local workstation groups on server?

When adding a domain user account to a group under Member Of for the user's properties, how can I add groups from their local workstation machines?

The Look In pull-down is greyed out and I can only select the domain name.

Basically, I want to give the domain accounts they log into their workstations with local administrative privileges, but still keep them as Domain Users.

thanks!
loyaliser Asked:
mdiglio Commented:
Hello,
Make sure you are logged into the domain when trying to do this and
you are using an account that would have the proper permissions to perform this task.

Let us know if this is already the case.
loyaliser (Author) Commented:
I am logged into the server using the administrator account. I go into the Active Directory manager and try to add local groups to the domain accounts but cannot, because the Look In pull-down is locked to the domain only... I cannot select a workstation on the network.

thanks!
mdiglio Commented:
Hello,
I think you are going about this the wrong way.
You cannot add a local workstation group to a domain user's 'member of' property.

You need to add the domain user to the local workstation's group.

To avoid visiting each machine you can follow these steps:
right click My Computer >> Manage >> right click "Computer Management (Local)" >> "Connect to another computer"

Or you can copy the code below into a text file >> change the variable Names >> give the file a .vbs extension

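' Add a domain user to a local group on a remote workstation (ADSI WinNT provider)
strPDC = "ServerName"            ' primary domain controller name
strLocalMachine = "Workstation"  ' workstation whose local group is changed
strUser = "domainUser"           ' domain user account to add
strGroup = "LocalGroup"          ' name of the local group on the workstation
' Bind to the workstation, then to the local group on it
Set oDomain = GetObject("WinNT://" & strLocalMachine)
Set oGroup = oDomain.GetObject("Group", strGroup)
' Add the domain account to that local group
oGroup.Add "WinNT://" & strPDC & "/" & strUser
Set oGroup = Nothing
Set oDomain = Nothing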

Hope this helps  
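
The same WinNT provider calls applied to several workstations at once, as an added example that is not part of the original answer: it skips accounts that are already members, reports machines it cannot reach, and lists the resulting membership so the change can be reviewed. The domain name, workstation names and the AddToLocalGroup helper are assumptions made for illustration.

```vbscript
Option Explicit

' Constructed sample values (assumptions, not from the original post).
Const DOMAIN_NAME = "EXAMPLEDOM"      ' NetBIOS name of the domain
Const USER_NAME   = "domainUser"      ' domain account to add
Const GROUP_NAME  = "Administrators"  ' local group on each workstation
Dim arrMachines, strMachine
arrMachines = Array("WKSTN01", "WKSTN02", "WKSTN03")

For Each strMachine In arrMachines
    WScript.Echo strMachine & ": " & AddToLocalGroup(strMachine)
Next

' Hypothetical helper: adds the domain user to the local group on one
' machine and returns a status string. Reruns leave membership unchanged.
Function AddToLocalGroup(strComputer)
    Dim oGroup, oMember, blnMember, strUserPath, strMembers
    strUserPath = "WinNT://" & DOMAIN_NAME & "/" & USER_NAME

    On Error Resume Next
    Set oGroup = GetObject("WinNT://" & strComputer & "/" & GROUP_NAME & ",group")
    If Err.Number <> 0 Then
        AddToLocalGroup = "cannot bind to group (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    ' Evaluate membership into a variable so a failure is caught by Err.
    blnMember = oGroup.IsMember(strUserPath)
    If Err.Number <> 0 Then
        AddToLocalGroup = "membership check failed (0x" & Hex(Err.Number) & ")"
        Exit Function
    End If

    If blnMember Then
        AddToLocalGroup = "already a member"
    Else
        oGroup.Add strUserPath
        If Err.Number <> 0 Then
            AddToLocalGroup = "add failed (0x" & Hex(Err.Number) & ")"
            Exit Function
        End If
        AddToLocalGroup = "added"
    End If

    ' List the resulting membership so the change can be reviewed.
    For Each oMember In oGroup.Members
        strMembers = strMembers & " " & oMember.Name
    Next
    AddToLocalGroup = AddToLocalGroup & "; members:" & strMembers
End Function
```

Run it with cscript.exe from an account that has administrative rights on the target workstations, and keep the output as a record of which machines were changed.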

mdiglio Commented:
Hello,
I should rephrase one part:

To avoid visiting each machine you can follow these steps:
right click My Computer >> Manage >> right click "Computer Management (Local)" >> "Connect to another computer" >>
expand "Local Users and Groups" >> click on "Groups" >> double click "Power Users" >> click "Add" >> fill in the domain name
prelude812 Commented:
loyaliser -
What you are trying to do is not possible through Windows 2000, because if it was there would be no security in Windows 2000.

You cannot add a local user object or computer object to a server's local user groups; you can only add a DOMAIN\SECURITY-GROUP or DOMAIN\USERID to the local groups.
prelude812 Commented:
From the way you are going about things, I can tell you are from the NT4 administration era, so here is what you need to do to get your users where they need to be.

First create a UserID in your AD (all references to a 2000 domain will be AD = Active Directory).
Now go to the PC with the local user you want to have domain rights.
Log on as the local admin and add the DOMAIN/USERID to the LOCAL ADMINS group (this keeps the user a local admin of this machine while having domain privileges).
Log off admin, then log on as DOMAIN/USERID.

Logging on to the domain, you have three options that have to be filled in:

USER ID
Password
DOMAIN (MAKE SURE THIS IS THE DOMAIN AND NOT THE LOCAL PC)

Once logged on, you should have a clean desktop. Restart the computer and log back on as LOCAL ADMINISTRATOR.

Right click on My Computer, click the User Profiles, then click on the COMPUTERNAME\USERID profile.
Then click [Copy To] and browse to Documents and Settings > userid.domain.
Copy it to that folder, then change the "permitted to use" to DOMAIN\USERID.

Now you can add your DOMAIN\USERID to your server's local groups and not affect anything for the user.

mdiglio Commented:
Thank you, I'm glad you got it working.