remotely changing local computer groups through script

Posted on 2009-02-09
Last Modified: 2012-05-06
We are in a Windows Server 2003 Active Directory environment.

We currently have a group in Active Directory called LocalPCAdmins and a group called LocalPCPowerUsers. If we need a user to have administrative rights to their local PC, we put them in the group called LocalPCAdmins. The same goes if we just want a user to have Power User rights to their local computer.
We do this to allow some users the ability to add programs to their computer.
Of course, in order for this to work the local computer must be set up the following way:
In Computer Management --> Local Users and Groups --> Groups --> Administrators --> ADD DomainName\LocalPCAdmins, and Power Users --> ADD LocalPCPowerUsers.

Now my problem: we just rolled out new workstations and the local machine was set up incorrectly. A number of machines have both LocalPCAdmins and LocalPCPowerUsers set under Administrators, which gives a user set up in Active Directory as a LocalPCPowerUser full access to the local machine. And on some machines LocalPCPowerUser was just not added.

I know I can connect to each machine and correct the groups. That will take me days.
I can also reimage each of the machines. Again, taking days and off-hour work.

I would like to know if there is a way through a script, or registry tweak, or something, to be able to remotely change these groups. Maybe even something that can run in a login script.

Let me know if this makes sense or if I need to clarify.

Hopefully someone can help.

Yes I already know, I should have verified the image before rolling it out.

All local computers are Windows XP SP2 or SP3 and they all have a local administrator account with the same password.

Question by:Ekuskowski
    LVL 70

    Accepted Solution



    One possible option is to use the Restricted Groups functionality in Group Policy, either to set explicit membership or to add additional members.

    Alternatively, very small computer startup scripts work well. e.g.:

    REM Computer startup script: add the domain groups to the matching local groups
    net localgroup Administrators /Add yourdomain\LocalPCAdmins
    net localgroup "Power Users" /Add yourdomain\LocalPCPowerUsers

    Note that this would have to be a startup script; the user won't be able to elevate privileges to run this as a logon script (unless they are already administrators).


    LVL 57

    Expert Comment

    by:Mike Kline
    Yes, you can use Restricted Groups via a Group Policy to define the groups in your local admin group on PCs.
    Florian has a great blog on the subject here:;en-us;930045
    This is how we populate our admin group on the PCs.
    Many articles say that Restricted Groups wipes out all previous groups. It can do that, but it can also append.
    LVL 57

    Expert Comment

    by:Mike Kline
    haha wrong link on my post...sorry about that
    LVL 7

    Expert Comment

    Note that you can run those net commands with psexec from the Sysinternals suite as well, so you don't have to worry about credential issues. psexec will also run them on a list of computers.
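    The thread's startup script above only adds the intended memberships; it does not undo the mistake the question describes (LocalPCPowerUsers sitting in the local Administrators group). The following batch script is an added example, not code from the original answers: it removes the wrong membership, adds the correct ones, and writes a small verification log. It assumes the domain name "yourdomain" and the group names LocalPCAdmins and LocalPCPowerUsers from the question; the log path is an arbitrary choice.

```batch
@echo off
REM fixgroups.cmd  (added example, not from the original thread)
REM Normalises local group membership on an XP workstation. Every command is
REM idempotent, so the script can run as a GPO computer startup script at each
REM boot (it runs as LocalSystem there, so no user elevation is needed).
REM Assumptions: domain "yourdomain", groups LocalPCAdmins / LocalPCPowerUsers.

set DOM=yourdomain
set LOG=%SystemRoot%\fixgroups.log

REM 1. Remove the incorrect membership first: the Power Users domain group
REM    must not be a member of the local Administrators group (least privilege).
net localgroup Administrators %DOM%\LocalPCPowerUsers /delete >nul 2>&1

REM 2. Ensure the intended memberships. "net localgroup ... /add" fails with
REM    "already a member" on machines that are already correct; that is harmless.
net localgroup Administrators %DOM%\LocalPCAdmins /add >nul 2>&1
net localgroup "Power Users" %DOM%\LocalPCPowerUsers /add >nul 2>&1

REM 3. Verify the result and record it, so the fix can be audited centrally
REM    (copy the log from each machine, or point LOG at a writable share).
echo %DATE% %TIME% %COMPUTERNAME% > "%LOG%"
net localgroup Administrators | findstr /I /C:"LocalPCPowerUsers" >nul && echo FAIL: LocalPCPowerUsers still in Administrators >> "%LOG%"
net localgroup Administrators | findstr /I /C:"LocalPCAdmins" >nul || echo FAIL: LocalPCAdmins missing from Administrators >> "%LOG%"
net localgroup "Power Users" | findstr /I /C:"LocalPCPowerUsers" >nul || echo FAIL: LocalPCPowerUsers missing from Power Users >> "%LOG%"
echo check complete >> "%LOG%"
```

    To fix the machines at the next reboot, assign the script under Computer Configuration --> Windows Settings --> Scripts (Startup/Shutdown) --> Startup in a GPO linked to the workstation OU. To fix them immediately, as the psexec comment suggests, put the computer names one per line in a text file and run it from an admin workstation with a domain account that is a local administrator on the targets, e.g. `psexec @computers.txt -u yourdomain\adminaccount -c fixgroups.cmd` (the `-c` switch copies the script to each remote machine before running it).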
    LVL 70

    Expert Comment

    by:Chris Dent

    On restricted groups...

    Using "Member" wipes current membership. Using "Member Of" will allow you to append to existing membership.

    Using Member:

    1. Create a new restricted group
    2. Enter the name of the local group, e.g. Administrators
    3. Add the members to the group by searching on the domain

    Every system affected by the policy will have the membership set to that value.

    Using Member Of:

    1. Create a new restricted group
    2. Enter the name of the Domain Group you want to add to each local group
    3. Search for the name of the Local Group you want to use. In the case of Administrators it will find the domain Administrators group, this is expected.

    Not so sure about Power Users there. I suspect you can simply make a domain local group called Power Users, as a place-holder only.

    As long as the policy only applies to client computers, not Domain Controllers, the change will only affect the client PCs.
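    The two Restricted Groups styles described above can be seen side by side in the security template the GPO stores on SYSVOL (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf). The fragment below is an added illustration, not taken from the thread or from any Microsoft documentation on the page; the well-known SIDs S-1-5-32-544 (local Administrators) and S-1-5-32-547 (local Power Users) are real, while the domain group SIDs are placeholders and the exact resolution of a domain-group entry to a local group is assumed to behave as Chris Dent describes.

```ini
; GptTmpl.inf fragment (added example, assumed layout; SIDs marked <...> are placeholders)
[Group Membership]

; "Members" style: the local Administrators group is REPLACED with exactly this list.
; Anything else in the local group (including LocalPCPowerUsers added by mistake)
; is removed at the next policy refresh. Domain Admins is listed so it stays present.
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain>-512,*S-1-5-21-<domain>-<RID of LocalPCAdmins>

; "Member Of" style: the domain group is APPENDED to the local group; existing local
; members are left alone. This form does not remove an incorrect membership, so it
; only solves the "LocalPCPowerUsers was not added" half of the question.
*S-1-5-21-<domain>-<RID of LocalPCPowerUsers>__Memberof = *S-1-5-32-547
*S-1-5-21-<domain>-<RID of LocalPCPowerUsers>__Members =
```

    The practical consequence for the question: the "Member Of" form is the safe way to append, but only the "Members" form (or a startup script that explicitly deletes the entry) will take LocalPCPowerUsers back out of the local Administrators group on the machines that were imaged incorrectly. Whichever form is used, check the resulting template against the GPO's Security Settings view before linking it, because a typo in a Members list is applied to every machine in scope.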

    LVL 13

    Expert Comment

    Regarding what Chris Dent is explaining above, here is a KB article that I keep handy for my admins to hopefully avoid confusion about when to use Members and when to use MemberOf.


    Author Closing Comment

    Startup script worked great; simple and does the job.
