
How to Add Domain Account on Local Administrator Group

infoplateform asked
Hi Members,
I am going to perform an intraforest migration and I am using ADMT V3.2.

For ADMT V3.2 there is the below-mentioned requirement.

I need to add the target "admin" ID to the local Administrators group on every machine to fulfill this requirement of the Active Directory migration. I found one way, which is the Restricted Groups feature, but the problem is that we have some users who are already in this local Administrators group on local machines because some applications need admin rights. So kindly tell me any idea how I can add my target domain user to the local machine Administrators group.

Thanks & Regards
Osama Mansoor

Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
You can use Group Policy Preferences to deliver an AD account to the Local Admin group on the applicable machines.

Group Policy Client Side Extensions need to be installed on Vista and below to accept the GPPref delivered changes.

It is a machine-level GPPref, so GPUpdate /Force plus a reboot, or 90 minutes to take effect plus a reboot.

Philip
Sandesh Dubey, Technical Lead
Top Expert 2011

Commented:
Instead, there is a much easier way to accomplish what you want:
Set a startup script in Group Policy with the following line:
NET localgroup Administrators /add "domain_name\domain_group"
That's it. The next time the computers are started, the group will be added to the local admin group.

Instead of a group, you can specify a user ID as below:
NET localgroup Administrators /add "domain_name\domain_Userid"

You can also use a Restricted Groups GPO; refer to this link: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Hope this helps

Author

Commented:
Members,

I have tried going through Restricted Groups, but the problem is that some users who had been added to the Administrators group of the local machine were removed after applying the Restricted Groups GPO

and

NET localgroup Administrators /add "domain_name\domain_Userid

Saved as localadmin.bat

and added as a startup script, but it is not working.


Kindly help?

Regards,
Osama Mansoor
Philip Elder, Technical Architect - HA/Compute/Storage

Commented:
You can configure the GPPrefs to add, change membership, or even remove all users in the group.

Philip
Technical Lead
Top Expert 2011
Commented:
NET localgroup Administrators /add "domain_name\domain_Userid" should work.
Check that the script is placed in the SYSVOL share folder.

Refer to the links below for how to apply a startup script.
http://www.petri.co.il/setting-up-logon-script-through-gpo-windows-server-2008.htm
http://support.microsoft.com/kb/198642

Also try disabling fast logon via GPO and check:
http://support.microsoft.com/kb/305293

Hope this helps.

Author

Commented:
Thanks for your help as always, but my problem was resolved by the following method:

Using a GPO from the target domain:

The command for the batch file that would be the startup script would be:

net localgroup administrators DOMAIN\UserName /add


Save as VBScript.bat


Thanks
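
The startup-script approach discussed in this thread, written out as an added example that is not part of any post above: it only appends to the local Administrators group (so the existing application users stay in place, unlike the Restricted Groups behaviour the author ran into), skips machines where the account is already present, and logs membership for later review. `DOMAIN\UserName` is the thread's placeholder; the log path, the optional `remove` argument and the English group name "Administrators" are assumptions.

```batch
@echo off
rem Added example, not from the thread: computer startup script (runs as SYSTEM).
rem DOMAIN\UserName is the thread's placeholder; the log path is an assumption.
rem Assumes an English OS where the group is named "Administrators".
setlocal
set "TARGET=DOMAIN\UserName"
set "LOG=%SystemRoot%\Temp\localadmin.log"

rem Optional argument "remove" takes the account back out once migration is done.
if /i "%~1"=="remove" goto :remove

rem Record current membership so existing local admins can be verified later.
echo [%DATE% %TIME%] %COMPUTERNAME% members before change: >> "%LOG%"
net localgroup Administrators >> "%LOG%" 2>&1

rem Whole-line, case-insensitive, literal match: skip if already a member.
net localgroup Administrators | findstr /i /x /l /c:"%TARGET%" >nul
if not errorlevel 1 (
    echo [%DATE% %TIME%] %TARGET% already present, nothing to do >> "%LOG%"
    exit /b 0
)

rem /add only appends; it never removes members that are already there.
net localgroup Administrators "%TARGET%" /add >> "%LOG%" 2>&1
if errorlevel 1 (
    echo [%DATE% %TIME%] FAILED to add %TARGET% >> "%LOG%"
    exit /b 1
)
echo [%DATE% %TIME%] added %TARGET% >> "%LOG%"
exit /b 0

:remove
net localgroup Administrators "%TARGET%" /delete >> "%LOG%" 2>&1
if errorlevel 1 (
    echo [%DATE% %TIME%] FAILED to remove %TARGET% >> "%LOG%"
    exit /b 1
)
echo [%DATE% %TIME%] removed %TARGET% >> "%LOG%"
exit /b 0
```

Running the same script with the `remove` argument after the migration is complete takes the account back out of the group, so the elevated access does not outlive the ADMT requirement.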