Local Admin Group Policy for certain users on all computers of domain

How do we set up about 3 users through group policy or AD to have local admin rights on all computers that are on the domain except for domain controllers? This is for a company that has 1 SBS 2003 server, 1 Terminal Server, and 1 File Server. We do not want them having those rights on the servers, just the local computers that are joined to the domain. All of the computers are Windows XP. We don't want the other users to have local admin rights, only a select few. We have tried several other posts yet nothing seems to get us where we need. The other posts tell us to create a new OU, add a group, then add that group to "administrators". The issue is that they then are administrators of the domain and the servers, not just the local PCs. Thanks in advance for any assistance!!
cnitAsked:
Toni UranjekConsultant/TrainerCommented:
Hi!

There is one step missing in your procedure. You should create a new GPO, link it to the OU which contains the computer accounts and then configure the Restricted Groups policy. I believe that you've already done this part but with the wrong GPO.

HTH

Toni
0

cnitAuthor Commented:
Ryansoto.... I have created the below script as a .vbs but I am getting errors on line 8 among others. What do I need to change to make this work on our domain using the following info:

Domain name = domain.local
Server name = dcserver01

THANKS!!
Option Explicit

Dim objGroup
Dim strComputer

' Note: this silently swallows any error (e.g. a failed bind or add).
On Error Resume Next

' Variables you will want to change
strComputer = "."   ' "." means the local computer

' Create objects: bind to the local Administrators group
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Modify group membership: add the domain group to local Administrators
objGroup.Add "WinNT://DOMAIN/GROUPNAME,group"
Set objGroup = Nothing


0
cnitAuthor Commented:
....one other thing.  Will this be the best solution seeing that we only want a few users to have Local Admin rights of all workstations?  All the rest of the users need to not have local admin rights, just a select few.  But not on Domain Controllers.  Nobody but administrator needs local admin rights on those.

Thanks!
0
cnitAuthor Commented:
Toniur.... Can you elaborate?  I'm not sure where we took the wrong step.  We incorrectly ended up making the user an administrator of the domain.
0
ryansotoCommented:
In caps, where it says DOMAIN and GROUPNAME (line 15), change DOMAIN to your domain name and change GROUPNAME to the Active Directory group you placed the users in (the users you want to have local admin access).

Here is another thread to get you going: http://forums.techarena.in/showthread.php?t=454014
Just down there is another script (I'm not sure if it's the same one as I posted earlier, but it will also work).

In the snippet I pasted, the only things you would change are 'mydomain' and 'mygroup'.
I placed XXXXXXX next to them to change. Again, 'mygroup' is the group you place your users in for the local admin (maybe something like "local admin group").

Once you change the script and put it in a GPO to run at startup, this will place that group in the local admin group permanently, so you don't need the script anymore once all machines have run the GPO.
Afterwards I would kill that GPO, and then you can have fun just updating the 'local admin group' you create.
Option Explicit
 
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup
 
' Specify the NetBIOS name of the domain.
strDomain = "MyDomainXXXXXXXX"
 
' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName
 
' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")
 
' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/MyGroupXXXXXXX,group")
 
' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
' Add the domain group to the local group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If
 
' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing


0

ryansotoCommented:
Also make sure the GPO you create only runs on the computers OU, NOT the domain controllers OU.
This assumes you have all the local client machines in an OU.
0
cnitAuthor Commented:
ryansoto.... The script works only if the user is "already" a local admin. Example: if Paul logs into the computer and he is not a local admin, the script won't add the correct group to local admins. If we log into that computer as the domain administrator, the script runs and the correct group is then added to the local administrators group.

To keep us from going to each computer and logging in as administrator first, how can we push this script out to the computers from the server which already is a local admin of all computers?  

Thanks!!  We're so close now!
0
ryansotoCommented:
How did you push the gpo out?

Logon and Logoff scripts run with the credentials of the user.

Startup and Shutdown scripts run with the credentials of the computer object.
0
ryansotoCommented:
Also, the first script should work fine. The reason you're running into trouble on line 8 is that you have to replace all the  with .
Must be an ASCII thing.
0
ryansotoCommented:
In the post 2 above about logon vs. startup scripts:

Push the policy out using a startup script, not a logon script, in your GPO.
0
ryansotoCommented:
Also, here is another way.

You can create a startup script with the following command and link it to (or create a) GPO:

 Net localgroup Administrators "DomainName\Domain Admins" /add

Since the startup script (not login script!!) runs under the context of the LocalSystem account, it has permissions to alter the local Administrators group.

Let me know if you still have problems

Ryan
0
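An added example, not code posted in this thread, that combines the two points above (a computer-startup script runs as LocalSystem, and the GPO must not reach the servers): it reads the machine's WMI DomainRole and only touches the local Administrators group on a domain-joined workstation, so a mislinked GPO still does nothing on the SBS box, the Terminal Server, the File Server or a DC. "DOMAIN" and "Workstation Admins" are placeholder names to replace with your own.

```vbscript
' Added example (not from this thread): computer-startup script that adds one
' AD group to the local Administrators group on domain-joined workstations only.
' DOMAIN and "Workstation Admins" are placeholders; substitute your own names.
Option Explicit

Const DOMAIN_NETBIOS = "DOMAIN"              ' placeholder NetBIOS domain name
Const ADMIN_GROUP    = "Workstation Admins"  ' placeholder AD global group

Dim objWMI, colItems, objItem, intRole
Dim objNetwork, strComputer, objLocalGroup, objDomainGroup

' Win32_ComputerSystem.DomainRole:
'   0 standalone workstation, 1 member workstation,
'   2 standalone server, 3 member server, 4 backup DC, 5 primary DC
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMI.ExecQuery("Select DomainRole From Win32_ComputerSystem")
For Each objItem In colItems
    intRole = objItem.DomainRole
Next

' Anything other than a domain-joined workstation is left untouched, so servers
' and domain controllers never receive the group even if the GPO is mislinked.
If intRole <> 1 Then
    WScript.Quit 0
End If

Set objNetwork = CreateObject("WScript.Network")
strComputer = objNetwork.ComputerName

' Bind to the local Administrators group (works because the startup script
' runs as LocalSystem, not as the logged-on user).
Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Bind to the domain group; bail out if the domain is unreachable or the
' group name is wrong rather than continuing with an invalid object.
On Error Resume Next
Set objDomainGroup = GetObject("WinNT://" & DOMAIN_NETBIOS & "/" & ADMIN_GROUP & ",group")
If Err.Number <> 0 Then WScript.Quit 1
On Error GoTo 0

' Idempotent: safe to leave in the startup GPO, only adds when missing.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
    objLocalGroup.Add objDomainGroup.AdsPath
End If

Set objDomainGroup = Nothing
Set objLocalGroup = Nothing
Set objNetwork = Nothing
```

Link it under Computer Configuration > Windows Settings > Scripts (Startup) in a GPO on the workstations OU; the DomainRole check is a second safety net, not a substitute for linking the GPO to the right OU.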
cnitAuthor Commented:
Ryansoto,  Thank you very much for your help.  We ended up using a program called exe to service to install the local admin script that you helped us with.  That program allowed us to view the computers on the network and push the service to all computers, it would then run on the computer and after that would disable itself.

We couldn't have done it without your help!  Thanks!

0
ryansotoCommented:
No problem glad it worked out
0