Using GPO to add user to Local Administrator Group

Status
Not open for further replies.

Rockabee

IS-IT--Management
Jun 24, 2005
12
GB

Hi All,

I am sure this must be a simple task but not being a programmer I am having trouble sorting out the syntax.

I have a network whereby the users will quite often sit at different machines from day to day. Our software writers will dump software updates onto the server overnight. In order to get the updates automatically at Logon the user has to be a member of the local administrators group.

Question: Using Group Policy to try and make a user a member of the Local Administrators Group I have created a domain group called "Techies" and placed all the users in it. I have then created an OU called LocalAdmins. I then created and linked a Policy to it. In the Policy under User Configuration\Windows Settings\Scripts\Logon I have linked a cmd file with the following line:

net localgroup administrator [Domain]\localadmins /add

Surprise Surprise it doesn't work.

Can I actually do what I am trying to do and if so, How?

BTW the Server is Win2003 and the workstations are all XP Pro.

Regards,

RB
 
Your logic is backwards. Your script needs to add the domain user to the local administrators group. Looks like you're attempting to add the local administrator user account (not group) to the localadmins OU?

Hope This Helps,

Good Luck!
 
You should create a Security Group in AD called LocalPCAdmins or what not. Add this group to the local pc administrators group in any fashion you wish. Add the users to the LocalPCAdmins group in AD that you want to have local admin rights on any given pc. This helps keep things cleaner and easier to manage, you can add and remove users quickly from the local administrator group from AD.

Hope this helps,

RoadKi11
 
To make things easy, look into the GPO setting of "Restricted Groups". This setting allows you to place any Global/Local Group inside the local machine groups.

Example, I have placed a Global Group called, "IT" into the local computer's Administrator group.

Here is the link to help.


 
Redirected Groups is the way to go. On top of being able to ADD things to it, it'll make the group match the policy. So - if there are already other members in that group, the policy will remove them (if your policy doesn't specify them). Make sure your policy using Restricted Groups includes the Domain Admins!

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
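
What that replace behaviour means for one machine's Administrators group, as an added example that is not part of the thread: it reads the `[Group Membership]` section that a Restricted Groups policy stores in the GPO's GptTmpl.inf and previews which members would be added or removed, and whether Domain Admins stays. The SIDs, the sample file content and the function names are constructed for illustration.

```python
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed GptTmpl.inf fragment; the domain SID and RID 1105 are made up.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
"""


def policy_members(inf_text, group_sid=ADMINISTRATORS):
    """Members the policy enforces for group_sid, or None if it is not restricted."""
    wanted = (group_sid + "__members").lower()
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lstrip("*").lower() == wanted:
                return {m.strip().lstrip("*") for m in value.split(",") if m.strip()}
    return None


def is_domain_admins(sid):
    # Domain Admins is always <domain SID>-512.
    return sid.startswith("S-1-5-21-") and sid.endswith("-512")


def preview(policy, current):
    """Effect of the 'Members' list: the local group is made to match it exactly."""
    return {
        "added": sorted(policy - current),
        "removed": sorted(current - policy),
        "domain_admins_kept": any(is_domain_admins(m) for m in policy),
    }


if __name__ == "__main__":
    # Constructed current membership of one workstation's Administrators group.
    current = {"S-1-5-21-1111-2222-3333-512", "S-1-5-21-1111-2222-3333-1234"}
    result = preview(policy_members(SAMPLE_INF), current)
    print(result)
    if not result["domain_admins_kept"]:
        print("WARNING: policy does not list Domain Admins")
```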
 

Hi All,

Well, thanks to you all for the replies. As usual, there are always at least three ways to do things in Windows.

On this occasion I will follow the advice offered by Magnum1976; the links he offered to restricted groups look like the way I should be doing things, so Star to him and many, many thanks to the rest of you.

Thanks Guys.
 
Restricted groups is great BUT keep in mind that you cannot add/remove anyone to groups on those machines on an individual level. Any changes must be applied policy wide and cannot be done per pc. I started to do this myself and realized that once you put in the restricted group, NO changes are allowed at any level unless you change the policy for everyone.

I decided to use a startup script that does a net localgroup in the bootup environment.
 
You can have multiple GPOs that configure group membership with Restricted Groups, and just use filtering or OUs to hit the appropriate machines.

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
 