How to Add Domain Account on Local Administrator Group

Hi Member,
I am going to perform an intraforest migration and I am using ADMT V3.2.

For ADMT V3.2 there is the below-mentioned requirement.

I need to add the target "admin" ID to every local machine's Administrators group to fulfill this requirement of Active Directory migration. I found one way, which is the Restricted Groups feature, but the problem is that we have some users who are already in this local Administrators group on the local machines, because some applications need admin rights. So kindly tell me any idea how I can add my target domain user to the local machine Administrators group.

Thanks & Regards
Osama Mansoor
infoplateform asked:

Philip Elder (Technical Architect - HA/Compute/Storage) commented:
You can use Group Policy Preferences to deliver an AD account to the Local Admin group on the applicable machines.

Group Policy Client Side Extensions need to be installed on Vista and below to accept the GPPref delivered changes.

It is a machine-level GPPref, so GPUpdate /Force plus a reboot, or 90 minutes for it to take plus a reboot.

Philip
Sandeshdubey (Senior Server Engineer) commented:
Instead, there is a much easier way to accomplish what you want:
Set a startup script in Group Policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it... the next time the computers are started, the group will be added to the local admin group.

Instead of a group you can specify a user ID as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

You can also use a Restricted Groups GPO; refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Hope this helps

infoplateform (Author) commented:
Members,

I have tried through Restricted Groups, but the problem is that some users who had been added to the Administrators group of the local machine were removed after applying the Restricted Groups GPO

and

NET localgroup Administrators /add "domain_name\domain_Userid

Saved as localadmin.bat

and added as a startup script, but it is not working.


Kindly help?

Regards,
Osama Mansoor
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
You can configure the GPPrefs to add, change membership, or even remove all users in the group.

Philip
Sandeshdubey (Senior Server Engineer) commented:
NET localgroup Administrators /add "domain_name\domain_Userid" should work.
Check that the script is placed in the SYSVOL share folder.

Refer to the links below for how to apply a startup script.
http://www.petri.co.il/setting-up-logon-script-through-gpo-windows-server-2008.htm
http://support.microsoft.com/kb/198642

Also disable fast logon by GPO and check:
http://support.microsoft.com/kb/305293

Hope this helps.

infoplateform (Author) commented:
Thanks for your help, as always, but my problem was resolved by the following method:

Using a GPO from the target domain:

The command for the batch file that would be the startup script would be:

net localgroup administrators DOMAIN\UserName /add


Save as VBScript.bat


Thanks
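
The startup-script approach the thread settled on, written out as an added example (not code posted by any participant): it appends the account without touching existing members, skips the add when the account is already present, and logs the outcome so it can be audited per machine. The account name, log path and the English group name "Administrators" are assumptions to replace for your environment.

```batch
@echo off
setlocal

rem Assumed placeholder values, not from the thread: replace before use.
set "ACCOUNT=TARGETDOMAIN\MigrationAdmin"
rem The built-in group has a different name on non-English Windows.
set "GROUP=Administrators"
set "LOG=%SystemRoot%\Temp\add-localadmin.log"

rem Already a member: record it and stop, so every boot does not log an error.
call :IsMember
if not errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: %ACCOUNT% already in %GROUP%
    exit /b 0
)

rem /add only appends. Unlike the Restricted Groups "Members" list, it does
rem not remove the local admins that applications already depend on.
net localgroup "%GROUP%" "%ACCOUNT%" /add >>"%LOG%" 2>&1

rem Verify the result instead of trusting the exit code of net.exe.
call :IsMember
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: FAILED to add %ACCOUNT%
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME%: added %ACCOUNT% to %GROUP%
exit /b 0

:IsMember
rem Exact, case-insensitive, whole-line match; the backslash is doubled
rem because findstr treats a single backslash as an escape character.
net localgroup "%GROUP%" 2>nul | findstr /i /x /l /c:"%ACCOUNT:\=\\%" >nul
exit /b %errorlevel%
```

Link it as a computer startup script (it runs as Local System) rather than a user logon script, and unlink the GPO once the migration is finished so the extra administrator is not re-added after cleanup.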