Re: Add domain Admin account to all Win2k Clients local admin account.

From: Laura E. Hunter \(MVP\) (hunter(nospamplease)_at_sfs.upenn.edu)
Date: 05/07/04 

Date: Fri, 7 May 2004 10:48:01 -0400

If you are using Active Directory, add "Administrators" to the list of
Restricted Groups within Group Policy, then add Domain Admins as the
allowable member of the Administrators group. The local group will be
updated to reflect this change the next time that Group Policies are
refreshed.

Caveat - this will remove anyone other than Domain Admins from the local
Administrators group, so you may need to customize the group membership
based on your specific configuration. 

-- 
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only
"a_user" <anonymous@discussions.microsoft.com> wrote in message 
news:7ECAD43B-3403-44D7-A04D-073EC8E7F85B@microsoft.com...
> Hello,
>
> I posted this question about a week ago, received an answer with an 
> includeds script and I have just spent nearly two hours searching to find 
> that post and I cant!!
>
> We have about 500 win2k client machines in our environment, we add a 
> domain administrator account to the local admin group of our win2k clients 
> to permit vulnerability scanning, patch management, etc.  About 250 of our 
> machines do not have this account added.  I know there is a script that 
> you can apply to the computer accounts in the run scripts at logon gpo 
> that will apply a domain admin user to the local admin group of all 
> win2k/xp clients that the policy applies to.
>
> Could someone please post that script.  It was an MVP last time, I dont 
> remember who it was, or what darn name i posted under or what i called the 
> topic, or what section i posted under so I cant find that post now :-(
>
> Many thanks!!

Relevant Pages

  • Re: script to list users and groups in domain admin and local admi
    ... >> Domain admins membership can be determined easily enough in Active ... >> using the net command and such to enumerate local administrators. ... If you want to use Restricted Groups ... >>>I am looking for a script or guidance to write a script that will list ...
    (microsoft.public.win2000.security)
  • RE: software to control domain administrators
    ... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators." ... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ...
    (Security-Basics)
  • Re: Settle a Administrators dispute
    ... Administrators Local Group on the DC but not in the Domain Admins ... Global Group, the users of the Global Group do not have the same ... restricted groups policy. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local admin group?
    ... No don't remove the domain admins group from the administrators group for ... Create a global group of users to add the local administrators ... > for the purpose of updates but I don't want them to have admin rights on ...
    (microsoft.public.win2000.security)
  • Re: AD Design
    ... Within a new domain the domain admins can administer the complete domain, ... If you add them to the Enterprise admins, they are able to administer the complete forest. ... By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. ...
    (microsoft.public.windows.server.active_directory)