Add Domain Group to Local Administrators Group through policy without replacing those already established.
Posted on 2006-05-30
Our AD consists of about 20 groups where our different departments are not allowed to log onto other departments'/users' computers. For example, Bob is allowed to log onto his own computer and Frank's, but Frank is not allowed into Bob's. We have added a PCAdministrator Global Security Group and have added Jim to the group. We want this group to be added to all of the computers' local Administrators group but not the Domain Administrators group.
We understand that the script to do this will work but is full of security holes and the person logging in must be a local admin to have it actually run.
NET localgroup Administrators /add "Domain"\PCAdministrator
The Restricted Group method works great but will actually replace any local admins already in place. Since there are too many computers to go around to individually to add the PCAdministrator group, even through Computer Management, we are figuring there must be a different/better method. Also, the Restricted Group method added the PCAdministrator to the AD Builtin Administrators group... this is definitely not good.
Any help is greatly appreciated.
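
One way to add the group without touching existing members, as an added example that is not part of the original post: a PowerShell script assigned as a computer startup script through Group Policy, so it runs as LocalSystem rather than as the logged-on user. `DOMAIN` is a placeholder for the NetBIOS domain name, the function names are hypothetical, and Windows PowerShell 5.1 (for the LocalAccounts cmdlets) is assumed.

```powershell
# Added example: intended to run as a computer *startup* script (LocalSystem),
# so the logged-on user does not need to be a local admin.
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.PowerShell.LocalAccounts

# Assumption: 'DOMAIN' is a placeholder for the NetBIOS domain name.
$GroupToAdd = 'DOMAIN\PCAdministrator'

# Well-known SID of the local Administrators group; independent of the
# group's display name, so renamed or localized groups still match.
$AdminsSid = 'S-1-5-32-544'

function Test-IsDomainController {
    # ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2
}

function Add-DomainGroupToLocalAdmins {
    param(
        [Parameter(Mandatory)] [string] $Member,
        [Parameter(Mandatory)] [string] $GroupSid
    )
    try {
        # Additive: existing members of the group are left untouched.
        Add-LocalGroupMember -SID $GroupSid -Member $Member
        return 'Added'
    }
    catch [Microsoft.PowerShell.Commands.MemberExistsException] {
        # Idempotent: a second run on the same machine is a no-op.
        return 'AlreadyPresent'
    }
}

if (Test-IsDomainController) {
    # On a DC, "Administrators" is the domain's Builtin\Administrators group,
    # which must not receive this group.
    Write-Output 'Domain controller detected; skipping.'
    return
}

$result = Add-DomainGroupToLocalAdmins -Member $GroupToAdd -GroupSid $AdminsSid
Write-Output "$GroupToAdd : $result"
```

Link the GPO that carries this startup script to the OUs holding workstations, not to the domain root or the Domain Controllers OU.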