Re: Want to add users to their local Admin group

From: Marin Marinov (mlmarinov_at_askme.ca)
Date: 04/21/04 

Date: Wed, 21 Apr 2004 14:21:39 -0400

In article <OGUa4T5JEHA.620@tk2msftngp13.phx.gbl>,
d__k@removethispart.mail.ru says...
> Quote from Jason's:
>
> "I can go around to
> each PC, and manually add them to the Admin group, but that will be very
> time consuming, not to mention annoying."
>
> Above assumes adding user to Administrators group on more than one PC.
> Restricted Groups with GPO are the way to do this. Maybe it's me who gets
> the question wrong, but since there is a problem with performing this
> operation on more than on PC, I think we should use GPO here. Otherwise we
> could just manually add user to Administrators on a single given PC without
> even usinc scripts and such.
Sure we won't make Jason go to each PC and add users manually ;) And my
suggestion was using a script that *connects* consecutively to each
machine and adds a user in this machine's Administrators. Another
alternative I'd also go for is remote execution - Psexec.exe from
Sysinternals, a simple text file in the format <MachineName>,<UserName>,
and execute net user /add in a FOR loop. Again, no tampering with the
specific machine.

On the other hand, Restricted groups would be great if we could
configure them for use in this specific situation - just this time they
don't have the flexibility to accomplish the goal. For example, we have
PC-1 with user Joe, PC-2 with user Mary, and PC-3 with user Peter. All
these PCs are in the same OU, we create and link a GPO and we come to
the point where we should configure the Restricted Groups. And here's
where I cannot think of a way to do this via the interface - how will I
tell that Joe should go to PC-1\Administrators, Mary to PC-2
\Administrators, and Peter to PC-3\Administrators? Feel free to bash me
on the head with a resolution, I couldn't find one and, of course, I
might be missing something ;) 

-- 
Cheers,
   Marin Marinov
   MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no 
rights.

Relevant Pages

  • Re: Problem with Group script..
    ... Administrators to the GPO under restricted Groups. ... > Hello Peter ...
    (microsoft.public.windows.server.scripting)
  • Re: Restricted Groups not taking effect right away
    ... in the GPO restricted group: ... I created a GPO that adds the "NL7Pilot" group as a member of the Local ... Administrators group through Restricted Groups, ...
    (microsoft.public.win2000.group_policy)
  • Re: Rights to local machine
    ... Inside of GPOs there is Restricted Groups node. ... If in a GPO linked to an OU containing the machines ... should be in the Administrators group on impacted ...
    (microsoft.public.windows.group_policy)
  • Re: Help needed setting up roaming administrator
    ... >Administrators group (just type in Administrators, don't browse for it, ... >add your Roaming Local Admins group to the Members of this group section ... GPO associated with the OU that contains the computers I want to use ... restricted group and to define the groups the restricted group will ...
    (microsoft.public.win2000.security)
  • Re: Restricted group functionality
    ... GPO that affects the computer side of things you would have to make sure ... that the computer account objectin question are located in an OU (well, ... we are targeting the administrator group. ... making use of the Restricted Groups can be a bit more difficult than ...
    (microsoft.public.windows.group_policy)