<div>
I would suggest using group policy to &nbsp;add users to the local &quot;Power users&quot; group instead of having any local admins.<br />
<br />
<br />
<br />
<a href="http://www.windowsecurity.com/articles/Increasing-Security-Limited-User-Accounts-Restricted-Groups.html" rel="ugc">http://www.windowsecurity.com/articles/Increasing-Security-Limited-User-Accounts-Restricted-Groups.html</a><br />

</div>


<div>
I have the GPO ready to go with the startup I'm just hesitating to deploy it because I really don't want to move all those machines into all those different OU's. I may just create an OU called PC's and move them all into that and apply my policy there.
</div>


<div>
That would work just fine.<br />

</div>


<div>
HI there<br />
did you see my last post explaining that you can just create a group.<br />
Link the group to the GPO (i can show you how if you're not sure - its very easy)<br />
put the machines you want to effect into the group, you can even just put 1 machine in to test first, then add more after.<br />
<br />
The group can be anywhre you like so its not OU dependant.<br />
<br />
Krystian
</div>


<div>
What Krys is describing is known as security filtering and like he said we can help with that.<br />
or<br />
If you feel more comfortable with your method that works fine too for testing.<br />
Either way great job on testing first, you always want to do that with group policies.<br />
&nbsp;<br />
Thanks<br />
Mike<br />
&nbsp;<br />

</div>


<div>
<div class="content wysiwyg-content">
Does anyone know of a way to add a specific group to the local admin account of multiple user machines which do not grant the end user local admin rights. &nbsp;99% of our users have had their local admin rights taken away. We did this for varioius reasons. One of which was users kept removing the desktop admin accounts from the local admin group on their PC. I fixed that with a simple logon script using (net localgroup administrators &quot;mydomain\desktop admins&quot; /add) to a GPO logon script I have. The problem I have now is that this doesn't work anymore since we've taken away the local admin rights of the users.<br />
<br />
My question is this. I know I can add the same logon script as a GPO under the computer configuration so it will run at startup and bypass the required local admin credential issue. Is there any other way to do this ? I'm asking because I don't want to move all my computer accounts to the various OU's I have setup in AD to make this work. &nbsp;Oh, and adding the group to each machine one at a time using the computer manager isn't a road I want to follow either.<br />
<br />
Thanks
</div>
</div>


Does anyone know of a way to add a specific group to the local admin account of multiple user machines which do not grant the end user local admin rights.  99% of our users have had their local admin rights taken away. We did this for varioius reasons. One of which was users kept removing the desktop admin accounts from the local admin group on their PC. I fixed that with a simple logon script using (net localgroup administrators "mydomain\desktop admins" /add) to a GPO logon script I have. The problem I have now is that this doesn't work anymore since we've taken away the local admin rights of the users.

My question is this. I know I can add the same logon script as a GPO under the computer configuration so it will run at startup and bypass the required local admin credential issue. Is there any other way to do this ? I'm asking because I don't want to move all my computer accounts to the various OU's I have setup in AD to make this work.  Oh, and adding the group to each machine one at a time using the computer manager isn't a road I want to follow either.

Thanks

Local Admin rights with logon script

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.

Windows XP

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.