Sign in with
Sign up | Sign in
Your question

About Restricted Groups

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
June 15, 2005 7:03:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

I want to add a user named 'NewAdmin' into workstation's Administrators
groups (Local Group) in about 50 workstations. How is it possible?
--
I like Microsoft Newsgroups, Which provides to help me.

Thanks to Microsoft

More about : restricted groups

Anonymous
a b 8 Security
June 16, 2005 12:37:09 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

If these 50 computers are members of domain then you can run a Startup Scrip
on OU where computer accounts are in. You can use this script:

net localgroup "Administrators" "domain\NewAdmin" /add

I hope this helps,

--
Mike
Microsoft MVP - Windows Security

"Asif Razzaq Attari" <AsifRazzaqAttari@discussions.microsoft.com> wrote in
message news:7A17BB11-DDF2-47DA-A7DF-70C114A3F819@microsoft.com...
>I want to add a user named 'NewAdmin' into workstation's Administrators
> groups (Local Group) in about 50 workstations. How is it possible?
> --
> I like Microsoft Newsgroups, Which provides to help me.
>
> Thanks to Microsoft
Anonymous
a b 8 Security
June 16, 2005 12:17:01 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Aside from the startup script option, which is a good alternative
(but it runs at each startup when one time would be sufficient for
an initial membership addition) one may also use a restricted
group definition, as you subject implies, if set in a GPO linked
to an OU that has those machines in its scope. Be aware that a
restricted group definition must state the complete and total
membership of the group being restricted, and, if use is made
of the member-of part (in addition to the members-in part) then
that must also state the complete and total memberships for
the group being restricted. In your case, you would need to
name the new domain account, the unadorned Administrator
account (the machine local one on each affected machine),
the Domain Admins group, and any other principals that need
to be in each and every impacted machine's local Administrators
group. It is convenient to use the polcy setting to rename the
built-in Administrators group in the same GPO so that you
have assurance that it is renamed the same way on all the
impacted machines.

--
Roger Abell
Microsoft MVP (Windows Security)

"Asif Razzaq Attari" <AsifRazzaqAttari@discussions.microsoft.com> wrote in
message news:7A17BB11-DDF2-47DA-A7DF-70C114A3F819@microsoft.com...
> I want to add a user named 'NewAdmin' into workstation's Administrators
> groups (Local Group) in about 50 workstations. How is it possible?
> --
> I like Microsoft Newsgroups, Which provides to help me.
>
> Thanks to Microsoft
!