Re: Adding Domain Admins to local computer administrator groups

From: Freddy Hartono (freddy_hartono_at_nonospam.non.agilent.com)
Date: 05/05/04 

Date: Tue, 4 May 2004 21:21:34 -0700

Create a machine startup GPO (machine startup will be run
as SYSTEM context)

create a .bat file put into the correct folder
net localgroup administrators domain\username /add

Or if you want to get fancy (slower i believe) run this
http://support.microsoft.com/default.aspx?scid=kb;en-
us;555026

>-----Original Message-----
>Chris wrote:
>
>> I am trying to add a new domains Domain Admin group
into the local
>adminstrators group on all the workstations in another
domain, can this be
>done via a script and if so can I get a copy of the
script please.
>
>Hi,
>
>I have used a script similar to below for this purpose:
>
>' Specify AdsPath of domain group to be added to
>' local Administrators group.
>strDomainGroup = "WinNT://MyDomain/NewGroup,group"
>
>Set objDomainGroup = GetObject(strDomainGroup)
>Wscript.Echo objDomainGroup.AdsPath
>
>' Retrieve local computer NetBIOS name.
>Set objNetwork = CreateObject("Wscript.Network")
>strComputer = objNetwork.ComputerName
>
>' Bind to local Administrators group.
>Set objLocalGroup = GetObject("WinNT://" & strComputer _
> & "/Administrators,group")
>
>' Check if domain group already a member.
>If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
> ' Add domain group to local group.
>' objLocalGroup.Add(objDomainGroup.AdsPath)
> Wscript.Echo "Not Member, add"
>Else
> Wscript.Echo "Already member"
>End If
>
>Note that users generally do not have sufficient
permissions to add members
>to the local administrators group, so this cannot be done
in a logon script.
>Assuming all client are W2k or above, you can do this in
a Startup script,
>using Group Policy. Startup scriptss run with System
privileges on the local
>machine and can add members to this group. However, I
have never added a
>group from one domain to a local group on a computer in
another domain.
>Success probably depends on the trust relationship, or
you may have to
>supply credentials (which is a security concern).
>
>--
>Richard
>Microsoft MVP Scripting and ADSI
>HilltopLab web site - http://www.rlmueller.net
>--
>
>
>.
>

Relevant Pages

  • Re: need to modify local group membership via VBscript
    ... A logon script runs with the credentials of the user, ... ' Bind to local Administrators group on remote computer. ... Wscript.Echo "Domain Admins already in Administrators on " & strComputer ...
    (microsoft.public.windows.server.scripting)
  • Finding multiple memgers of a group
    ... I am working on a script that will determin if three different ID's ... are in the local Administrators group on a long list of servers. ... Dim objGroup, strComputer, objFSO, objTextFile ... Wscript.Echo "Members of local Administrators group on computer " & ...
    (microsoft.public.scripting.vbscript)
  • Re: How to make a AD group member of the local administrators grou
    ... How can we use the script for multiple computers. ... user account to 100 computers local admin group ... ' Check if group already a member. ... group is still a member of the local Administrators group). ...
    (microsoft.public.windows.server.scripting)
  • Re: Windows XP/2000: Working without administrator rights
    ... > We have recently taken all users out of the Local Administrators group ... remote script run by a domain account that is admin on the target ... machine or when local runas or via GPO ...
    (microsoft.public.security)
  • Re: need to modify local group membership via VBscript
    ... domain admin credentials in the script, then run the script through the ... script would have to use alternate credentials or a third part RunAs tool. ... ' Bind to local Administrators group on remote computer. ...
    (microsoft.public.windows.server.scripting)
Loading