Add Domain Group to Local Admin Group

Archived from groups: microsoft.public.win2000.group_policy

Is there a simple way to have win2k and winxp machines
automatically add an additional domain group to the local
administrators group when logging in? I want to keep the
existing domain group intact on the local machine and
just add another.
4 answers
  1.

    As you hint at, the Restricted Groups feature of Group Policy replaces the
    existing group membership.

    Here's what I do. I configure a GPO for the OU containing my workstations.
    I set a computer startup script (so it runs in the context of the machine)
    and run the following command:

    net localgroup administrators domain\group /add

    In the dialogue box, I have "net" as the command and the remainder as the
    parameters.

    Hope this helps

    Oli


    "mark" <mark.mckeon@rcc.edu> wrote in message
    news:a0b501c43479$51563d70$a001280a@phx.gbl...
    > Is there a simple way to have win2k and winxp machines
    > automatically add an additional domain group to the local
    > administrators group when logging in? I want to keep the
    > existing domain group intact on the local machine and
    > just add another.
  2.

    We currently have a machine login script that actually runs (yes, we
    fought long and hard to get it to do so). Unfortunately, our newly
    upgraded domain tree is still flat with the servers in the same
    container as the workstations. We have a group we wish to add to the
    local administrator group of the workstations only. If we apply the
    script to users we run into a similar problem as Domain Administrator
    and other server-specific domain users are also in the same container as
    all the other users.

    I've been looking at combining the "net localgroup" concept with
    IfMember. Does IfMember work with computer accounts or just user
    accounts?

    If with computer accounts:

    ifmember workstations
    if not errorlevel 1 exit
    net localgroup administrators domain\group /add

    If only with user accounts:

    ifmember mortalUsers
    if not errorlevel 1 exit
    net localgroup administrators domain\group /add


    Oli Restorick [MVP] wrote:
    > As you hint at, the Restricted Groups feature of Group Policy replaces the
    > existing group membership.
    >
    > Here's what I do. I configure a GPO for the OU containing my workstations.
    > I set a computer startup script (so it runs in the context of the machine)
    > and run the following command:
    >
    > net localgroup administrators domain\group /add
    >
    > In the dialogue box, I have "net" as the command and the remainder as the
    > parameters.
    >
    > Hope this helps
    >
    > Oli
    >
    >
    >
    >
    > "mark" <mark.mckeon@rcc.edu> wrote in message
    > news:a0b501c43479$51563d70$a001280a@phx.gbl...
    >
    >>Is there a simple way to have win2k and winxp machines
    >>automatically add an additional domain group to the local
    >>administrators group when logging in? I want to keep the
    >>existing domain group intact on the local machine and
    >>just add another.
    >
    >
    >
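A fuller version of the computer startup script that Oli and Laura describe, added here as an example and not taken from either post. It checks the current membership first so that repeated boots do not keep re-adding the group, adds the group only when it is missing, logs the outcome, and skips servers by reading the ProductType registry value (WinNT on Windows 2000/XP Professional, ServerNT or LanmanNT on servers) instead of relying on IfMember, whose behaviour under a computer account this thread does not settle. The group name CORP\Workstation Admins and the log path are placeholders, and the registry check assumes reg.exe is available (built in on XP, from the Support Tools on Windows 2000).

```batch
@echo off
rem Computer startup script (runs as LocalSystem at boot) that adds one extra
rem domain group to the local Administrators group without touching the
rem members that are already there. Example for this thread, not a poster's code.
rem Assumed placeholders: the group name and the log path.
setlocal
set "GROUP=CORP\Workstation Admins"
set "LOG=%SystemRoot%\Temp\add-local-admin.log"

rem Workstation-only guard: ProductType is WinNT on Windows 2000/XP Professional,
rem ServerNT on member servers and LanmanNT on domain controllers. If the value
rem cannot be read, PTYPE stays empty and the script does nothing (fail closed).
for /f "tokens=3" %%p in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType ^| findstr /i ProductType') do set "PTYPE=%%p"
if /i not "%PTYPE%"=="WinNT" (
    echo %date% %time% skipped: ProductType is "%PTYPE%" >> "%LOG%"
    exit /b 0
)

rem Idempotency check: "net localgroup administrators" prints one member per
rem line, so look for an exact, case-insensitive, literal line match.
net localgroup administrators | findstr /i /l /x /c:"%GROUP%" > nul
if not errorlevel 1 (
    echo %date% %time% already present: %GROUP% >> "%LOG%"
    exit /b 0
)

rem Add the group; net.exe returns a non-zero exit code on failure.
net localgroup administrators "%GROUP%" /add
if errorlevel 1 (
    echo %date% %time% FAILED to add %GROUP%, net exit code %errorlevel% >> "%LOG%"
    exit /b 1
)
echo %date% %time% added %GROUP% >> "%LOG%"
exit /b 0
```

Assign it as a computer startup script (Computer Configuration, Windows Settings, Scripts) on the GPO linked to the workstation OU, exactly as Oli describes; the ProductType guard is only a belt-and-braces measure for a flat container and does not replace GPO security filtering, which keeps the script off the servers in the first place.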
  3.

    Laura <user@example.net> wrote in message news:<#2SS1cFQEHA.3220@TK2MSFTNGP09.phx.gbl>...

    > We have a group we wish to add to the
    > local administrator group of the workstations only. If we apply the
    > script to users we run into a similar problem as Domain Administrator
    > and other server-specific domain users are also in the same container as
    > all the other users.

    You can put global groups in the local administrators with
    the "restricted groups" Group Policy setting. To block this
    setting from applying to servers, put your servers in a "servers"
    group and remove/deny read and/or apply access to the GPO.

    Here is the GPO path:
    Computer Configuration\Windows Settings\Security Settings\Restricted Groups

    The following link contains detailed instructions:

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065

    I would recommend this over trying to do this from a logon script.
    If you are going to do this via script, it should be a _startup_ script,
    and even then, the "restricted groups" Group Policy setting is the better way
    to go.

    --
    Matt Hickman
    ...are we buying a spaceship, or are we getting to supper on
    time?
    - Robert A. Heinlein's _The Rolling Stones_
  4.

    Hi Laura

    You can do this very easily with GPO. If you right-click the GPO, you'll
    find that you can change the security options for the GPO. Remove the
    default apply option for "authenticated users" and add the specific security
    group(s) you want. This is known as filtering.

    I'd recommend you move your servers to one OU and your workstations to
    another for ease of management.

    Also, you should be aware that if you log in to any of these workstations
    using a domain administrator account, those you have given administrative
    access to the machine could become domain administrators with a bit of
    scripting. It depends on your environment as to whether you see this as a
    threat.

    Hope this helps

    Oli


    "Laura" <user@example.net> wrote in message
    news:%232SS1cFQEHA.3220@TK2MSFTNGP09.phx.gbl...
    > We currently have a machine login script that actually runs (yes, we
    > fought long and hard to get it to do so). Unfortunately, our newly
    > upgraded domain tree is still flat with the servers in the same container
    > as the workstations. We have a group we wish to add to the local
    > administrator group of the workstations only. If we apply the script to
    > users we run into a similar problem as Domain Administrator and other
    > server-specific domain users are also in the same container as all the
    > other users.
    >
    > I've been looking at combining the "net localgroup" concept with
    > IfMember. does IfMember work with computer accounts or just user
    > accounts???
    >
    > If with computer accounts:
    >
    > ifmember workstations
    > if not errorlevel 1 exit
    > net localgroup administrators domain\group /add
    >
    > If only with user accounts:
    >
    > ifmember mortalUsers
    > if not errorlevel 1 exit
    > net localgroup administrators domain\group /add
    >
    >
    > Oli Restorick [MVP] wrote:
    >> As you hint at, the Restricted Groups feature of Group Policy replaces
    >> the existing group membership.
    >>
    >> Here's what I do. I configure a GPO for the OU containing my
    >> workstations. I set a computer startup script (so it runs in the context
    >> of the machine) and run the following command:
    >>
    >> net localgroup administrators domain\group /add
    >>
    >> In the dialogue box, I have "net" as the command and the remainder as the
    >> parameters.
    >>
    >> Hope this helps
    >>
    >> Oli
    >>
    >>
    >>
    >>
    >> "mark" <mark.mckeon@rcc.edu> wrote in message
    >> news:a0b501c43479$51563d70$a001280a@phx.gbl...
    >>
    >>>Is there a simple way to have win2k and winxp machines
    >>>automatically add an additional domain group to the local
    >>>administrators group when logging in? I want to keep the
    >>>existing domain group intact on the local machine and
    >>>just add another.
    >>
    >>
    >>
    >
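Oli's warning above comes down to knowing who is actually in the local Administrators group on each workstation over time, not just who the GPO or script put there. The following batch script, added as an example and not part of any post, lists the group's current members and flags any that are not in a baseline file (one member per line, written the way net localgroup prints them, e.g. `Administrator` or `CORP\Domain Admins`). The baseline and report paths are assumed placeholders, and the check that stops at the trailer line assumes an English-locale net.exe.

```batch
@echo off
rem Audit script: compares the current local Administrators membership with a
rem baseline file and reports every member that is not on the list.
rem Example for this thread, not a poster's code. Paths are placeholders.
setlocal enabledelayedexpansion
set "BASELINE=%~dp0local-admins-baseline.txt"
set "REPORT=%SystemRoot%\Temp\local-admins-report.txt"
set UNEXPECTED=0
set SEEN_SEPARATOR=0

if not exist "%BASELINE%" (
    echo baseline file "%BASELINE%" not found
    exit /b 2
)

rem "net localgroup administrators" prints a header, a dashed separator line,
rem one member per line and then "The command completed successfully."
rem Members are the lines between the separator and the trailer
rem (the trailer text is the English one; other locales differ).
for /f "delims=" %%m in ('net localgroup administrators') do (
    set "LINE=%%m"
    if "!LINE:~0,3!"=="---" (
        set SEEN_SEPARATOR=1
    ) else if !SEEN_SEPARATOR!==1 (
        if /i not "!LINE:~0,11!"=="The command" (
            rem Exact, literal, case-insensitive line match against the baseline.
            findstr /i /l /x /c:"!LINE!" "%BASELINE%" > nul
            if errorlevel 1 (
                echo %date% %time% %COMPUTERNAME% unexpected local admin: !LINE! >> "%REPORT%"
                set /a UNEXPECTED+=1
            )
        )
    )
)

if %UNEXPECTED% gtr 0 (
    echo %UNEXPECTED% unexpected members found, see "%REPORT%"
    exit /b 1
)
echo local Administrators membership matches the baseline
exit /b 0
```

Run it from the same startup GPO after the add-group script, or on a schedule, and collect the report files centrally; a non-zero exit code or a new line in the report is the signal that someone other than the intended groups has become a local administrator, which is the situation Oli's remark about domain administrators logging on to workstations is about.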