[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 262
  • Last Modified:

How to deploy new security group to Windows XP desktop machines

I have 280 Windows XP desktop within my environment. We just hired a couple desktop support guys for the first time and would like to create a security group that allows them to just have admin rights to the desktops and not the servers.
How do I deploy the security group to the desktops without going to each machine and adding the group manually?
  • 8
  • 7
  • 2
  • +1
1 Solution
easiest is to create a group in AD and add this to the local machines by using GPO.

in group policy management you can add a security group to the local machine. make the policy a computer policy and implement. next time the computer object connects to the domain it gets the policy and thus the group.
mcsweenSr. Network AdministratorCommented:
Only way I know to do this is to use a specific AD group (like "JuniorAdmins") and create a new GPO that runs a computer startup script that looks like this

net localgroup administrators /add "JuniorAdmins"
If you mean that you want them to have administrator rights on the local machines then see http://www.microsoft.com/technet/scriptcenter/resources/qanda/sept05/hey0923.mspx
Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

bigd563Author Commented:
I have never used GPO what are the basic steps in getting this done? I have already created the group DesktopAdmin and added the members to the group.  What are my next steps? Thanks in advance.
search for group policy management mmc and install it.. that's a start..

then open the mmc..

you will get a Active Directory Users and Computers (ADUC) client of view.

browse to the OU you want to implement this on. IE the computers OU.

Right click it and select create new GPO.

Here you can set all kind of goodie settings and they will be implemented on the clients.. since this a start for you.. I would create a new OU and place 1 machine in it.. and 1 user.. create a policy and login on the machine as the new user.. if nothing happend (or not quick enough) just start > run > gpupdate /force

Play around with it.. make sure it's in the test OU and make sure you at least screw up 1 machine .. you will get an idea of GPO and you will never want to live without it any more :-)

mcsweenSr. Network AdministratorCommented:
Do like RightNL said to get you started.  The specific setting that needs to be applied to get my solution working is

Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown) --> Startup

Create a batch file with this line in it

net localgroup administrators /add "DesktopAdmin"

Add that batch file.

Note that if your servers are in or below the same OU where you link this GPO you will have to create a security group to exclude servers from this policy.  Just create a new Global Group and add all of you servers to it then in Group Policy Management Console Click the policy, Click the Delegation tab, Click the Advanced button, Add the server group and set the permission for "Apply Policy" to deny.
mcsweenSr. Network AdministratorCommented:
FYI - the computer will have to be restarted to get this policy because startup scripts will only run at boot time.  You may want to do a gpupdate /force when testing to get the policy to the machine but it will still have to be restarted.  In production all computers will get the policy within a couple hours then the script will run on their next restart.
why ..
why so difficult ..
computer configuration > windows settings > security settings > Restricted groups

add a group here. and make it a member of  builtin\administrators.

you are done no need for scripts or anything else.
don't use scripts or batch files if not necessary this will only create more files that need to be available to the machine and make the gpo slower than necessary.. especially when in big domains with lots of dc's it will make replication unnecessary slow and painfull..

You can implement it as mentioned above .. I would try to learn and understand GPO so you can grasp the full power of it..

high level GPO is used to control policies that run on the clientcomputer.
there are 2 levels (computer policy and user policy) as the titles tell you the first runs for all users on the machine the second is active on a user account (doesn't matter on which computer the user logs on to)

With GPO you can set certain standard settings and enforce security restrictions for all / groups / OU's

the down side is that it doesn't report back so you will have to trust GPO to do it's work. Upside is once implemented they will stay active unless you take them out. (even if the pc is a laptop working without network access.)
another big plus is it's free ;o)

examples of common stuff done with GPO
enable or disable screensaver (with / without password)
set password policy
install software
set specific settings for office / windows
restrict access to local drives
add favorites / add trusted sites / set firewall options.

mcsweenSr. Network AdministratorCommented:
I do not believe this will work as he wants to make this AD group a member of the local admins group.  The solution I provided came directly from Microsoft support.  I needed to add Enterprise admins to the local administrator group and they provided this to me as a solution.
mcsweenSr. Network AdministratorCommented:
From Microsoft:

When you join a member server or workstation into a domain, System
doesn't add "Enterprise Admins" group into local administrator group.
Local administrator group only include "Domain Admins" group.

If you need full unrestricted access to all admin shares and remote
computer management on every server and workstation in every domain, we
need to add "Enterprise Admins" group into local administrator groups of
the member server or workstation.

1. Please go to a member server or workstation
2. Click start, click Run, type: lusrmgr.msc
3. Click the Group area
4. Double-Click the Administrators group
5. Add "enterprise admins" group into local administrator group

If you'd like to apply this setting automatically:

1. Please create a logon script on "Default Domain Policy" on the each
children domain.
2. Add the following command into a logon script file: net localgroup
administrators /add "enterprise admins"

For more information about how to create a logon script, I'd like to
recommend the following link to you:

Please try the suggestion shown above and tell me the result at your
earliest convenience. If there is anything related this issue I can help
you with, don't hesitate to let me know and I will be happy to help.

Best regards,

Harrison Jiang
MCSE, Support Professional

It will work .. it will place the domain group into the "Builtin\Administrators" group on the local machine (it should be a computer policy .. )

Try it before you say it doesn't work. the restricted part of GPO is build for this.. if the ms support engineer didn't know this than to bad for him.. I've seen MS consultants ruin complete networks and than providing a ooopps and leave the mess behind.. so I'm not really impressed with all of them..

I have this implemented and working like a charme..

But don't take my word for it ... read:


and ofcourse a quote from Technet..  
"Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers."

I rest my case
Why would Microsoft build the restricted groups functionality and then start explaining a way around it by batch files .... it really makes me want to give my microsoft certificates back.... and crawll in a corner and cry..

this is like selling a car to someone and then giving them a brick to put on the gas peddle and saying whatever you do don't use the cruisecontrol just but the brick on the peddle...

with the enterprise admins even... that is by default added to the local administrators through .... THE DEFAULT DOMAIN POLICY ....
I'm calling it a day ..

BigD563 good luck ..

mcsween which ever works for you is fine.. don't pay to much attention to the 3 links I put in there and the link KCTS put in there if it offends you..
mcsweenSr. Network AdministratorCommented:
OK, give it a rest...OMG are you so insecure that you are going to spend the rest of your day on this?
sorry it's been one of those days... and for you it might be just starting but for me the day is ending..

I'm just bit angry with MS for their advise against their own whitepaper etc etc didn't mean to take it out on you..
mcsweenSr. Network AdministratorCommented:
It's OK...just remember we are all here to help.  One solution is often better than another.  One thing I remembered is that I implemented that back when my domain was at w2k functionality.  When I migrated to W2k3R2 I eliminated all of the child domains so that solution was no longer required.

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 8
  • 7
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now