remotely changing local computer groups through script

Medium Priority
Last Modified: 2012-05-06
We are in a Windows Server 2003 Active Directory environment.

We currently have a group in Active Directory called LocalPCAdmins and a group called LocalPCPowerUsers. If we need a user to have administrative rights to their local PC we put them in the group called LocalPCAdmins. The same goes if we just want a user to have Power User rights to their local computer.
We do this to allow some users the ability to add programs to their computer.
Of course, in order for this to work the local computer must be set up the following way.
In Computer Management --> Local Users and Groups --> Groups --> Administrators --> ADD DomainName\LocalPCAdmins, and Power Users --> ADD DomainName\LocalPCPowerUsers.

Now my problem: we just rolled out new workstations and the local machine was set up incorrectly. A number of machines have both LocalPCAdmins and LocalPCPowerUsers set under Administrators, which gives a user set up in Active Directory as a LocalPCPowerUser full access to the local machine. And on some machines LocalPCPowerUsers was just not added.

I know I can connect to each machine and correct the groups. That will take me days.
I can also reimage each of the machines. Again, taking days and off-hour work.

I would like to know if there is a way through a script, or registry tweak, or something, to be able to remotely change these groups. Maybe even something that can run in a login script.

Let me know if this makes sense or if I need to clarify.

Hopefully someone can help.

Yes I already know, I should have verified the image before rolling it out.

All local computers are Windows XP SP2 or SP3 and they all have a local Administrator account with the same password.


PowerShell Developer
Top Expert 2010


One possible option is to use the Restricted Groups functionality in group policy. Either to set explicit membership or add additional members.

Alternatively, very small computer startup scripts work well. e.g.:

rem Group names corrected to match the question (LocalPCAdmins / LocalPCPowerUsers)
net localgroup Administrators yourdomain\LocalPCAdmins /add
net localgroup "Power Users" yourdomain\LocalPCPowerUsers /add

Note that this would have to be a startup script; the user won't be able to elevate privileges to run this as a logon script (unless they are already administrators).



Top Expert 2013

Yes, you can use Restricted Groups via a group policy to define the groups in your local Administrators group on PCs.
Florian has a great blog on the subject here:
This is how we populate our Administrators group on the PCs.
Many articles say that Restricted Groups wipes out all previous groups. It can do that, but it can also append.
Top Expert 2013

Haha, wrong link on my post... sorry about that.
Note that you can run those net commands with psexec from the Sysinternals suite as well; then you don't have to worry about credential issues. psexec will also run them on a list of computers.
Chris Dent
PowerShell Developer
Top Expert 2010


On Restricted Groups...

Using "Members of this group" wipes the current membership. Using "This group is a member of" will allow you to append to the existing membership.

Using Members:

1. Create a new restricted group
2. Enter the name of the local group, e.g. Administrators
3. Add the members to the group by searching on the domain

Every system affected by the policy will have its membership set to exactly that value.

Using Member Of:

1. Create a new restricted group
2. Enter the name of the domain group you want to add to each local group
3. Search for the name of the local group you want to use. In the case of Administrators it will find the domain Administrators group; this is expected.

Not so sure about Power Users there. I suspect you can simply make a domain local group called Power Users, as a placeholder only.

As long as the policy only applies to client computers, not Domain Controllers, the change will only affect the client PCs.
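The two things the thread leaves to the reader are (a) a startup script that also removes the misplaced group, not just adds the right ones, and (b) a way to audit the fleet before changing anything. The script below is an added example written for this edit; it is not code from any of the posters. It runs from an administrator's workstation with PowerShell 2.0 or later and reaches each XP machine through the WinNT ADSI provider, which uses the same remote-administration channel that Computer Management does. The domain name CONTOSO is an assumed placeholder, as is the requirement that the account running it is a local administrator on every target. Without -Fix it only reports what it would change. Its two modes mirror the Restricted Groups semantics discussed above: Append behaves like "Member Of" (add what is missing, leave unrelated members alone, but also pull a scheme group out of the wrong local group, which is exactly the defect in the question), while Replace behaves like "Member" (membership becomes exactly the desired list, with the local Administrator and Domain Admins kept so you cannot lock yourself out).

```powershell
<#
  Added example, not from the original thread.
  Audits (and with -Fix, corrects) the local Administrators and Power Users
  membership on a list of machines via the WinNT ADSI provider.
  Assumptions: domain NetBIOS name CONTOSO (placeholder), PowerShell 2.0+ on the
  admin workstation, and local administrator rights on every target.
#>
param(
    [string[]]$ComputerName = @('.'),                  # '.' = this machine
    [string]$Domain = 'CONTOSO',                       # assumed placeholder
    [ValidateSet('Append', 'Replace')]
    [string]$Mode = 'Append',                          # Append ~ "Member Of", Replace ~ "Member"
    [switch]$Fix                                       # omit to get a dry run
)

# Desired state from the question: one domain group per local group.
$Desired = @{
    'Administrators' = @('LocalPCAdmins')
    'Power Users'    = @('LocalPCPowerUsers')
}
# Never removed in Replace mode, so a mistake cannot lock administrators out.
$Protected = @('Administrator', 'Domain Admins')

function Get-LocalGroupMember {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    # Members come back as COM objects; ADsPath looks like WinNT://CONTOSO/LocalPCAdmins
    foreach ($m in $g.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', ''                 # -> CONTOSO/LocalPCAdmins
    }
}

function Sync-LocalGroup {
    param([string]$Computer, [string]$Group, [string[]]$Want)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    $members = @(Get-LocalGroupMember -Computer $Computer -Group $Group)
    $changes = @()
    # Scheme groups that belong to some other local group (e.g. LocalPCPowerUsers in Administrators)
    $misplaced = @($Desired.Values | ForEach-Object { $_ } | Where-Object { $Want -notcontains $_ })

    foreach ($name in $Want) {
        if ($members -notcontains "$Domain/$name") {
            $changes += "ADD    $Group <- $Domain\$name"
            if ($Fix) { $g.Add("WinNT://$Domain/$name,group") }
        }
    }
    foreach ($m in $members) {
        $parts = $m.Split('/')
        $leaf  = $parts[-1]
        $isMisplacedSchemeGroup = ($parts.Count -eq 2 -and $parts[0] -eq $Domain -and $misplaced -contains $leaf)
        $remove = switch ($Mode) {
            'Append'  { $isMisplacedSchemeGroup }
            'Replace' { ($Want -notcontains $leaf) -and ($Protected -notcontains $leaf) }
        }
        if ($remove) {
            $changes += "REMOVE $Group -> $m"
            if ($Fix) { $g.Remove("WinNT://$m") }
        }
    }
    $changes
}

$tag = if ($Fix) { 'APPLIED' } else { 'DRY RUN' }
foreach ($c in $ComputerName) {
    foreach ($group in $Desired.Keys) {
        try {
            $result = @(Sync-LocalGroup -Computer $c -Group $group -Want $Desired[$group])
            if ($result.Count -eq 0) { "{0}: {1} already correct" -f $c, $group }
            else { $result | ForEach-Object { "{0}: [{1}] {2}" -f $c, $tag, $_ } }
        } catch {
            "{0}: {1} - ERROR {2}" -f $c, $group, $_.Exception.Message
        }
    }
}
```

Run it first without -Fix against a handful of the new workstations (for example, .\Sync-LocalGroups.ps1 -ComputerName (Get-Content .\pcs.txt) -Domain YOURDOMAIN) and read the ADD/REMOVE lines; that output is the audit the thread never shows. Append mode is the safe default because, like the "Member Of" policy, it does not touch local accounts or other groups someone may have added by hand; use Replace only when you want the Restricted Groups "Member" behaviour of an exact membership list.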


Regarding what Chris-Dent is explaining above, here is a KB article that I keep handy for my admins to hopefully avoid confusion about when to use Members and when to use MemberOf.



Startup script worked great, simple and does the job