Status: Solved

Add AD Group into Local Administrators Group on Server 2003 via GP & Startup Script

I remember this being SO simple:

1)  Create a NET LOCALGROUP .bat/.cmd script:

REM DOMAIN is a placeholder for the AD domain's NetBIOS name
NET LOCALGROUP Administrators "DOMAIN\ServerAdmins" /ADD

2)  In Group Policy Management select the OU where you want the GPO to be applied
3)  Create "...new GPO and Link it here..." named <AddSrvAdmToLocal>
4)  Edit this GPO by modifying the Computer Config | Policies | Windows Settings | Scripts Item
5)  Open the Startup script object in the right pane and click add to choose the script to run when the computer starts up.
6)  Close editor and add impacted devices under the Scope tab of the GPO (e.g. - Domain Computers)
      a. In this case I have specifically chosen a couple of non-production servers and added those.

Doing Group Policy Modeling shows the GPO as being applied.

However, when I reboot the two servers nothing happens.  The group does not get added.

Something in the back of my mind tells me that I am missing something but I can't for the life of me think of what it might be.
Asked by: LateNiteR

3 Solutions

Chris Dent (PowerShell Developer) commented:
Perhaps see what it throws (and at the same time, verify it runs):

NET LOCALGROUP Administrators "DOMAIN\ServerAdmins" /ADD > C:\GroupUpdate.log 2>&1

At least that way you'll get the file if it runs, and if you don't get the file, either the policy didn't apply (RSOP.msc or GPResult time), or the script is not running at all (check the policy you've set up).

Chris
 
Chris Dent (PowerShell Developer) commented:
Oh and just to be sure...

You did do "Show Files" and add the script there, right? Then the script is just referenced by name in the Startup Script options box thing?

Sorry if it's a basic question, just making sure :)

Chris
 
Joseph Moody (Blogger and wearer of all hats) commented:
Can you not use restricted groups to add the group?
 
LateNiteR (Author) commented:
No. I cannot use restricted groups as I need to retain the members which are already there on the servers.

I will add the log component (I figure "why not").

What I've been doing to check is using psexec to run:
psexec \\servername NET LOCALGROUP Administrators
 
Chris Dent (PowerShell Developer) commented:
> No. i cannot use restricted groups as I need to retain the members which are already there on the servers.

You can do that if you use the MemberOf functionality instead of Member. It doesn't have to overwrite, it just depends on context.

You'd have to create a policy element for each of the groups you wanted to add to Administrators. e.g.

Group1   ->   MemberOf: Administrators
Group2   ->   MemberOf: Administrators

Then apply that policy to the servers you need in the usual manner.

Chris
 
LateNiteR (Author) commented:
Hmmmm. The way I always understood it was that Restricted groups applied via GPO replace all members of the affected group. E.g., the local Administrator account gets removed as well, no?

Can't have that.
 
Joseph Moody (Blogger and wearer of all hats) commented:
You can add the local administrator to the list of users/groups in the restricted groups.
 
Joseph Moody (Blogger and wearer of all hats) commented:
 
LateNiteR (Author) commented:
....sigh.  Many thanks.  As stated in the Blog, this is precisely how it should have been explained all along but never was.

Everyone is SO careful to outline the pitfalls it would seem that many (like myself) have long forgotten (or never realized) that this is a viable, working-as-designed, solution to adding groups. (Re)LEARNED SOMETHING TODAY! (Kewl)

My former company's AD script is likely a holdover from NT 4.0 days when GPOs didn't yet exist.  Hence, when I'd asked in the past, my queries about "...using GPOs to add members..." were largely brushed off.

Restricted Groups are the way to go.

I was able to successfully run my NET LOCALGROUP script on our Win2008 servers (which are Post-NT 4.0 removal) while I kept getting a "The trust relationship between the primary domain and the trusted domain failed." error on the Windows 2003 Servers (part of the mixed NT 4.0 Environment).  Even validating the "Trusts" (which no longer exist) doesn't change the outcome.  Running NLTEST on the offending servers showed that everything was OK.

Many Thanks.  Problem Solved!
 
LateNiteR (Author) commented:
Restricted Groups worked like a charm.

When creating the CORRECT entry (read the blog as advised) in the GPO, name the restricted group <Domain>\<ADGroup>, while in the bottom box type in the LOCAL server's group (e.g. Administrators rather than <Servername>\Admin..., as that would defeat the whole purpose of the exercise).
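As an added check that is not code from this thread: a PowerShell script, run from an admin workstation with rights on the targets, that reads each server's local Administrators group through the WinNT ADSI provider and reports whether the AD group named in the Restricted Groups entry is present and whether the built-in Administrator account (the concern raised earlier in the thread) survived the policy. The server names, DOMAIN\ServerAdmins and the "must remain" list are placeholders.

```powershell
# Added verification script, not from the thread. Server names, the AD group
# and the "must remain" account are placeholders; adjust them before running.
$Servers       = @('SERVER01', 'SERVER02')   # placeholder: the targeted servers
$RequiredGroup = 'DOMAIN\ServerAdmins'        # placeholder: the <Domain>\<ADGroup> entry
$MustRemain    = @('Administrator')           # local accounts that must not be removed

function Get-LocalAdminMembers {
    # Returns members as AUTHORITY\Name (DOMAIN\Group or COMPUTER\LocalAccount)
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/ServerAdmins or WinNT://DOMAIN/SERVER01/Administrator
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # keep only the last two segments: authority\account
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[-1] }
    }
}

foreach ($s in $Servers) {
    try   { $members = @(Get-LocalAdminMembers -ComputerName $s) }
    catch { Write-Warning "${s}: cannot read Administrators ($($_.Exception.Message))"; continue }

    # Did the GPO add the AD group, and did the listed local accounts survive?
    $hasGroup = ($members -contains $RequiredGroup)
    $lost     = @($MustRemain | Where-Object {
                    $name = $_
                    -not ($members | Where-Object { $_ -like "*\$name" })
                })
    $status = if ($hasGroup -and $lost.Count -eq 0) { 'OK' } else { 'CHECK' }
    '{0,-12} {1,-5} group present={2} lost={3}' -f $s, $status, $hasGroup, ($lost -join ',')
    '    members: ' + ($members -join '; ')
}
```

Run it after the servers have rebooted or refreshed policy; a CHECK line means either the AD group is absent (policy did not apply) or a listed local account was removed (the entry was built the wrong way round).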
 
LateNiteR (Author) commented:
To explain my point assignment.

....no kidding.  JMoody, I guess all three posts were yours.  My bad.

Good Times!

Thanks again everyone.
 
Chris Dent (PowerShell Developer) commented:
No problem for me, as long as you're set :)

Chris