Adding domain group to local machine Administrators group. Not domain group Administrators. Through domain Group policy.

leaveweb
I am working on the Group Policy for my domain and I cannot seem to find the right place to add the domain level group to the local Administrators group on the clients through Group Policy without it affecting the domain level group Administrators. Every time I try it through Group Policy it seems to also add the group to the domain level Administrators, which I do not want. Any ideas?

The DC running Group Policy is a Windows Server 2008 box. Most of the clients are either XP or Win 7.
Commented:


1>>> Use the script below:

This VB Script adds a domain user account to the local machine's administrators group. There are two variables that need to be changed in the script to match the organization. The first is the DomainName variable, and the second is the UserAccount variable. Save as a .VBS script and run with CScript.

Scroll down to view the script.



--------------------------------------------------------------------------------

Script to add domain user account to local Administrators group

--------------------------------------------------------------------------------

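Dim DomainName
Dim UserAccount

' Name of the computer the script is running on
Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName

' Change these two values to match the organization
DomainName = "DomainName"
UserAccount = "userAccount"

' Bind to the local Administrators group of this machine
Set group = GetObject("WinNT://" & local & "/Administrators")

On Error Resume Next
group.Add "WinNT://" & DomainName & "/" & UserAccount
CheckError

' Report the result with the built-in Err object. The "ole.err" COM object
' is not a standard Windows component; when it is missing, the failure is
' swallowed by On Error Resume Next and no message is shown at all.
Sub CheckError
      If Err.Number <> 0 Then
            MsgBox "Error 0x" & Hex(Err.Number) & ": " & Err.Description, vbCritical
            Err.Clear
      Else
            MsgBox "Done."
      End If
End Sub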

OR follow the steps mentioned below:
http://www.experts-exchange.com/Operating_Systems/Q_21069603.html

Author

Commented:
I have adjusted the script with the domain name and user account names and it still does not update the admin group. Here is an example of what I changed. Or did I need to change more in the script to make it work? I do not get an error; I simply get no results.

Dim DomainName
Dim UserAccount
Set net = WScript.CreateObject("WScript.Network")
local = net.ComputerName
DomainName = "mydomain"
UserAccount = "machineuser"

set group = GetObject("WinNT://"& local &"/Administrators")

on error resume next
group.Add "WinNT://"& DomainName &"/"& UserAccount &""
CheckError

sub CheckError
      if not err.number=0 then
      set ole = CreateObject("ole.err")
      MsgBox ole.oleError(err.Number), vbCritical
      err.clear
else
      MsgBox "Done."
end if
end sub

Commented:


Check out the different scripts

http://www.vistax64.com/vb-script/174376-add-domain-group-local-group-question.html
http://www.computerperformance.co.uk/ezine/ezine112.htm

Or else:

You can use a simple logon or machine startup script similar to the following command to add a global group to a local Administrator group:

net Localgroup Administrators "Domain\Deferred Processor" /add

Note that you must place quotes around names that have spaces in them.
Systems engineer
Top Expert 2008
Commented:
Use Restricted Groups in GPO
As I understand your problem, you've linked the GPO to domain level causing it to also affect the domain controllers instead of linking it to a specific OU containing the computer objects that shall be affected.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
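
A startup-script variant of the approach discussed in this thread, as an added example that is not code from any of the posters: it adds a domain group (not a user) to the local Administrators group, skips domain controllers (where the "local" Administrators group is the domain's built-in Administrators group), and writes to the Application event log instead of showing message boxes. The domain name MYDOMAIN and the group name "Workstation Admins" are hypothetical placeholders, and the English group name "Administrators" is assumed.

```vbscript
' Added example: silent machine startup script, assumed to run as SYSTEM.
Option Explicit

Const DOMAIN_NAME  = "MYDOMAIN"            ' assumption: NetBIOS domain name
Const DOMAIN_GROUP = "Workstation Admins"  ' assumption: hypothetical domain group

Dim shell, net, wmi, cs, isDC, localGroup, domGroup
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
' Never touch Administrators on a DC, even if the GPO is linked too broadly.
isDC = False
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each cs In wmi.ExecQuery("SELECT DomainRole FROM Win32_ComputerSystem")
    If cs.DomainRole >= 4 Then isDC = True
Next
If isDC Then
    shell.LogEvent 2, "Local admin script skipped: " & net.ComputerName & _
                      " is a domain controller."
    WScript.Quit 0
End If

On Error Resume Next

' Bind both groups; a typo in either name fails here instead of silently.
Set localGroup = GetObject("WinNT://" & net.ComputerName & "/Administrators,group")
Set domGroup   = GetObject("WinNT://" & DOMAIN_NAME & "/" & DOMAIN_GROUP & ",group")
If Err.Number <> 0 Then Fail "bind", Err.Number, Err.Description

' Add only when missing, so repeated startups do not raise "already a member".
If Not localGroup.IsMember(domGroup.ADsPath) Then
    localGroup.Add domGroup.ADsPath
    If Err.Number <> 0 Then Fail "add", Err.Number, Err.Description
    shell.LogEvent 4, "Added " & DOMAIN_NAME & "\" & DOMAIN_GROUP & _
                      " to local Administrators on " & net.ComputerName & "."
End If

' Log the failing stage and error code (event type 1 = error), then exit non-zero.
Sub Fail(stage, number, description)
    shell.LogEvent 1, "Local admin script failed at '" & stage & "': 0x" & _
                      Hex(number) & " " & description
    WScript.Quit 1
End Sub
```

The resulting events appear in the Application log under the source "WSH", which gives a per-machine record of when the group was granted local administrator rights.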
