Add AD Group to Local Admin of all servers

I have a group in Active Directory named ITGroup. I have 20+ servers that I want to make the ITGroup a Local Admin on. Is there any script that will allow me to do this automatically, avoiding the need to log into each server individually and add the group?
LouSch7Asked:

angel_fire2701Commented:
You can do that with Group Policy.
0
marcokrecicCommented:
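Link this .vbs script in a GPO (logon script) and apply it to an Organizational Unit that contains all your servers.
Save your script (adminscript.vbs) in the NETLOGON folder on your DC.

' Continue past errors instead of stopping the script
on error resume next

Set objShell = CreateObject("WScript.Shell")
Dim grp

' Bind to the local Administrators group of the machine running the script
Set grp = GetObject("WinNT://./Administrators")
' Add the domain group ITGroup to it
grp.Add ("WinNT://DNSDOMAINNAME/ITGroup")

' Write an entry of type 0 (success) to the Application event log
objShell.LogEvent 0,"adminscript.vbs executed"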
0
Mike KlineCommented:
Group policy is the way to go and specifically restricted groups.  Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see you can either add to what is there or wipe out and add what you define ("Memberof" adds a group, "Members" replaces it.)

Get a feel for it on a few test machines first.

Thanks

Mike
0

LouSch7Author Commented:
Awinish;

Your response looks like it is for password resets of the local admins, not adding an AD group to the local admins.

Everyone else, I am testing out your solutions on a sandbox.

Might there be a WMI script solution for this?
0
AwinishCommented:
0
marcokrecicCommented:
This vbs script works perfectly in my AD Forest 2003 R2.
Link it to an Organizational Unit that contains all your servers (logon script).
--------------------------------------------------------------------------
' Continue past errors instead of stopping the script
on error resume next

Set objShell = CreateObject("WScript.Shell")
Dim grp

' Bind to the local Administrators group of the machine running the script
Set grp = GetObject("WinNT://./Administrators")
' Add the domain group ITGroup to it
grp.Add ("WinNT://DNSDOMAINNAME/ITGroup")

' Write an entry of type 0 (success) to the Application event log
objShell.LogEvent 0,"adminscript.vbs executed"

--------------------------------------------------------------------------

Change DNSDOMAINNAME to the DNS namespace of your AD domain.
0
iimtiazCommented:
Hi,
There is no need for a VBS script and GPO. Why don't you try the Microsoft psexec.exe tool to do so?
I have faced the same scenario and used that tool. Given below is the command according to your environment. You just need to create a computers.txt file, write all the server names in it, and save it in the same location where the psexec tool is located (try to save all in the C drive). Now type the following in a command prompt and just change contoso to your domain name.
psexec.exe @computers.txt net localgroup administrators /add "contoso\ITgroup"
There you have a link to download the psexec tool:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
Hope and sure it will help you a lot.
Thanks
Iftikhar
0
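The following PowerShell sketch is an added example, not code from any poster in this thread. It combines the computers.txt list from the psexec answer with the WinNT provider used in the VBScript, and reports the full local Administrators membership of each server so the change can be checked before and after. It assumes CONTOSO is the NetBIOS domain name, computers.txt holds one server name per line, and the account running it is already an administrator on each server.

```powershell
# Added example. Assumed inputs: computers.txt (one server per line),
# CONTOSO as the NetBIOS domain name, ITGroup as the group to add.
param(
    [string]$ListPath = '.\computers.txt',
    [string]$Domain   = 'CONTOSO',
    [string]$Group    = 'ITGroup',
    [switch]$Apply    # without -Apply the script only reports
)

$target = "WinNT://$Domain/$Group"

$results = foreach ($line in (Get-Content -Path $ListPath)) {
    $server = $line.Trim()
    if (-not $server) { continue }      # skip blank lines in the list
    $row = [pscustomobject]@{ Server = $server; Status = ''; Members = '' }
    try {
        # Same WinNT provider as the VBScript, bound to a remote machine
        $admins = [ADSI]"WinNT://$server/Administrators,group"
        # Collect the ADsPath of every current member of the group
        $paths = @($admins.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
        if ($paths -contains $target) {
            $row.Status = 'AlreadyMember'   # nothing to do, safe to re-run
        } elseif ($Apply) {
            $admins.Add("$target,group")
            $row.Status = 'Added'
            $paths += $target
        } else {
            $row.Status = 'Missing'
        }
        $row.Members = $paths -join '; '
    } catch {
        # Unreachable host, access denied, unknown group, and so on
        $row.Status = "Error: $($_.Exception.Message)"
    }
    $row
}

$results | Format-Table -AutoSize -Wrap
```

Run it once without -Apply to record who is already a local administrator on each server, then again with -Apply; the Members column shows every account holding admin rights, not only ITGroup.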
Mike KlineCommented:
psexec is an ok tool but no way I'd use it to change every admin on every machine. Not sure why you would dismiss restricted groups.

When you run psexec it has to install the service, then start the service, copy the executable, then run it, then stop the service, then uninstall...very cumbersome for every machine.  Why would you want the extra overhead?

Thanks

Mike
0
iimtiazCommented:
That is one way to do so. If you have to do it once I don't think it's a big deal. I have experienced around 7500 machines and used the same tool. Definitely it works like you said, but if it is achieving the goal I think it's good to use it. And once you run the command it will not give you any extra work to do. And for 20 to 30 machines I think it's best to use it.
Thanks
Iftikhar
 
0
eridzoneCommented:
Yes, psexec is the best tool I have used to run applications remotely. I really recommend iimtiaz's approach.
Even in pstools there are so many other utilities, like psloggedon, which tells you who is logged on to which PC.
0
Mike KlineCommented:
Group policy will also do this so that is what we use, different methods all end up with the same outcome.

Thanks

Mike
0
AwinishCommented:
Mike's way is correct & I think it's the simplest way to do it: configure restricted GPO, apply on computer OU, reboot the system & you are done.
0
Windows Server 2003