to the local admin group of our win2k clients to permit vulnerability scanning, patch management, etc. About 250 of our machines do not have this account added. I know there is a script that you can apply to the computer accounts in the run scripts at logon gpo that will apply a domain admin user to the local admin group of all win2k/xp clients that the policy applies to.

Could someone please post that script? It was an MVP last time; I don't remember who it was, or what darn name I posted under, or what I called the topic, or what section I posted under, so I can't find that post now :-(

Many thanks!!
  1. Archived from groups: microsoft.public.win2000.group_policy

    If you are using Active Directory, add "Administrators" to the list of
    Restricted Groups within Group Policy, then add Domain Admins as the
    allowable member of the Administrators group. The local group will be
    updated to reflect this change the next time that Group Policies are
    refreshed.

    Caveat - this will remove anyone other than Domain Admins from the local
    Administrators group, so you may need to customize the group membership
    based on your specific configuration.

    --
    ******************************
    Laura E. Hunter - MCSE, MCT, MVP
    Replies to newsgroup only


    "a_user" <anonymous@discussions.microsoft.com> wrote in message
    news:7ECAD43B-3403-44D7-A04D-073EC8E7F85B@microsoft.com...
    > Hello,
    >
    > I posted this question about a week ago, received an answer with an
    > included script, and I have just spent nearly two hours searching to find
    > that post and I can't!!
    >
    > We have about 500 win2k client machines in our environment, we add a
    > domain administrator account to the local admin group of our win2k clients
    > to permit vulnerability scanning, patch management, etc. About 250 of our
    > machines do not have this account added. I know there is a script that
    > you can apply to the computer accounts in the run scripts at logon gpo
    > that will apply a domain admin user to the local admin group of all
    > win2k/xp clients that the policy applies to.
    >
    > Could someone please post that script? It was an MVP last time; I don't
    > remember who it was, or what darn name I posted under, or what I called the
    > topic, or what section I posted under, so I can't find that post now :-(
    >
    > Many thanks!!
  2. Archived from groups: microsoft.public.win2000.group_policy

    If going this route removes the existing administrators minus the individuals specifically mentioned in the restricted groups policy, this will not work in my situation. Every user of the local computer is made a member of that machine's administrator group so they have full control over their own system. This is done because many users have laptops and travel, making it impossible for the IT staff to do everything on their behalf, such as install critical updates, new print drivers at different office locations, modify their TCP/IP properties, etc. Yes, the power users group would allow this, but we can't change 500 systems now.

    Any other suggestions?
  3. Archived from groups: microsoft.public.win2000.group_policy

    You can use ADSI to add your account to the local admin group. Here is a
    sample to get you going:

    Dim oAdminGroup
    Dim oWshNetwork
    Dim sDomain
    Dim sComputer
    Dim sAdminAccount

    Set oWshNetwork = CreateObject("WScript.Network")
    sDomain = "My Domain Name"
    sComputer = oWshNetwork.ComputerName
    ' WinNT ADsPaths separate domain and account with a forward slash
    sAdminAccount = sDomain & "/" & "The Administrator Account to Add"

    ' Bind to the local Administrators group on this computer
    Set oAdminGroup = GetObject("WinNT://" & sComputer & "/Administrators")

    ' Add the account only if it is not already a member
    If Not oAdminGroup.IsMember("WinNT://" & sAdminAccount) Then
        oAdminGroup.Add "WinNT://" & sAdminAccount
        oAdminGroup.SetInfo
    End If

    Tune this script for your environment, then save with .VBS extension and
    apply with GPO

    Good luck

    Niclas Lindblom

    "a_user" <anonymous@discussions.microsoft.com> wrote in message
    news:7BF0CA50-7FB0-4BB3-BF4A-9CDB10820FDD@microsoft.com...
    > If going this route removes the existing administrators minus the
    > individuals specifically mentioned in the restricted groups policy, this
    > will not work in my situation. Every user of the local computer is made a
    > member of that machine's administrator group so they have full control
    > over their own system. This is done because many users have laptops and
    > travel, making it impossible for the IT staff to do everything on their
    > behalf, such as install critical updates, new print drivers at different
    > office locations, modify their TCP/IP properties, etc. Yes, the power users
    > group would allow this, but we can't change 500 systems now.
    >
    > Any other suggestions?
  4. Archived from groups: microsoft.public.win2000.group_policy

    thanks
  5. Archived from groups: microsoft.public.win2000.group_policy

    Here's what I do. I configure a GPO for the OU containing my workstations.
    I set a computer startup script (so it runs in the context of the machine)
    and run the following command:

    net localgroup administrators domain\group /add

    In the dialogue box, I have "net" as the command and the remainder as the
    parameters.

    Hope this helps

    Oli


    "mark" <mark.mckeon@rcc.edu> wrote in message
    news:a0b501c43479$51563d70$a001280a@phx.gbl...
    > Is there a simple way to have win2k and winxp machines
    > automatically add an additional domain group to the local
    > administrators group when logging in? I want to keep the
    > existing domain group intact on the local machine and
    > just add another.


    "a_user" <anonymous@discussions.microsoft.com> wrote in message
    news:7BF0CA50-7FB0-4BB3-BF4A-9CDB10820FDD@microsoft.com...
    > If going this route removes the existing administrators minus the
    > individuals specifically mentioned in the restricted groups policy, this
    > will not work in my situation. Every user of the local computer is made a
    > member of that machine's administrator group so they have full control
    > over their own system. This is done because many users have laptops and
    > travel, making it impossible for the IT staff to do everything on their
    > behalf, such as install critical updates, new print drivers at different
    > office locations, modify their TCP/IP properties, etc. Yes, the power users
    > group would allow this, but we can't change 500 systems now.
    >
    > Any other suggestions?
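
An added example, not posted by anyone in this thread: an audit script that reports whether the expected domain account is in the local Administrators group and lists every current member, which shows both which clients still lack the account and who a Restricted Groups policy would remove. The account name `MYDOMAIN/ScanAdmins` is a placeholder, and the group name assumes an English-language Windows installation.

```vbscript
Option Explicit

' Assumed placeholder: the domain account or group that should be a local admin.
Const EXPECTED = "MYDOMAIN/ScanAdmins"

Dim oNet, aComputers, sComputer
Set oNet = CreateObject("WScript.Network")

' Audits only the local machine as written; add host names to the array
' to check other clients over the network.
aComputers = Array(oNet.ComputerName)

For Each sComputer In aComputers
    WScript.Echo AuditAdmins(sComputer)
Next

' Returns one tab-separated line: host, status, current group members.
Function AuditAdmins(sHost)
    Dim oGroup, oMember, sName, sMembers, bFound

    On Error Resume Next
    Set oGroup = GetObject("WinNT://" & sHost & "/Administrators,group")
    If Err.Number <> 0 Then
        AuditAdmins = sHost & vbTab & "UNREACHABLE" & vbTab & "0x" & Hex(Err.Number)
        Exit Function
    End If

    bFound = False
    sMembers = ""
    For Each oMember In oGroup.Members
        ' ADsPath has the form WinNT://DOMAIN/name; drop the provider prefix.
        sName = Mid(oMember.ADsPath, Len("WinNT://") + 1)
        If LCase(sName) = LCase(EXPECTED) Then bFound = True
        sMembers = sMembers & sName & "; "
    Next
    On Error GoTo 0

    If bFound Then
        AuditAdmins = sHost & vbTab & "OK" & vbTab & sMembers
    Else
        AuditAdmins = sHost & vbTab & "MISSING" & vbTab & sMembers
    End If
End Function
```

Run it with cscript.exe so the report goes to the console instead of message boxes.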