Re: Add domain user to local group script troubleshoot

From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/26/04


Date: Thu, 25 Mar 2004 19:43:13 -0600

mtothej wrote:

> Richard, thanks for the help. The WinNT path to the domain user works
> great. Here's the catch; it works great when I'm already a member of the
> local admins group. I have admin rights to my OU (we're a branch office),
> and thus my Computers OU underneath, but am not a domain admin and so am not
> by default in the local admins group of each computer. Is there a script
> which would add a user (or group) to the local admins group of all computers
> in an OU - I guess this would have to be run via Group Policy and dropped on
> the computers as they booted? Otherwise it could be run by a domain admin I
> guess. Any ideas? Thx...

Hi,

Actually, if you use Group Policy, the best way is to use a Startup script.
Startup scripts run with System privileges on the local computer (before any
user logs on) and can add members to the local Administrators group. Best
practice would be to add a domain group to the local Administrators group on
every PC. This way, membership can be easily modified in the future without
touching the machines again. Group Policy can be applied to the OU.

One other consideration is that it is cleaner to add the group once, and not
attempt to repeat the process. In the past I have used code similar to
below, which only adds the domain group to the local group if it is not
already a member:

' Specify AdsPath of domain group to be added to
' local Administrators group.
strDomainGroup = "WinNT://MyDomain/ComputerAdmins,group"

' Bind to domain group.
Set objDomainGroup = GetObject(strDomainGroup)

' Retrieve local computer NetBIOS name.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
  & "/Administrators,group")

' Check if domain group already a member.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
  ' Add domain group to local group.
  objLocalGroup.Add(objDomainGroup.AdsPath)
End If

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
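
An added example, not part of the post above: a companion audit script that uses the same WinNT provider to confirm the domain group is in the local Administrators group and to flag members outside an allowlist. The allowlist entries, status labels and exit codes are assumptions for illustration; MyDomain/ComputerAdmins is the placeholder name from the script in the post.

```vbscript
Option Explicit
Dim objNetwork, strComputer, objLocalGroup, objMember
Dim dictExpected, strTarget, strPath, blnTargetFound, intUnexpected

' Domain group the startup script is supposed to add (placeholder from the post).
strTarget = "MyDomain/ComputerAdmins"

' Assumed allowlist of domain members, written relative to "WinNT://".
Set dictExpected = CreateObject("Scripting.Dictionary")
dictExpected.CompareMode = vbTextCompare   ' must be set before adding keys
dictExpected.Add strTarget, True
dictExpected.Add "MyDomain/Domain Admins", True

' Bind to the local Administrators group, as in the post.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

blnTargetFound = False
intUnexpected = 0
For Each objMember In objLocalGroup.Members
  ' Strip the provider prefix so paths compare against the allowlist.
  strPath = Mid(objMember.AdsPath, Len("WinNT://") + 1)
  If StrComp(strPath, strTarget, vbTextCompare) = 0 Then blnTargetFound = True

  If InStr(1, "/" & strPath, "/" & strComputer & "/", vbTextCompare) > 0 Then
    ' Local account or group: the computer name is a path component.
    Wscript.Echo "LOCAL      " & strPath & " (" & objMember.Class & ")"
  ElseIf dictExpected.Exists(strPath) Then
    Wscript.Echo "EXPECTED   " & strPath
  Else
    ' Includes unresolved SIDs left behind by deleted accounts.
    Wscript.Echo "UNEXPECTED " & strPath
    intUnexpected = intUnexpected + 1
  End If
Next

If Not blnTargetFound Then Wscript.Echo "MISSING    " & strTarget

' Assumed exit codes: 0 = clean, 1 = target group missing, 2 = unexpected members.
If intUnexpected > 0 Then
  Wscript.Quit 2
ElseIf Not blnTargetFound Then
  Wscript.Quit 1
End If
Wscript.Quit 0
```

Run it with cscript.exe so the Echo output goes to the console instead of message boxes.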

