
How do I add another local admin group on new machines??


unclerico

IS-IT--Management
Jun 8, 2005
2,738
US
Whenever I join a machine to my domain, the Domain\Domain Admins group is added to the Administrators group on the local machine. How can I make it so that when machines get added to the domain both the Domain\Domain Admins group and the Domain\Help Desk group get added to the local Administrator group?? Hope this makes sense. Thanks.
 
I think this can be via Group Policy...

I am not sure if this is only an option on 2k3 or 2k, but I have done it before.
 
If this is a GPO, can someone nudge me in the direction of the Key to look for?? thanks.
 
Use net localgroup localgroupname "%username%" /add; you might check net help localgroup for syntax.

------------------------------------
Directory Services/Exchange Consultant
 
benlu, thanks for that, however, I keep getting "System Error 5 has occurred. Access is denied". My syntax is as follows:
Code:
net localgroup Administrators "Domain\Help Desk" /add
Any ideas?? Thanks.
 
You need to log on to that box as admin to add any user account into the local admin group.

------------------------------------
Directory Services/Exchange Consultant
 
you can write a vb script to do this

Option Explicit
Dim strComputer, objGroup, objUser
strComputer = "computername"   ' target machine (NetBIOS name)
' Bind to the local Administrators group on the target machine
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
' Bind to the domain group to be added (no space is allowed after the comma)
Set objUser = GetObject("WinNT://domain/groupname,group")
objGroup.Add objUser.ADsPath

This is not a logon script; you can execute it with a domain admin account.
 
thanks benlu and hartlen, although I don't think that this will solve my problem. What I would like is for the Domain\Help Desk group to be added to the local administrators group on the client machine without anyone from the Domain\Help Desk group needing to first log on as an admin because that would defeat what I am trying to accomplish. I have tried to use Restricted Groups in Group Policy and it worked for the most part except the Domain\Help Desk group got added to the Builtin - Administrators group in AD which I did not want to happen. This is supposed to accomplish two things:
1) I have built a custom console (using Taskpad views) so that the Help Desk group can reset passwords and unlock user accounts. The way it is set up currently works for this portion because the Help Desk group can only perform those tasks and only on the specified OUs.
2) I need the Help Desk group to be configured as local admins for when they go to users' work areas and troubleshoot issues with the PCs. When I got this functionality to work by using Restricted Groups it superseded my security restrictions on #1 above and allowed the Help Desk group to do anything that they wanted with the custom console.

I am probably just babbling on and on, but I am hoping that there is a solution to this one. Thanks a lot.
 
Can you just not make the Helpdesk security group a member of the Local Administrators security group in AD or failing that make the Helpdesk security group a member of the builtin Administrators group? Anyone then logging onto a PC as a Helpdesk user would then have total control over the machine without having to be set up as a user on the PC.
 
emozley, that is what I did with the Restricted Groups GPO that I created...it worked, however, it also let the Help Desk group do what ever they wanted in AD as opposed to being locked down to only do password resets and unlocking accounts. Maybe I missed something??
 
You can create a security template that has the users you want added to the local admin group. Once you create the template you can put it in a GPO that is assigned to the OU with the machines you want.
 
tubbaguts and the rest thanks for your help but I think I have it figured out, well maybe. I created a test OU and placed a single machine inside of it...I created a GPO under Computer Configuration | Windows Settings | Scripts | Startup and created a script to do the following:
Code:
net localgroup Administrators "Domain\Help Desk" /add
It works beautifully. I had tried this before (as posted earlier) and it didn't work, however, in researching this further I found out that NTFRS replication was not functioning correctly so none of the changes being made were replicating between both DC's. I have since fixed the replication issue and everything is working beautifully. If anyone can think of security issues or performance issues or anything else about my method please let me know. Thanks.
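A present-day equivalent of the startup script in the post above, as an added example that is not part of the original thread. It runs as SYSTEM from Computer Configuration | Windows Settings | Scripts | Startup, so nobody from the Help Desk group has to log on to the machine first, and it addresses two things a plain net localgroup line does not: it is idempotent (net localgroup returns an error when the group is already a member, which shows up as a failed startup script every boot), and it refuses to run on a domain controller, where the local "Administrators" group is the domain's Builtin\Administrators group, which is the side effect the original poster hit with Restricted Groups. The group name 'DOMAIN\Help Desk' and the log path are assumptions; replace them with your own. It needs the LocalAccounts module (Windows PowerShell 5.1 or later).

```powershell
# Added example: GPO computer-startup script that makes a domain group a member of the
# local Administrators group, idempotently. Not code from the original thread.
# Assumed group name; replace with your own domain and group.
param(
    [string]$GroupToAdd = 'DOMAIN\Help Desk'
)

$ErrorActionPreference = 'Stop'
$logPath = Join-Path $env:WINDIR 'Temp\AddLocalAdmin.log'   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $logPath -Append -Encoding utf8
}

# Refuse to run on a domain controller. On a DC "Administrators" is the domain's
# Builtin\Administrators group, so adding Help Desk there would hand out domain-wide
# admin rights. Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 2) {
    Write-Log "Domain controller detected; not touching Builtin\Administrators."
    exit 0
}

# Resolve the domain group to its SID so the membership check is not fooled by
# a renamed group or by name-format differences (DOMAIN\name vs. name@domain).
$account   = New-Object System.Security.Principal.NTAccount($GroupToAdd)
$targetSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

# Bind to the local Administrators group by its well-known SID (S-1-5-32-544),
# which is stable even if the group has been renamed or the OS is localised.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$admins    = Get-LocalGroup -SID $adminsSid

$alreadyMember = Get-LocalGroupMember -Group $admins | Where-Object { $_.SID -eq $targetSid }
if ($alreadyMember) {
    Write-Log "$GroupToAdd ($targetSid) is already a member of $($admins.Name); nothing to do."
    exit 0
}

Add-LocalGroupMember -Group $admins -Member $targetSid
Write-Log "Added $GroupToAdd ($targetSid) to $($admins.Name)."

# Verify the change actually landed before reporting success, so a silent failure
# (for example the domain not being reachable at boot) is visible in the log.
$nowMember = Get-LocalGroupMember -Group $admins | Where-Object { $_.SID -eq $targetSid }
if (-not $nowMember) {
    Write-Log "Verification failed: $GroupToAdd not found in $($admins.Name)."
    exit 1
}
```

Link the GPO only to the OU(s) that hold workstations, never at the domain root: startup scripts and Restricted Groups are both computer policies, so whatever container they are linked to determines which machines (including domain controllers) process them. If you do go back to Restricted Groups, the "This group is a member of" setting adds the domain group to the local group, while "Members of this group" replaces the local group's membership with exactly the list you give it.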
 