How to add group to local administrators without removing the existing groups

Hello everybody,

I'm in the computer migration process using ADMT.

The migration will take place between the Forest A to Forest B.

I'm having a big problem to include a group domain B (which will be the new domain that will receive the accounts of computers) in the Local Administrator group of computers that will be migrated.

I've tried to make the process with the GPO Restricted Groups using the option This group is a member of and users and other existing groups in the Local Administrator group is removed when the GPO is applied.

I've tried using the GPO Local Users and Groups in Computers\Preferences Control Panel Settings and when I add a group domain B Administrators from the group created in domain A the Administrators group is simply removed from the group.

I'm doing something wrong?

There is another way to solve this problem?
LVL 1
lucianolimaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Emmanuel AdebayoGlobal Windows Infrastructure Engineer - ConsultantCommented:
What level of authetication did you have between the two forest?

You will needd to Create a two-way, forest trust with forest-wide authentication.

regards
0
lucianolimaAuthor Commented:
Hello Emmanuel,

I have Two-way trust with Forest-Wide Authentication.

Do you have any other ideas of what can be?
0
Yusaf (Joe) Sneddon3rd Line Support EngineerCommented:
Obviously if the trust is in place i would use a PowerShell script >> https://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

Also the group policy preferences should work although never tried via that method across domains, so are you adding it under preferences and setting it to update the local administrators group? and its just removing it?
0
lucianolimaAuthor Commented:
Hello everybody,

I solved the problem as follows:

I created a GPO and added a traditional .bat script in the Logon Script in User Configuration\Policies\Windows Settings\Scripts (Logon \ Logoff) the following command:

net localgroup "administrators" "domainname\domain admins" / add
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.