Solved

Add AD Group into Local Administrators Group on Server 2003 via GP & Startup Script

Posted on 2011-05-05
713 Views
Last Modified: 2012-05-11
I remember this being SO simple:

1)
Create a NET LOCALGROUP .bat/.cmd script

REM DOMAIN is a placeholder for the NetBIOS domain name; the syntax is NET LOCALGROUP <localgroup> <account> /ADD
NET LOCALGROUP Administrators "DOMAIN\ServerAdmins" /ADD

2)  In Group Policy Management select the OU where you want the GPO to be applied
3)  Create "...new GPO and Link it here..." named <AddSrvAdmToLocal>
4)  Edit this GPO by modifying the Computer Config | Policies | Windows Settings | Scripts Item
5)  Open the Startup script object in the right pane and click add to choose the script to run when the computer starts up.
6)  Close editor and add impacted devices under the Scope tab of the GPO (e.g. - Domain Computers)
      a. in this case I have specifically chosen a couple of non-production servers and added those.

Doing Group Policy Modeling shows the GPO as being applied.

However, when I reboot the two servers nothing happens.  The group does not get added.

Something in the back of my mind tells me that I am missing something but I can't for the life of me think of what it might be.
Question by:LateNiteR

12 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 35701832
Perhaps see what it throws (and at the same time, verify it runs):

NET LOCALGROUP Administrators "DOMAIN\ServerAdmins" /ADD > C:\GroupUpdate.log 2>&1

At least that way you'll get the file if it runs, and if you don't get the file, either the policy didn't apply (RSOP.msc or GPResult time), or the script is not running at all (check the policy you've set up).

Chris
LVL 71

Expert Comment

by:Chris Dent
ID: 35701856
Oh and just to be sure...

You did do "Show Files" and add the script there, right? Then the script is just referenced by name in the Startup Script options box thing?

Sorry if it's a basic question, just making sure :)

Chris
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 2000 total points
ID: 35701934
Can you not use restricted groups to add the group?
LVL 3

Author Comment

by:LateNiteR
ID: 35702357
No. I cannot use restricted groups as I need to retain the members which are already there on the servers.

I will add the log component (I figure "why not").

What I've been doing to check is using psexec to run:
psexec \\servername NET LOCALGROUP Administrators
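As an added example (not from the original thread), here is the membership check LateNiteR does with psexec and the startup-script addition itself, both done from PowerShell through the ADSI WinNT provider, which works with PowerShell 2.0 against Server 2003/2008 targets and needs no RSAT. It only adds the domain group when it is missing, so it is safe to run on every boot. CONTOSO, ServerAdmins, SRV01 and SRV02 are placeholders, and the caller is assumed to be a local administrator on each target.

```powershell
# Added example, not part of the original thread. Lists the local Administrators group
# on one or more servers and adds a domain group only when it is missing, so the same
# script is safe to run on every boot as a GPO startup script. Uses the ADSI WinNT
# provider (PowerShell 2.0, no RSAT needed). Assumptions: the caller is a local admin
# on each target; CONTOSO, ServerAdmins, SRV01 and SRV02 are placeholders.

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Members come back as raw COM objects; read ADsPath through reflection
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://CONTOSO/ServerAdmins        -> CONTOSO\ServerAdmins
        # WinNT://CONTOSO/SRV01/Administrator -> SRV01\Administrator
        $parts = ($path -replace '^WinNT://', '') -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Add-LocalAdminMember {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$GroupName
    )
    $wanted  = "$Domain\$GroupName"
    $current = @(Get-LocalAdminMembers -ComputerName $ComputerName)
    if ($current -contains $wanted) {
        return "$ComputerName : $wanted already present, nothing changed"
    }
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    # Add() appends one member; existing members, local Administrator included, stay
    $admins.Add("WinNT://$Domain/$GroupName,group")
    return "$ComputerName : added $wanted"
}

# Same idea as the thread's '> C:\GroupUpdate.log 2>&1': keep evidence that the script ran
$LogFile = 'C:\GroupUpdate.log'
function Write-Log {
    param([string]$Text)
    "$(Get-Date -Format s) $Text" | Out-File -FilePath $LogFile -Append
    Write-Output $Text
}

foreach ($server in 'SRV01', 'SRV02') {
    try {
        Write-Log (Add-LocalAdminMember -ComputerName $server -Domain 'CONTOSO' -GroupName 'ServerAdmins')
        Write-Log ("$server now has: " + ((Get-LocalAdminMembers -ComputerName $server) -join ', '))
    } catch {
        Write-Log "$server : FAILED - $($_.Exception.Message)"
    }
}
```

Run as a startup script it executes as the computer account, so the domain group must be resolvable from the server; the log file is the quickest way to tell "policy never ran" from "policy ran and failed", which is the distinction Chris Dent is after above.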
LVL 71

Expert Comment

by:Chris Dent
ID: 35704446
> No. i cannot use restricted groups as I need to retain the members which are already there on the servers.

You can do that if you use the MemberOf functionality instead of Member. It doesn't have to overwrite, it just depends on context.

You'd have to create a policy element for each of the groups you wanted to add to Administrators. e.g.

Group1   ->   MemberOf: Administrators
Group2   ->   MemberOf: Administrators

Then apply that policy to the servers you need in the usual manner.

Chris
LVL 3

Author Comment

by:LateNiteR
ID: 35705145
Hmmmm. The way I always understood it was that Restricted groups applied via GPO replace all members of the affected group. E.g., the local Administrator account gets removed as well, no?

Can't have that.
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 2000 total points
ID: 35705313
You can add the local administrator to the list of users/groups in the restricted groups.
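The two Restricted Groups forms that Chris Dent and Joseph Moody are discussing above end up as plain text in the GPO's GptTmpl.inf under SYSVOL (\\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf). As an added example, not part of the thread, the script below parses that file's [Group Membership] section and reports which entries are the authoritative "Members" form (replaces the group's membership with exactly the listed accounts, which is the behaviour LateNiteR is worried about) and which are the additive "Memberof" form. The two INF texts are constructed for the example and CONTOSO\ServerAdmins is a placeholder.

```powershell
# Added example, not part of the original thread. Parses the [Group Membership] section
# of a GptTmpl.inf (where a GPO stores its Restricted Groups settings) and tells the two
# forms apart: 'Members' is authoritative and replaces the target group's membership with
# exactly the listed accounts; 'Memberof' only adds the named group to the target.
# The INF texts below are constructed for this example; CONTOSO\ServerAdmins is a placeholder.

$WellKnownSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-555' = 'BUILTIN\Remote Desktop Users'
}

function Resolve-RgName {
    param([string]$Name)
    # GptTmpl.inf writes SIDs with a leading '*'; account names are left as written
    if ($Name.StartsWith('*')) {
        $sid = $Name.Substring(1)
        if ($WellKnownSids.ContainsKey($sid)) { return $WellKnownSids[$sid] }
        return $sid
    }
    return $Name
}

function Get-RestrictedGroupEntries {
    param([Parameter(Mandatory = $true)][string]$IniText)
    $pattern   = '^(?<key>.+?)__(?<mode>Members|Memberof)\s*=\s*(?<val>.*)$'
    $inSection = $false
    foreach ($raw in ($IniText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {          # section header: track whether we are in Group Membership
            $inSection = ($matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or $line -eq '') { continue }
        $m = [regex]::Match($line, $pattern, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $targets = @($m.Groups['val'].Value -split ',' |
                     ForEach-Object { $_.Trim() } |
                     Where-Object { $_ -ne '' } |
                     ForEach-Object { Resolve-RgName $_ })
        $mode = if ($m.Groups['mode'].Value -eq 'Members') { 'Members' } else { 'Memberof' }
        New-Object PSObject -Property @{
            Group    = Resolve-RgName $m.Groups['key'].Value
            Mode     = $mode
            Targets  = $targets
            Replaces = ($mode -eq 'Members')   # authoritative form: anyone not listed is removed
        }
    }
}

function Test-ClobbersLocalAdmins {
    param([Parameter(Mandatory = $true)][string]$IniText)
    $hits = @(Get-RestrictedGroupEntries -IniText $IniText |
              Where-Object { $_.Replaces -and $_.Group -eq 'BUILTIN\Administrators' })
    return ($hits.Count -gt 0)
}

# The additive pattern from this thread: domain group -> MemberOf: Administrators
$Additive = @'
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\ServerAdmins__Memberof = *S-1-5-32-544
CONTOSO\ServerAdmins__Members =
'@

# The authoritative pattern: Administrators -> Members: exactly this list (local Administrator included)
$Authoritative = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,CONTOSO\ServerAdmins
'@

$cols = 'Group', 'Mode', 'Replaces', @{ n = 'Targets'; e = { $_.Targets -join ', ' } }
Get-RestrictedGroupEntries -IniText $Additive      | Format-Table $cols -AutoSize
Get-RestrictedGroupEntries -IniText $Authoritative | Format-Table $cols -AutoSize
"Additive policy replaces local Administrators: $(Test-ClobbersLocalAdmins -IniText $Additive)"
"Authoritative policy replaces local Administrators: $(Test-ClobbersLocalAdmins -IniText $Authoritative)"
```

For the additive policy, Test-ClobbersLocalAdmins returns False: its only Members line belongs to the domain group, not to BUILTIN\Administrators, so existing local members are untouched. For the authoritative policy it returns True, and local Administrators would end up holding only Administrator and CONTOSO\ServerAdmins, which is what Joseph Moody means by adding the local administrator to the list. Pointing Get-RestrictedGroupEntries at every GptTmpl.inf under SYSVOL is a quick audit for policies that would silently wipe a server's local administrators.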
LVL 22

Accepted Solution

by:Joseph Moody
Joseph Moody earned 2000 total points
ID: 35705319
LVL 3

Author Comment

by:LateNiteR
ID: 35709664
....sigh.  Many thanks.  As stated in the Blog, this is precisely how it should have been explained all along but never was.

Everyone is SO careful to outline the pitfalls it would seem that many (like myself) have long forgotten (or never realized) that this is a viable, working-as-designed, solution to adding groups. (Re)LEARNED SOMETHING TODAY! (Kewl)

My former company's AD script is likely a holdover from NT 4.0 days when GPOs didn't yet exist.  Hence, when I'd asked in the past, my queries about "...using GPOs to add members..." were largely brushed-off.

Restricted Groups are the way to go.

I was able to successfully run my NET LOCALGROUP script on our Win2008 servers (which are Post-NT 4.0 removal) while I kept getting a "The trust relationship between the primary domain and the trusted domain failed." error on the Windows 2003 Servers (part of the mixed NT 4.0 Environment).  Even validating the "Trusts" (which no longer exist) doesn't change the outcome.  Running NLTEST on the offending servers showed that everything was OK.

Many Thanks.  Problem Solved!
LVL 3

Author Closing Comment

by:LateNiteR
ID: 35709706
Restricted Groups worked like a charm.

When creating the CORRECT entry (read the blog as advised) in the GPO name the restricted group <Domain>\<ADGroup> while in the bottom box type in the LOCAL Servers group (e.g. - Administrators rather than <Servername>\Admin... as that would defeat the whole purpose of the exercise).
LVL 3

Author Comment

by:LateNiteR
ID: 35709723
To explain my point assignment.

....no kidding.  JMoody, I guess all three posts were yours.  My bad.

Good Times!

Thanks again everyone.
LVL 71

Expert Comment

by:Chris Dent
ID: 35709731
No problem for me, as long as you're set :)

Chris