  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397
  • Last Modified:

Add AD Group to Local Admin of all servers

I have a group in Active Directory named ITGroup, and I have 20+ servers that I want to make the ITGroup a Local Admin on.  Is there any script that will allow me to do this automatically, avoiding the need to log into each server individually and add the group?
0
LouSch7
Asked:
LouSch7
1 Solution
 
angel_fire2701 Commented:
You can do that with Group Policy.
0
 
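marcokrecic Commented:
Link this .vbs script in a GPO (logon script) and apply it to an Organizational Unit that contains all your servers.
Save your script (adminscript.vbs) in the netlogon folder on your DC.

' Keep going if the add fails, for example when the group is already a member
On Error Resume Next

Set objShell = CreateObject("WScript.Shell")
Dim grp

' Bind to the local Administrators group through the WinNT provider
Set grp = GetObject("WinNT://./Administrators")
' Add the domain group ITGroup to it
grp.Add ("WinNT://DNSDOMAINNAME/ITGroup")

' Log that the script ran (written even if the add above failed)
objShell.LogEvent 0,"adminscript.vbs executed"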
0
 
Mike Kline Commented:
Group policy is the way to go and specifically restricted groups.  Florian has a great blog entry on it here

http://www.frickelsoft.net/blog/?p=13

As you can see, you can either add to what is there or wipe out and add what you define ("Memberof" adds a group, "Members" replaces it.)

Get a feel for it on a few test machines first.

Thanks

Mike
0

 
LouSch7 (Author) Commented:
Awinish;

Your response looks like it is for password resets of the local admins, not adding an AD group to the local admins.

Everyone else, I am testing out your solutions on a sandbox.

Might there be a WMI script solution for this?
0
 
Awinish Commented:
0
 
marcokrecic Commented:
This VBS script works perfectly in my AD Forest 2003 R2.
Link it to an Organizational Unit that contains all your servers (logon script).
--------------------------------------------------------------------------
' Keep going if the add fails, for example when the group is already a member
On Error Resume Next

Set objShell = CreateObject("WScript.Shell")
Dim grp

' Bind to the local Administrators group through the WinNT provider
Set grp = GetObject("WinNT://./Administrators")
' Add the domain group ITGroup to it
grp.Add ("WinNT://DNSDOMAINNAME/ITGroup")

' Log that the script ran (written even if the add above failed)
objShell.LogEvent 0,"adminscript.vbs executed"

--------------------------------------------------------------------------

Replace DNSDOMAINNAME with the DNS namespace of your AD domain.
0
 
iimtiaz Commented:
Hi,
There is no need for a VBS script and GPO. Why don't you try the Microsoft psexec.exe tool to do so?
I have faced the same scenario and used that tool. Given below is the command for your environment. You just need to create a computers.txt file, write all the server names in it, and save it in the same location where the psexec tool is located (try to save everything on the C drive). Now type the following at a command prompt and just change contoso to your domain name.
psexec.exe @computers.txt net localgroup administrators /add "contoso\ITgroup"
Here is a link to download the psexec tool:
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
I hope, and am sure, it will help you a lot.
Thanks
Iftikhar
0
 
Mike Kline Commented:
psexec is an OK tool but no way I'd use it to change every admin on every machine.   Not sure why you would dismiss restricted groups.

When you run psexec it has to install the service, then start the service, copy the executable, then run it, then stop the service, then uninstall...very cumbersome for every machine.  Why would you want the extra overhead?

Thanks

Mike
0
 
iimtiaz Commented:
That is one way to do so. If you have to do it once, I don't think it's a big deal. I have experienced around 7500 machines and used the same tool. Definitely it works like you said, but if it is achieving the goal, I think it's good to use it. And once you run the command it will not give you any extra work to do. For 20 to 30 machines I think it's best to use it.
Thanks
Iftikhar
 
0
 
eridzone Commented:
Yes, psexec is the best tool I have used to run applications remotely. I really recommend iimtiaz's approach.
Even in pstools there are so many other utilities, like psloggedon, which tells you who is logged on to which PC.
0
 
Mike Kline Commented:
Group policy will also do this so that is what we use, different methods all end up with the same outcome.

Thanks

Mike
0
 
Awinish Commented:
Mike's way is correct & I think it's the simplest way to do it: configure restricted GPO, apply on computer OU, reboot the system & you are done.
0
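
To check the outcome on each server after any of the methods discussed above (Restricted Groups, the logon script or psexec), the following is an added example, not code from any poster in this thread. It lists the local Administrators members through the same WinNT provider the VBScript uses; the domain name CONTOSO, the server list and the function names are assumptions.

```powershell
# Added example: audit local Administrators membership on each server.
# Assumptions: CONTOSO is a placeholder domain; function names are hypothetical.
$ExpectedGroup = 'CONTOSO/ITGroup'   # WinNT path form is DOMAIN/Name
$Servers       = @('.')              # '.' is the local machine; list your servers here

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # Same WinNT provider binding the VBScript in this thread uses
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as COM objects; read ADsPath by late binding
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-LocalAdminMembership {
    param([string[]]$Members, [string]$Expected)
    [pscustomobject]@{
        HasExpected = $Members -contains $Expected      # case-insensitive match
        Others      = @($Members -ne $Expected)         # everything else, for review
    }
}

$report = foreach ($server in $Servers) {
    try {
        $members = @(Get-LocalAdminMember -ComputerName $server)
        $check   = Test-LocalAdminMembership -Members $members -Expected $ExpectedGroup
        [pscustomobject]@{
            Server         = $server
            ITGroupIsAdmin = $check.HasExpected
            OtherMembers   = $check.Others -join '; '
            Error          = $null
        }
    } catch {
        # Unreachable host or access denied: record it instead of stopping the run
        [pscustomobject]@{
            Server         = $server
            ITGroupIsAdmin = $null
            OtherMembers   = ''
            Error          = $_.Exception.Message
        }
    }
}
$report | Format-Table -AutoSize -Wrap
```

Running it on the test machines before and after a Restricted Groups policy is applied shows the difference between the two settings described above: with "Members", accounts that appeared under OtherMembers beforehand and are not defined in the policy are no longer listed.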
