Re: localgroup administrators




You probably need to use a little script that runs from the startup script,
which inquires the membership of the local Administrators group and
removes anything that is not a group and is from the domain (i.e. remove
all domain user accounts but none of the domain groups nor any of the
machine local accounts).

I do not understand what you are trying to do, as %username% only
has a value in the login session of the %username% account, but you
said you are running this from a machine startup script, not a user
login script. In practice, you could however do this from login script
since the account would be removing itself from Administrators (and
this would of course only succeed the first time).


"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E306F894-03D6-48C8-9156-3C1A4D12AD96@xxxxxxxxxxxxxxxx
I have tested both xp and 2000 workstations using %username% for a logon -
user configuration, and computer config in a startup. The 2000 computers do
not work with these policies so far. All workstations have multiple domain
users in the administrators group. Some servers are 2000 and some are 2003.

"Roger Abell [MVP]" wrote:

"Yvonne" <Yvonne@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E361D06-C8E1-410E-92CE-EEC9C5BE98C3@xxxxxxxxxxxxxxxx
I need to set a group policy to remove domain users and only add domain
admins to local group administrators on workstations. Mixed xp and 2000
environment. W2k3 server. I am trying to use net localgroup administrators
/add and /delete.
Using a startup script with only test computers having read access. What
variable can I use for the domain users, and will this work? Is there a
script for this?

When you say "domain users" are you meaning specific domain
user accounts, or the group Domain Users?
Is it just the syntax for
net localgroup Administrators "domain\Domain Users" /delete
that you are after ?
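
The membership check described in the reply at the top of this message, written as a machine startup script in VBScript with the ADSI WinNT provider. This is an added example, not code from any poster in the thread; the DRY_RUN constant and the Classify helper are names assumed for illustration.

```vbscript
Option Explicit
Const DRY_RUN = True   ' assumption: switch to False after reviewing the output

Dim net, machine, group, member, verdict, toRemove, path
Set net = CreateObject("WScript.Network")
machine = net.ComputerName
' The WinNT provider exposes the machine-local Administrators group.
Set group = GetObject("WinNT://" & machine & "/Administrators,group")
Set toRemove = CreateObject("Scripting.Dictionary")

' Pass 1: classify every member without modifying the group mid-enumeration.
For Each member In group.Members
    verdict = Classify(member, machine)
    WScript.Echo verdict & vbTab & member.ADsPath
    If verdict = "REMOVE" Then toRemove.Add member.ADsPath, True
Next

' Pass 2: remove only the domain user accounts selected in pass 1.
For Each path In toRemove.Keys
    If Not DRY_RUN Then group.Remove path
Next

' Returns "REMOVE" only for user accounts that come from a domain.
Function Classify(m, machineName)
    Dim parts, authority
    ' ADsPath is WinNT://DOMAIN/name for domain principals and
    ' WinNT://DOMAIN/MACHINE/name for accounts local to this machine.
    parts = Split(Mid(m.ADsPath, Len("WinNT://") + 1), "/")
    authority = UCase(parts(0))

    If LCase(m.Class) <> "user" Then
        Classify = "KEEP-GROUP"      ' e.g. Domain Admins
    ElseIf UBound(parts) >= 2 Then
        Classify = "KEEP-LOCAL"      ' machine-local account
    ElseIf UBound(parts) = 0 Or authority = UCase(machineName) _
        Or authority = "NT AUTHORITY" Or authority = "BUILTIN" Then
        Classify = "KEEP-OTHER"      ' no domain/name pair, or well-known principal
    Else
        Classify = "REMOVE"          ' domain user account
    End If
End Function
```

Run it with cscript.exe so that WScript.Echo writes to the console instead of raising a dialog, and leave DRY_RUN set to True until the listed REMOVE entries match what you expect.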







