Solved

Add Domain users to LocalGroup in remote Windows Servers

Posted on 2013-12-26
8
50 Views
1 Endorsement
Last Modified: 2015-08-15
Hi,
I would like to add few Domain user and Local users in Local Group of multiple servers.
I want to do this task via a script (VBS or any command line batch files) remotely from one servers without installing any additional tools.  The remote servers are combination of Windows 2000, Windows 2003, windows 2008. Thank You
1
Comment
Question by:GodMother
8 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 39739757
0
 

Author Comment

by:GodMother
ID: 39739765
How to add a domain user to local admin group in multiple remote computers please.

for example: I have users as  DOMAIN-A\User1,  DOMAIN-A\User2
And I need to add above users to Local Administrators group in ComputerA, ComputerB, ComputersC etc...
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39739843
Create one global group in domain
Add all required domain users in this group

Create a simple batch file like this:
net localgroup administrators domain\group /add

Replace domain with your domain NetBIOS name and group with one created above

create one OU and move all client computers to that OU and apply new GPO on this OU
In GPO, configure above code as computer startup batch script, so that when client computers get rebooted next time the above group will automatically added to local administrators group on all client computers in OU

Alternatively you can use GPO restricted group feature to achieve same results
Only thing you need to add domain admins group as well in addition to above group
http://myitforum.com/cs2/blogs/rdixon/archive/2008/06/17/how-to-add-domain-accounts-to-local-administrators-group-using-gpo.aspx

Mahesh
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 39739859
I have used restricted group in production environment to add desktop engineers as local administrator on clients PC.

Create a group in AD, add all the users to group.
Create a GPO, Add the newly created group in Restricted groups and add the "Administrators" in "This group is member of" check attached screenshot.

attach the policy to computers container OU.
Run gpupdate /force and the group will be a part of "Local Administrators" group.
You cannot attach to the default computer container in AD. you will need to create a new OU and move all computer accounts there.


Note: Best is to use redir cmp, so that any new computer accounts goes to new OU. A complete different topic to discuss on it.
SCAP-0005.png
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 12

Expert Comment

by:Dave
ID: 39739863
Its generally not a great idea to add individual users to local groups on servers. If you do then when the users leave and you remove their accounts you get "hanging SIDS" when you look at those group membership lists on the servers.

I would always create a group on the Domain and add the users to that group.

I would then use the "restricted groups" feature of group policy to control membership of the admins group. If you use the startup script the membership is not reset until a re-boot. If its set via policy the policy is re-applied at regular intervals. This means if some one tampers its fixed much sooner.
0
 

Author Comment

by:GodMother
ID: 40025644
I do not have domain administrator privileges, but only local admin to my servers. And there still workgroup model servers in my environment due to the need of applications.
That why domain level will not work fully for me. From all the valuable inputs from different experts, I feel it is what I need to do manually or using simple batch files using net user command.
0
 

Author Comment

by:GodMother
ID: 40867265
Seems so far there is no option to address my query. request please close the question.
0
 
LVL 12

Accepted Solution

by:
Dave earned 200 total points
ID: 40867267
If the questioner had stated at the start that:-

I do not have domain administrator privileges, but only local admin to my servers. And there still workgroup model servers in my environment due to the need of applications.
 That why domain level will not work fully for me.  

at the beginning then we could have said quickly that as he says:-

From all the valuable inputs from different experts, I feel it is what I need to do manually or using simple batch files using net user command.

workgroup servers can't easily be remotely managed.  He could use the PSEXEC tool:-

https://technet.microsoft.com/en-us/sysinternals/bb897553

to run the scripts on the remote servers.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
windows 7 system recovery 5 65
Could not intialize the Java virtual machine 5 50
Restricting Domain Admin Accounts 4 47
pinned files stuck win 8.1 6 28
This article describes how to set permissions to allow a limited-permissions user to start and stop a particular System Service.   It is always best to give users only the permissions that they need to perform their job, so tweaking particular permi…
The way I use Experts Exchange to assist me in analyzing and diagnosing a problem is I first enter a Verbose Question at Experts Exchange like: Office 2007 will hang when opening and saving files I then launch WordPad (any text editor will do) an…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now