Re: Adding local users from domain as local PC admin(?)

From: "Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx>
Date: Thu, 23 Feb 2006 12:46:09 -0000

For a one off operation, COMPMGMT.MSC or a script should be used. For
global changes, restricted groups can be used but tends to do more harm than
good. Remember, restricted groups is designed to enforce group memberships.
Personally, I find a script (startup or run as an admin) the best way of
doing this as you can log this information and create a rollback mechanism.
Another way, of which I have only just learnt, is CUSRMGR.EXE.

You must also consider what you are doing and why. For specific users, this
is tedious and wrong. REGMON, FILEMON, and the Application Compatibility
Toolkit are what is needed in this scenario.

I've seen too many problems caused by widespread use of restricted groups.
It is a great feature, but if you have customised local groups on an ad-hoc
computer basis, it causes all manner of problems (followed by grief).

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

.

Follow-Ups:
- Re: Adding local users from domain as local PC admin(?)
  - From: Cary Shultz
- Re: Adding local users from domain as local PC admin(?)
  - From: Cary Shultz

References:
- Adding local users from domain as local PC admin(?)
  - From: nilo
- Re: Adding local users from domain as local PC admin(?)
  - From: Cary Shultz

Prev by Date: Re: Problem with assigned apllication!!!
Next by Date: Re: Problem with assigned apllication!!!
Previous by thread: Re: Adding local users from domain as local PC admin(?)
Next by thread: Re: Adding local users from domain as local PC admin(?)
Index(es):
- Date
- Thread

Relevant Pages

Re: Add a domain user group to local computer administrator group
... I searched in the group policy for those Restricted groups, ... >> I used a script like the one you gaves, but the script didn't work on ... >>> ' Bind to domain user CNProgramming ...
(microsoft.public.windows.server.scripting)
Re: Adding local users from domain as local PC admin(?)
... the script or Computer Management is a good way to do it. ... 'local group in question' and replace it with 'your group of choice'. ... it is worth) and you do need to make sure that the correct patch is applied ... I also agree that if Restricted Groups is used too much that it is a bad ...
(microsoft.public.windows.server.active_directory)
Re: Help with my WMI
... You could use the "Restricted Groups" policy to add members to a "Restricted ... > I would like my script to Add a specified group to the pc's Local Admin ...
(microsoft.public.win2000.group_policy)
Re: script to list users and groups in domain admin and local admi
... >> Domain admins membership can be determined easily enough in Active ... >> using the net command and such to enumerate local administrators. ... If you want to use Restricted Groups ... >>>I am looking for a script or guidance to write a script that will list ...
(microsoft.public.win2000.security)
Re: Re: problem with giving domain users local admim rights
... The startup script could ... > group of domain computers using the "net localgroup" command. ... > however be a startup script which will then run in system context. ... > works well in situations where you do not want to use restricted groups ...
(microsoft.public.win2000.group_policy)