• Status: Solved
  • Priority: Medium
  • Security: Public

remotely changing local computer groups through script

We are in a Windows Server 2003 Active Directory environment.

We currently have a group in Active Directory called LocalPCAdmins and a group called LocalPCPowerUsers. If we need a user to have administrative rights to their local PC, we put them in the group called LocalPCAdmins. The same goes if we just want a user to have Power User rights to their local computer.
We do this to allow some users the ability to add programs to their computer.
Of course, in order for this to work the local computer must be set up the following way:
In Computer Management --> Local Users and Groups --> Groups --> Administrators --> Add DomainName\LocalPCAdmins, and Power Users --> Add DomainName\LocalPCPowerUsers.

Now my problem: we just rolled out new workstations and the local machine was set up incorrectly. A number of machines have both LocalPCAdmins and LocalPCPowerUsers set under Administrators, which gives a user set up in Active Directory as a LocalPCPowerUser full access to the local machine. And on some machines LocalPCPowerUsers was just not added.

I know I can connect to each machine and correct the groups. That will take me days.
I can also reimage each of the machines. Again, taking days and off-hours work.

I would like to know if there is a way through a script, or registry tweak, or something, to be able to remotely change these groups. Maybe even something that can run in a login script.

Let me know if this makes sense or if I need to clarify.

Hopefully someone can help.

Yes I already know, I should have verified the image before rolling it out.

All local computers are Windows XP SP2 or SP3, and they all have a local Administrator account with the same password.

1 Solution
Chris Dent (PowerShell Developer) commented:


One possible option is to use the Restricted Groups functionality in group policy. Either to set explicit membership or add additional members.

Alternatively, very small computer startup scripts work well. e.g.:

net localgroup Administrators yourdomain\LocalPCAdmins /add
net localgroup "Power Users" yourdomain\LocalPCPowerUsers /add

Note that this would have to be a startup script; the user won't be able to elevate privileges to run this as a logon script (unless they are already administrators).

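The answer above adds the two groups but does not deal with the first half of the question, the machines where LocalPCPowerUsers was wrongly put into Administrators. The following computer startup script is an added example (not the poster's script and not from the accepted answer): it removes LocalPCPowerUsers from Administrators where present, adds LocalPCAdmins to Administrators and LocalPCPowerUsers to Power Users where missing, and logs what it changed. The domain NetBIOS name YOURDOMAIN and the log path are placeholder assumptions; the group names are the ones from the question.

```batch
@echo off
REM FixLocalGroups.cmd -- added example, not the original poster's script.
REM Deploy as a GPO *computer* startup script: it runs as LocalSystem, which
REM may edit local groups; a user logon script cannot (see the answer above).
REM Assumptions: the domain's NetBIOS name is YOURDOMAIN (placeholder) and the
REM group names are the ones from the question.
setlocal
set DOM=YOURDOMAIN
set LOG=%SystemRoot%\Temp\FixLocalGroups.log

echo %DATE% %TIME% %COMPUTERNAME% start >> "%LOG%"

REM 1. LocalPCPowerUsers must NOT be in Administrators; remove it if present.
REM    find returns 0 when the string is found, 1 when it is not.
net localgroup Administrators | find /i "%DOM%\LocalPCPowerUsers" >nul
if not errorlevel 1 (
    net localgroup Administrators %DOM%\LocalPCPowerUsers /delete >> "%LOG%" 2>&1
    echo   removed %DOM%\LocalPCPowerUsers from Administrators >> "%LOG%"
)

REM 2. LocalPCAdmins must be in Administrators; add it if missing.
net localgroup Administrators | find /i "%DOM%\LocalPCAdmins" >nul
if errorlevel 1 (
    net localgroup Administrators %DOM%\LocalPCAdmins /add >> "%LOG%" 2>&1
    echo   added %DOM%\LocalPCAdmins to Administrators >> "%LOG%"
)

REM 3. LocalPCPowerUsers must be in Power Users; add it if missing.
net localgroup "Power Users" | find /i "%DOM%\LocalPCPowerUsers" >nul
if errorlevel 1 (
    net localgroup "Power Users" %DOM%\LocalPCPowerUsers /add >> "%LOG%" 2>&1
    echo   added %DOM%\LocalPCPowerUsers to Power Users >> "%LOG%"
)

REM Record the final membership so the fleet can be audited from the logs.
net localgroup Administrators >> "%LOG%"
net localgroup "Power Users" >> "%LOG%"
endlocal
```

Two practical caveats. The script resolves domain group names, so it needs a domain controller reachable at startup; on Windows XP, Fast Logon Optimization can run startup scripts before the network is up, so enable the policy "Always wait for the network at computer startup and logon" (Computer Configuration > Administrative Templates > System > Logon) in the same GPO. And because the script is idempotent (it only changes what is wrong and logs what it did), leaving it in place as a permanent startup script keeps the local groups correct if someone later hand-edits them on a PC.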

Mike Kline commented:
Yes, you can use Restricted Groups via a Group Policy to define the groups in your local Administrators group on PCs.
Florian has a great blog on the subject here:
This is how we populate our admin group on the PCs.
Many articles say that restricted groups wipes out all previous groups.  It can do that but it can also append.
Mike Kline commented:
haha wrong link on my post...sorry about that
Note that you can run those net commands with psexec from the sysinternals suite as well, then you don't have to worry about credential issues.  psexec will also run them on a list of computers.
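For the case the comment above describes, pushing the correction to a list of PCs right now instead of waiting for each to reboot, here is an added example (not from the original thread) of driving PsExec from a batch loop. It assumes PsExec.exe from the Sysinternals suite is on the PATH, a constructed computers.txt with one hostname per line, and a script named FixLocalGroups.cmd (a hypothetical name; any script containing the net localgroup corrections will do) in the current directory. It is run from an account that is already a local administrator on every target, so no password goes on the command line.

```batch
@echo off
REM PushFixLocalGroups.cmd -- added example, not from the original thread.
REM Copies FixLocalGroups.cmd (hypothetical name) to each PC in computers.txt,
REM runs it as SYSTEM, then reads back the Administrators group for auditing.
REM Assumptions: PsExec.exe on PATH; the caller is a local administrator on each
REM target (e.g. a domain account that is a member of LocalPCAdmins), so no
REM "-u Administrator -p ..." is needed and no password ends up in the process
REM list or the command history.
setlocal
set LIST=computers.txt
set FAILED=push-failures.txt
if exist "%FAILED%" del "%FAILED%"

REM computers.txt is a constructed list, one hostname per line, "#" comments allowed.
for /f "usebackq eol=# tokens=1" %%C in ("%LIST%") do (
    echo === %%C ===
    REM -c copies the script to the remote ADMIN$ share, -f overwrites a stale copy,
    REM -s runs it as LocalSystem. PsExec's exit code is the script's exit code,
    REM or nonzero if the connection itself failed.
    psexec \\%%C -s -c -f FixLocalGroups.cmd
    if errorlevel 1 (
        echo %%C >> "%FAILED%"
        echo FAILED: %%C
    ) else (
        REM Verify: the output should show LocalPCAdmins and NOT LocalPCPowerUsers.
        psexec \\%%C net localgroup Administrators
    )
)
if exist "%FAILED%" echo Some hosts failed; see %FAILED%.
endlocal
```

PsExec needs the ADMIN$ share reachable, which on XP SP2/SP3 means the Windows Firewall must allow File and Printer Sharing; machines that are powered off or blocked will land in push-failures.txt, and a startup script catches those later. If you do fall back to the shared local Administrator password mentioned in the question, avoid passing it with -p on the command line; anything run this way can be read from the process list while it runs.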
Chris Dent (PowerShell Developer) commented:

On restricted groups...

Using "Member" wipes current membership. Using "Member Of" will allow you to append to existing membership.

Using Member:

1. Create a new restricted group
2. Enter the name of the local group, e.g. Administrators
3. Add the members to the group by searching on the domain

Every system affected by the policy will have the membership set to that value.

Using Member Of:

1. Create a new restricted group
2. Enter the name of the Domain Group you want to add to each local group
3. Search for the name of the Local Group you want to use. In the case of Administrators it will find the domain Administrators group, this is expected.

Not so sure about Power Users there. I suspect you can simply make a domain local group called Power Users, as a place-holder only.

As long as the policy only applies to client computers, not Domain Controllers, the change will only affect the client PCs.

Regarding what Chris-Dent is explaining above, here is a KB article that I keep handy for my admins to hopefully avoid confusion about when to use Members and when to use MemberOf.


Ekuskowski (Author) commented:
Startup script worked great, simple and does the job