

How to add a domain group to the local Administrators group via GPO (AD 2003 Native)

I need to add a domain group to the Local Administrators group via Group Policy without restricting (deleting) existing accounts and groups which are already part of the Local Administrators group. Also, I need to reset a local admin password through GPO to a particular one as well.
1 Solution
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Use the MemberOf instead of Member in Restricted Groups.

I know of no way to change the password through Group Policy. You can rename the local Administrator account using Group Policy.

For changing the password you can use cusrmgr.exe
You can assign a startup (not logon) script via GPO to reset local admin password.  It works, but it may have security implications since the password is stored in plain text.  I leave the security part up to you to figure out.  ; )

@echo off
net user Administrator <password>

You could probably use the same "net" command to add users to the local admin group, if the "Restricted Groups" policy in Group Policy does not work out. Try "net localgroup /?" at a command prompt for more info.
ihsupport (Author) commented:
I am trying to avoid enabling this through scripts. I still would like to do it through GPO. Thanks.

I'm pretty sure there is no way to change passwords directly using Group Policy.

The NET USER ADMINISTRATOR command suggested by krawz187 is the best bet. You do not need to encode the password in the script however...

Create a 'parameterised' startup script as follows:

@echo off
@NET USER Administrator %1

When you assign the script, you can set the required password in the command line parameters box.
I have not heard of any standard GPO templates that would allow you to change a password. It might be possible to create your own (I did a small amount of research into this) but it is not a simple task and would have to be really critical for me to warrant the time investment.

Using a script or making a small compiled program is going to be the simplest solution. If you don't have a programming tool like Visual Studio or C++ you can use a program like AutoIt. AutoIt is not quite as secure as a true compiled program but does afford some security.

BTW AutoIt is freeware. There is also a similar tool called RunAs Pro (not freeware) that has a better compiler and provides a more secure app.
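Added example, not part of any post in this thread: the Restricted Groups answer above turns on the difference between "Members" (authoritative, removes anything not listed) and "Member Of" (additive). This Python sketch audits the `[Group Membership]` section of a GPO's GptTmpl.inf and reports which of the two a policy applies to the local Administrators group. The sample file contents and domain SIDs are constructed, and the function names are this example's own.

```python
import re

ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GPO's GptTmpl.inf; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
"""

LINE = re.compile(
    r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def parse_group_membership(text):
    """Return (group, kind, [values]) tuples from the [Group Membership] section."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = LINE.match(line) if in_section else None
        if m:
            values = [v.strip() for v in m["value"].split(",") if v.strip()]
            entries.append((m["group"].strip(), m["kind"].lower(), values))
    return entries

def audit(text, target=ADMINS):
    """Classify each entry that affects `target` (local Administrators by default)."""
    findings = []
    for group, kind, values in parse_group_membership(text):
        if kind == "members" and group.lower() == target.lower():
            # "Members" is authoritative: accounts not listed are removed.
            findings.append(("REPLACES", group, values))
        elif kind == "memberof" and target.lower() in (v.lower() for v in values):
            # "Member Of" only adds `group` to the target; existing members stay.
            findings.append(("ADDS", group, [target]))
    return findings

if __name__ == "__main__":
    for action, group, values in audit(SAMPLE_INF):
        print(f"{action:8} {group} -> {', '.join(values) or '(empty)'}")
```

A `REPLACES` finding on `*S-1-5-32-544` is the case the original question wanted to avoid; an `ADDS` finding is the "Member Of" configuration recommended in the thread.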
