How to add a domain group to the local Administrators group via GPO (AD 2003 Native)

Posted on 2007-10-01
Last Modified: 2012-08-14
I need to add a domain group to the Local Administrators group via Group Policy without restricting (deleting) existing accounts and groups which are already part of the Local Administrators group. Also, I need to reset a local admin password through GPO to a particular one as well.
Question by:ihsupport
    LVL 18

    Expert Comment

    by:Jeremy Weisinger
    Use the MemberOf instead of Member in Restricted Groups.

    I know of no way to change the password through Group Policy. You can rename the local Administrator account using Group Policy.

    For changing the password you can use cusrmgr.exe
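
The two Restricted Groups modes named in the comment above are stored differently in a GPO's GptTmpl.inf security template. The following Python sketch is an added example, not part of the thread: it parses the `[Group Membership]` section and reports whether a policy replaces the local Administrators membership (Members) or only adds a group to it (Member Of). The sample policies and the domain SID in them are constructed placeholders.

```python
"""Added example: audit Restricted Groups entries in a GptTmpl.inf."""

# Well-known SID / name of the local BUILTIN\Administrators group.
ADMINS = {"*S-1-5-32-544", "ADMINISTRATORS"}

# Constructed samples; the domain SID and RID are placeholders.
GROUP = "*S-1-5-21-1111111111-2222222222-3333333333-1105"
MEMBERS_GPO = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = {GROUP}
"""
MEMBEROF_GPO = f"""[Group Membership]
{GROUP}__Memberof = *S-1-5-32-544
{GROUP}__Members =
"""

def group_membership(inf_text):
    """Yield (subject, kind, values) for each [Group Membership] line."""
    in_section = False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            subject, _, kind = key.strip().rpartition("__")
            yield subject, kind.lower(), [v.strip() for v in value.split(",") if v.strip()]

def audit_local_admins(inf_text):
    """Return ("replace", members) or ("add", [group]) findings for local Administrators."""
    findings = []
    for subject, kind, values in group_membership(inf_text):
        if kind == "members" and subject.upper() in ADMINS:
            # Members on Administrators: accounts not listed are removed.
            findings.append(("replace", values))
        elif kind == "memberof" and any(v.upper() in ADMINS for v in values):
            # Member Of: the subject is added; existing members stay.
            findings.append(("add", [subject]))
    return findings

if __name__ == "__main__":
    for name, text in (("Members", MEMBERS_GPO), ("Member Of", MEMBEROF_GPO)):
        print(name, "->", audit_local_admins(text))
```

GptTmpl.inf sits under each GPO's `Machine\Microsoft\Windows NT\SecEdit` folder in SYSVOL and is commonly stored as UTF-16, so decode it before passing the text in.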
    LVL 1

    Accepted Solution

    You can assign a startup (not logon) script via GPO to reset the local admin password. It works, but it may have security implications since the password is stored in plain text. I leave the security part up to you to figure out. ; )

    @echo off
    net user Administrator <password>

    You could probably use the same "net" command to add users to the local admin group, if the "Restricted Groups" policy in Group Policy does not work out. Try "net localgroup /?" at a command prompt for more info.

    Author Comment

    I am trying to avoid enabling this through scripts. I still would like to do it through GPO. Thanks.
    LVL 8

    Expert Comment

    I'm pretty sure there is no way to change passwords directly using Group Policy.

    The NET USER ADMINISTRATOR command suggested by krawz187 is the best bet. You do not need to encode the password in the script however...

    Create a 'parameterised' startup script as follows:

    @echo off
    @NET USER Administrator %1

    When you assign the script, you can set the required password in the command line parameters box.
    LVL 9

    Expert Comment

    I have not heard of any standard GPO templates that would allow you to change a password. It might be possible to create your own (I did a small amount of research into this) but it is not a simple task and would have to be really critical for me to warrant the time investment.

    Using a script or making a small compiled program is going to be the simplest solution. If you don't have a programming tool like Visual Studio or C++ you can use a program like AutoIt. AutoIt is not quite as secure as a true compiled program but does afford some security.

    LVL 9

    Expert Comment

    BTW AutoIt is freeware. There is also a similar tool called RunAs Pro (not freeware) that has a better compiler and provides a more secure app.
