Re: Group Policy




"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eEhHHOT5JHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
Kerry <Phanindra@xxxxxxxx> wrote:
We have a requirement where certain group needs to be added into
administrators group of all computers in the domain. Tried using the
restricted groups, however this GP setting will remove all the users
and groups which are pre-existing in the local Administrators group
on all computers. This can be really fatal, as we might have special
business application requirements where there will be some domain or
local users/groups that have been already added to the local
administrators group, which will be removed by setting this policy.
If we decide to identify the list of users/groups that are present
today in the administrators group on computers and include that in
the restricted GP, it will give admin privileges for everyone in that
group which is not the objective.

I want to achieve the below:
The Domain User of the PC to be only added to his local
administrators group, along with another Domain Group. Can this be
done? We are using Windows Server 2003.

Regards

I'm confused by your post. Which is it you want to add? A "Certain group"
or each domain user? Go with the former - if absolutely necessary. I would
never want to grant local admin rights to end users as a matter of course.
Only actual IT folk should have admin rights (and really, not even using
their 'daily driver' accounts). I promise you that you can make your
software work without this - it can be tedious, but it is entirely doable.
And it will vastly improve security, reliability & consistency on your
workstations, as well as minimizing support costs for desktops.

All that aside: to add a domain group to the local administrators group
without using restricted groups, you could use a startup script...e.g.,

net localgroup administrators DOMAIN\groupname /add
or if there's a space....
net localgroup administrators "DOMAIN\group name" /add



It can also be done remotely with a VBScript program. For example:
========
' Bind to group object (to be added to local Administrators group).
Set objDomainGroup = GetObject("WinNT://MyDomain/NewGroup,group")

' Specify NetBIOS name of remote computer.
strComputer = "MyComputer"

' Bind to local Administrators group on remote computer.
' Trap error if computer not available.
On Error Resume Next
Set objLocalAdmGroup = GetObject("WinNT://" & strComputer & _
    "/Administrators,group")
If (Err.Number = 0) Then
On Error GoTo 0
' Check if domain group already a member.
If (objLocalAdmGroup.IsMember(objDomainGroup.ADsPath) = False) Then
' Add the domain group to the local Administrators group.
objLocalAdmGroup.Add(objDomainGroup.ADsPath)
End If
Else
On Error GoTo 0
Wscript.Echo "Computer " & strComputer & " not available"
End If
======
You could also code a script to loop through several computer names to do
this in bulk. You could read the NetBIOS names of the computers from a text
file, using the FileSystemObject. Or, you could use ADO in a VBScript
program to retrieve all computer names in the domain. Here is a link to a
similar program that resets the local Administrator password for all
computers in the domain:

http://www.rlmueller.net/Reset_Local_Admin_Passwords.htm

This program reads a text file of "missing" computers and operates on these.
If there is no text file, it creates a list of all computers in the
domain (as long as the Operating System caption does not include the string
"server"). If the program cannot contact a computer, the name is written to
a new "missing" computer text file. This program could be modified to add
the specified domain group to the local Administrators group, instead of
resetting the password for the local Administrator user.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
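The bulk-update approach Richard describes (and the startup-script use Lanwench mentions), as an added PowerShell example that is not part of the original thread: it binds through the same WinNT ADSI provider as the VBScript above, checks membership before adding, falls back to the local computer when no list file exists (so the same script works as a startup script), and records unreachable computers to a "missing" file for a repeat run. The domain name, group name, file paths and function name are placeholders, not values from the thread.

```powershell
# Added example (not from the original post). Adds one domain group to the
# local Administrators group on each computer listed in a text file, skipping
# computers where it is already a member, and writes unreachable computers to
# a "missing" file so the run can be repeated against only those.
# Domain, group and file names below are assumptions.
param(
    [string]$DomainGroupPath = "WinNT://MyDomain/NewGroup,group",  # assumed group
    [string]$ComputerList    = ".\computers.txt",                  # one NetBIOS name per line
    [string]$MissingFile     = ".\missing.txt"
)

function Add-DomainGroupToLocalAdmins {
    param(
        [Parameter(Mandatory)] [string]$Computer,
        [Parameter(Mandatory)] [string]$GroupPath
    )
    try {
        # WinNT provider bind. The [ADSI] cast itself is lazy, so an
        # unreachable computer surfaces as an exception on the first Invoke,
        # which plays the role of the On Error Resume Next check in the VBScript.
        $localAdmins = [ADSI]"WinNT://$Computer/Administrators,group"
        if ($localAdmins.Invoke("IsMember", $GroupPath)) {
            return "AlreadyMember"
        }
        $localAdmins.Invoke("Add", $GroupPath)
        return "Added"
    }
    catch {
        return "Unreachable: $($_.Exception.Message)"
    }
}

# No list file: operate on this computer only (startup-script use, runs as SYSTEM).
$computers = if (Test-Path $ComputerList) {
    Get-Content $ComputerList | Where-Object { $_.Trim() -ne "" }
} else {
    @($env:COMPUTERNAME)
}

# Collect only the names that could not be contacted; Write-Host is not
# part of the output stream, so $missing holds just those names.
$missing = foreach ($c in $computers) {
    $result = Add-DomainGroupToLocalAdmins -Computer $c -GroupPath $DomainGroupPath
    Write-Host ("{0,-20} {1}" -f $c, $result)
    if ($result -like "Unreachable*") { $c }
}

if ($missing) { $missing | Set-Content $MissingFile }
```

Run it as an account that is already a local administrator on the target computers (for the startup-script case the local SYSTEM account is sufficient), for example `.\Add-LocalAdminGroup.ps1 -DomainGroupPath "WinNT://CORP/Workstation Admins,group" -ComputerList .\computers.txt`. Because membership is checked before `Add`, rerunning the script is harmless, which matters for a startup script that executes at every boot.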

