Question about a Startup Script (Adding a group into Local Admin)

[Saavyd]

The idea is to add a domin group into the local Administrators group of every pc in an OU.

I want to add the following code to the startup.bat file in the OU group policy starup scripts.

Net Localgroup Administrators TTM_Tech\TPCG483ADMIN /add

this in theroy should add the group TPCG483ADMIN to the local Administrators group when the computer stats up.

My question is, will the script work like this? Typically, only the administrator of the local computer can add users and groups to the Local administrators group.

 

[djtech2k]

If you get the syntax correct in the batch file it will work. You will want to set this up as a startup script. It will work because when it runs as a GPO, it will run with full control of your machine. It would NOT work if you put it in as a login script (ie ntlogin.bat) and a user that is not local admin logs into the machine.

 

[Daveyd123]

What about using a Restricted Groups GPO?

 

[djtech2k]

The problem with restricted groups is that you cannot make changes to it at all. This means adding or deleting. Often times, a local Administrators group needs to change for different machines. If you set that, its an "all or nothing" scenario.

 

[Daveyd123]

Not entirely true. I have a Restricted Groups GPO on my Domain. I have only Domain Admins and "Help Desk" belonging to the local admins group.

If I need to have a PC have different groups added to their local admins Group, I simply deny Read access to the GPO by that machine name and add whatever groups I want to that particular PCs local admin group

 

[djtech2k]

I understand that, but what I said is true IF the policy is being applied to the machine. Ofcourse if you do not apply the policy it will not apply.