Re: Remotely changing admin group membership on clients

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 01/17/04


Date: Fri, 16 Jan 2004 20:48:32 -0500

You can use a restricted groups GPO but that will wipe the current
membership of the group and set it to what you want. I.E. If someone is set
locally, they will be gone.

You can use a startup script that has a line like

    NET LOCALGROUP ADMINISTRATORS DOMAIN\GROUP /ADD

This will add the specific group but will only work when the machines are
rebooted.

Finally you could write some sort of script that loops through all of the
machines and either does an ADSI modify call or parses out to a command-line
tool like LG (free win32 tools page of www.joeware.net ) to force the group
membership addition, however you need to be an admin on the machines to do
that.

   joe

-- 
www.joeware.net
"SCavignac" <SCavignac.105dqc@mail.mcse.ms> wrote in message
news:SCavignac.105dqc@mail.mcse.ms...
>
> I am looking for a way to add a domain account to the local
> Administrator's group on all the Windows 2000 and Windows XP
> workstations in the domain.
>
> I do not want to add the account to the Domain Admins group because I
> do not want the person logging on to the local machine to perform
> certain tasks (which require administrative privilege) to be able to
> add or remove the workstation from the domain. The user account I want
> to use also needs to be able to connect remotely to administrative
> shares on the workstations.
>
> I was hoping to be able to use Group Policy or some other 'centralized'
> method to be able to place a domain user account or global group in the
> local admin group.
>
> I am open to any other suggestions as well.
>
> I really don't want to visit every workstation and add the user
> manually.
>
> Any ideas?
>
>
> SCavignac
> ------------------------------------------------------------------------
> Posted via http://www.mcse.ms
> ------------------------------------------------------------------------
> View this thread: http://www.mcse.ms/message292134.html
>
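
The third approach from the reply (a script that loops over the machines and makes an ADSI call) as an added example that is not part of the original thread. The computer names, the CONTOSO domain and the Workstation-Admins group are placeholders, the local group is assumed to carry its English name, and the script must run under an account that is already an administrator on each workstation. It records the existing membership before changing anything and skips machines where the group is already present.

```powershell
# Added example, not from the original thread.
# Placeholders (assumptions): WS-001/WS-002, CONTOSO, Workstation-Admins.
param(
    [string[]]$Computers = @('WS-001', 'WS-002'),
    [string]$Domain      = 'CONTOSO',
    [string]$GroupName   = 'Workstation-Admins'
)

# The WinNT provider reports members without the ",group" class suffix.
$target     = "WinNT://$Domain/$GroupName"
$memberPath = "$target,group"

# Return the ADsPath of every member of a machine's local Administrators group.
# Assumes the English group name; localized builds name the group differently.
function Get-LocalAdminPaths([string]$Computer) {
    $admins = [ADSI]"WinNT://$Computer/Administrators,group"
    @($admins.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$results = foreach ($c in $Computers) {
    try {
        # Snapshot membership first so the change can be reviewed or reverted.
        $before = @(Get-LocalAdminPaths $c)
        if ($before -contains $target) {
            $action = 'AlreadyMember'      # idempotent: nothing to do
        } else {
            $admins = [ADSI]"WinNT://$c/Administrators,group"
            [void]$admins.psbase.Invoke('Add', $memberPath)
            $action = 'Added'
        }
        [pscustomobject]@{ Computer = $c; Action = $action
                           MembersBefore = ($before -join ';'); Error = $null }
    } catch {
        # Unreachable host, access denied, or unknown group all land here.
        [pscustomobject]@{ Computer = $c; Action = 'Failed'
                           MembersBefore = $null; Error = $_.Exception.Message }
    }
}

# Keep a record of what was changed and what was already there.
$results | Export-Csv -NoTypeInformation -Path .\localadmin-changes.csv
$results | Format-Table Computer, Action, Error -AutoSize
```

Unlike the Restricted Groups option, this leaves existing local members in place, and the `MembersBefore` column shows which unexpected accounts already hold local admin rights on each workstation.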

