Members in Group To Local Admin Group

Status
Not open for further replies.

JannieEss

Technical User
Oct 1, 2004
ZA
Currently using a Startup Script to add a "Security Group" to the "Local Administrators" group on workstations in a specific OU. More than 2000 workstations in the OU. With this implementation, all users that are in the "Security Group" that is added to the "Local Administrators" group can administer other workstations.
What I need:-
Using the existing "Security Group", I only want those members to be added to the "Local Administrators" group without sending technicians around doing it. "Restricted Groups" will not help me here, because I'll run into the same problem.
I know what I want, but have no clue how to do this.... Maybe a logon script that checks to see if the user is part of this group and adds only his %username% to the "Local Administrators" group. If someone did have a solution that might have been published, I'm the newbie here in this forum.


 
Will sound sarcastic, but as mentioned, I do not wish to use "Restricted Groups", because I wish to add individual users to the "Local Administrators" group and not a "Security Group".

I know the feature, using "Restricted Groups" will wipe everything, but my clients are at risk if I add groups to the "Local Administrators" group, because then all members in that group can browse those workstations (they are Administrators of those workstations).

Example:-
If a user belongs to a "Security Group", add that user to the "Local Administrators" group.
 
Why can't you just use this in your login script?

net localgroup administrators "DOMAIN\GROUPNAME" /add

Hope that helps.
 
JannieEss, I have a startup script that you can push out to all machines using group policy that adds any specified group to the local admins group on the workstations, let me know if you would like it.
 
I do not wish to use "Restricted Groups", because I wish to add individual users to the "Local Administrators" group and not a "Security Group".

"If a user belongs to a "Security Group", add that user to the "Local Administrators" group."

Your post is very confusing to me. Those two statements above conflict with each other. Do you want to add all users that are members of a particular group to the local administrators group on specific workstations? If so, restricted groups is what you are looking for.

I think some clarification is needed with what you are looking to accomplish.
 
MrMM,
It seems that no one understands what I'm trying to achieve.
You can send me the script if you want, let's clear this up quickly.
I know how to use "Restricted Groups" to limit group membership to the "Local Administrators" group. This option I can use, to make sure that the group that should have admin rights to his/her workstation will apply. NOT WHAT I WANT.
I know how to use a "startup script" to populate a group to the "Local Administrators" group for those that need admin rights. THIS IS NOT WHAT I WANT.

Scenario:-
I've got different OUs of workstations, let's say Laptops and Desktops. With applications that require a user to have admin rights on his/her workstation, I need to provide something to make that user's workstation secure. When applying groups to the "Local Administrators" group, all members in that group can manipulate any workstation where the group is applied. This option, "applying a security group to the local administrators group", is not feasible, because I'm opening those workstations to all members in that group.

Solution:-
Not applying a group to the "Local Administrators" group, I wish to add individual user accounts to the "Local Administrators" group. Keep in mind, I'm sitting with more than 2000 workstations in these OUs. My requirements are to check if a user belongs to a "Security Group", then add his/her account to the "Local Administrators" group.

Maybe scripting using a "logon script" can work, but this script has to run against a "Domain Admins" account, to check if the user belongs to this "Security Group" add his/her account to the "local Administrators" group.

I'm not sarcastic here, but I do not wish "Restricted Groups" OR "Startup Script" to add groups to the "Local Administrators" group, BUT check if a user belongs to a "Security Group" and add his/her account to the "Local Administrators" group.

Thanks for all the assistance so far, but unfortunately I cannot use any of the suggestions, because I'm using it currently, but that workstation is not secure to give everyone access to one workstation when a group is applied.
 
If you would like somebody to be a local admin for only as long as they are logged into the PC add the local account INTERACTIVE to the local administrator group.

Pos - Users can not browse default shares of other PCs
Neg - ANYBODY that logs into that PC will be a local admin unless you did something wacky in a script checking group membership to add Interactive if needed. You would also need to pull it out when they logged off (or removed it at the start of the logon script for the next person).

More of what you were looking for?
 
QTIN,

Almost what I want, but as you mentioned, I want to use a startup script checking the membership of a group and add that user in the group to the "Local Administrators" group.

The INTERACTIVE account I will still be running a risk with to give everyone logging onto his/her workstation that have admin rights.

HOW?
I do have some sort of a script that will do this, but can someone assist how to run this as a logon script and use the runas command.
REASON!
The logon user will have no admin rights to add his/her account to the admin group, but if I can build a runas command using a domain admin account to do the additions then I'm good to go.
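
The per-user approach discussed in this thread, as an added PowerShell example that is not from any poster: run as a computer startup script, which executes as Local System and can already edit local groups, it needs no domain admin password in a script. It removes the domain group from the local Administrators group and adds only the one user mapped to the workstation, if that user is a member of the group. The group name, the CSV path and its Computer/UserPrincipalName columns are hypothetical.

```powershell
# Added example (not from the thread). Intended to run as a computer startup
# script, i.e. as Local System, which can already edit local groups.
param(
    [string]$SourceGroup = 'EXAMPLE\WorkstationAdmins',          # hypothetical group
    [string]$MapFile     = '\\fileserver.example\cfg\owners.csv' # hypothetical path
)
$ErrorActionPreference = 'Stop'
$adminsSid = 'S-1-5-32-544'    # well-known SID of BUILTIN\Administrators

# Resolve the domain security group to its SID.
$groupSid = [System.Security.Principal.NTAccount]::new($SourceGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# SIDs currently in the local Administrators group.
$current = @(Get-LocalGroupMember -SID $adminsSid | ForEach-Object { $_.SID.Value })

# 1. The group itself must not be a local admin: that is what makes every
#    member an administrator of every workstation in the OU.
if ($current -contains $groupSid) {
    Remove-LocalGroupMember -SID $adminsSid -Member $groupSid
    Write-Output "Removed $SourceGroup from local Administrators"
}

# 2. Look up the one user assigned to this workstation (constructed CSV layout:
#    Computer,UserPrincipalName).
$row = Import-Csv -Path $MapFile |
    Where-Object { $_.Computer -eq $env:COMPUTERNAME } |
    Select-Object -First 1
if (-not $row) { Write-Output 'No user mapped to this workstation'; return }

# 3. Build an identification-only token for that user (Kerberos S4U, no
#    password needed) and read the user's SID and transitive group SIDs from it.
$identity = [System.Security.Principal.WindowsIdentity]::new($row.UserPrincipalName)
try {
    $userSid = $identity.User.Value
    $inGroup = @($identity.Groups | ForEach-Object { $_.Value }) -contains $groupSid
} finally {
    $identity.Dispose()
}

# 4. Reconcile: the user is a local admin only while in the security group.
if ($inGroup -and $current -notcontains $userSid) {
    Add-LocalGroupMember -SID $adminsSid -Member $userSid
    Write-Output "Added $($row.UserPrincipalName) to local Administrators"
} elseif (-not $inGroup -and $current -contains $userSid) {
    Remove-LocalGroupMember -SID $adminsSid -Member $userSid
    Write-Output "Removed $($row.UserPrincipalName) from local Administrators"
}
```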


 