Remotely changing local computer groups through script
Posted on 2009-02-09
We are in a Windows Server 2003 Active Directory environment.
We currently have a group in Active Directory called LocalPCAdmins and a group called LocalPCPowerUsers. If we need a user to have administrative rights to their local PC, we put them in the group called LocalPCAdmins. The same goes if we just want a user to have power user rights to their local computer.
We do this to allow some users the ability to add programs to their computer.
Of course, in order for this to work, the local computer must be set up the following way.
In computer Management --> Local Users and groups --> Groups --> Administrators --> ADD DomainName\LocalPCAdmins and Power Users --> ADD LocalPCPowerUsers.
Now my problem: we just rolled out new workstations and the local machine was set up incorrectly. A number of machines have both LocalPCAdmins and LocalPCPowerUsers set under Administrators, which gives a user set up in Active Directory as a LocalPCPowerUser full access to the local machine. And on some machines LocalPCPowerUser was just not added.
I know I can connect to each machine and correct the groups. That will take me days.
I can also reimage each of the machines, again taking days and off-hour work.
I would like to know if there is a way through a script, or registry tweak, or something, to be able to remotely change these groups. Maybe even something that can run in a login script.
Let me know if this makes sense or if I need to clarify.
Hopefully someone can help.
Yes I already know, I should have verified the image before rolling it out.
All local computers are Windows XP SP2 or SP3 and they all have a local administrator account with the same password.
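
One way to audit and correct the group nesting described in the question, as an added example that is not part of the original post. It uses the ADSI `WinNT://` provider from an admin workstation and assumes the account running it has administrative rights on the targets and that they are reachable over RPC; `workstations.txt`, `$ReportOnly` and the helper function name are hypothetical, and `DomainName` is the placeholder used in the post.

```powershell
# Added example: audit/fix local group nesting on remote workstations.
$Domain     = 'DomainName'                      # placeholder from the post
$Computers  = Get-Content .\workstations.txt    # hypothetical list, one name per line
$ReportOnly = $true                             # set to $false to apply changes
$PuPath     = "WinNT://$Domain/LocalPCPowerUsers"

# Return the ADsPath of every member of a local group on a remote computer.
function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

foreach ($pc in $Computers) {
    try {
        $adminMembers = Get-LocalGroupMemberPath $pc 'Administrators'
        $powerMembers = Get-LocalGroupMemberPath $pc 'Power Users'

        # Over-privileged case: LocalPCPowerUsers nested in Administrators.
        if ($adminMembers -like '*/LocalPCPowerUsers') {
            Write-Output "${pc}: LocalPCPowerUsers found in Administrators"
            if (-not $ReportOnly) {
                $admins = [ADSI]"WinNT://$pc/Administrators,group"
                $admins.psbase.Invoke('Remove', $PuPath)
            }
        }

        # Missing case: LocalPCPowerUsers not nested in Power Users.
        if (-not ($powerMembers -like '*/LocalPCPowerUsers')) {
            Write-Output "${pc}: LocalPCPowerUsers missing from Power Users"
            if (-not $ReportOnly) {
                $power = [ADSI]"WinNT://$pc/Power Users,group"
                $power.psbase.Invoke('Add', $PuPath)
            }
        }
    }
    catch {
        # Unreachable or access-denied machines are reported, not skipped silently.
        Write-Warning "${pc}: $($_.Exception.Message)"
    }
}
```

Running it first with `$ReportOnly = $true` gives a list of affected machines to review before any membership is changed.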