Adding AD group to all client machines

Auger282 (MIS), Sep 27, 2003
By default, when a workstation joins the domain, the "Domain Admins" AD group is added to the local machine's Administrators group.

In our case we are not the "Domain Admins"; we are local site admins and have our own group in AD to specify the members of our local group.

We need to do two things: add our domain group to the local admins list and remove the Domain Admins group from the local admins list.

I'm hoping we can do this via AD, batch, or VB scripting.
I'm guessing someone has had to do this before.

Can you point me in the right direction?
 
You should not need to do this as the main AD forest is used for authentication.

So if you are set in the AD as a group, your rights follow you per logon.

This should be controlled via your 'logon script' & this is where you should be setting this.

You should check with the 'domain admins' as to what GPOs there are, as these will take precedence.

rvnguy
"I know everything..I just can't remember it all
 
I'm confused... do I set up a GPO for our computer group that specifies our admin group as the local administrators?

If this is controlled via the GPO, then what would I need in the login script?

On that note, could you recommend a good Active Directory book? Our Windows Server 2003 book isn't cutting it.

thanks!
 
"do I set up a GPO for our computer group that specifies our admin group as the local administrators"

Not precisely. This is accomplished by creating 'groups'.
Normally persons 1 to 5 are made part of the 'everyone group', the xx group, the 'Local admin group' and so on.

This is done by logon name; a general logon will allow those permissions assigned to each group that you are a part of, and this is authenticated through the 'Domain AD'.

If this is done at/through the main domain AD then you actually don't have to do anything else. You will belong to the groups that are specified and will have permissions to resources as defined by the 'group'.

This is better for Server 2000 but does cover many of the changes in Server 2003. You should either know JScript or Perl to use this effectively, but it also covers basics within MS Server.

Active Directory Cookbook for Windows Server 2003 and Windows 2000 (Paperback)


rvnguy
"I know everything..I just can't remember it all
 
I am going to try to refer this to the 'Server 2003' forum to markdmac and hope that he responds to you. He is extremely adept at this.

rvnguy
"I know everything..I just can't remember it all
 
Hi Guys, I saw the bat signal. ;-)

Easiest way to do this with a script is to use the net localgroup command. You can easily script the adding of the one group and removal of the other. I would however only advise doing the former and not the latter. Domain Admins should always have access to the machine for when the excrement hits the air oscillator.

Here is a script that does the job:
Code:
'==========================================================================
'
' NAME: AddUserToLocalAdminGroup.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 8/8/2004
'
' COMMENT: <comment>
'
'==========================================================================
On Error Resume Next

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

'Edit the next line with your domain name
DomainString = "DomainName"
UserString = WSHNetwork.UserName

'Add the user to the local admins group
Call WSHShell.Run("cmd.exe /C net localgroup administrators " & DomainString & "\" & UserString & " /add")

'Remove the user from the local admins group
'Call WSHShell.Run("cmd.exe /C net localgroup administrators " & DomainString & "\" & UserString & " /delete")

Note that in this example I am adding the local user (this was used for login). Change DomainString & "\" & UserString to be DomainString & "\LocalAdminGroupName"

I hope you find this post helpful.

Regards,

Mark
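An added example (not from the thread or from Mark's script) showing the same net localgroup approach in PowerShell, done the way Mark advises: the site admin domain group is added, Domain Admins is deliberately left in place, and the resulting membership is read back and audited. The domain and group names are placeholders.

```powershell
# Added example, not part of the original post. Adds a site-admin AD group to the
# local Administrators group with "net localgroup", leaves Domain Admins in place,
# and audits the resulting membership. Domain/group names below are placeholders.
param(
    [string]$Domain    = 'DOMAINNAME',       # placeholder: NetBIOS name of your domain
    [string]$SiteGroup = 'SiteLocalAdmins'   # placeholder: your site admin AD group
)

function Get-LocalAdminMembers {
    # Parse "net localgroup administrators": member names sit between the dashed
    # separator line and the "The command completed" trailer.
    $lines  = net localgroup administrators 2>&1
    $inList = $false
    foreach ($line in $lines) {
        if ($line -match '^-{5,}')                { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim())             { $line.Trim() }
    }
}

$target  = "$Domain\$SiteGroup"
$members = @(Get-LocalAdminMembers)

# Idempotent add: a group rather than individual users, so membership stays managed in AD.
if ($members -contains $target) {
    Write-Host "$target is already a member of local Administrators."
} else {
    net localgroup administrators $target /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net localgroup failed with exit code $LASTEXITCODE" }
}

# Re-read and audit. Domain Admins is expected and kept; anything else is flagged for review.
$members  = @(Get-LocalAdminMembers)
$expected = @($target, "$Domain\Domain Admins", 'Administrator')
foreach ($m in $members) {
    $status = if ($expected -contains $m) { 'expected' } else { 'REVIEW' }
    Write-Host ("{0,-9} {1}" -f $status, $m)
}
```

Run it as a user who is already a local administrator (or under PSEXEC, as Mark suggests later in the thread); lines marked REVIEW are members not on the expected list.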
 
Thank You Mr. Mark

rvnguy
"I know everything..I just can't remember it all
 
Is there a way to do this remotely (not going to each machine)?

Thanks,
Andrew
 
You would run the script via login to the system, not per computer.
 
The easiest way I can suggest to run this on each machine locally is to download a copy of PSEXEC from the Sysinternals web site. That will allow you to execute the code from a remote station.

Combine PSEXEC with the techniques I outline in my FAQ faq329-4871. All in all about 10 minutes of effort if you read my FAQ and the help info for PSEXEC.

I hope you find this post helpful.

Regards,

Mark
 
If your Domain Admins are really OK with you removing them from the local Administrators groups on your computers, then use Group Policy to add your Site Administrators group to the local Administrators group of each computer. The feature of Group Policy is called "Restricted Groups."

When the policy takes effect, or is refreshed, all extra users and groups are removed, and only those users and groups you specified are added to the local admins group.

Beware of the politics of such a decision.
D
 