Troubleshooting Question

How can I add a domain user to the local admin group on all clients in the domain without wiping out all of the current users in the group

71 Views
Last Modified: 2020-10-21
How can I add a domain user to the local admin group on all clients in the domain without wiping out all of the current users in the group.

I have read that using a GPO with the
"restricted Groups" setting will delete all of the current users in the local admin group.

We have set up a short C# script that will use msg.exe to pop up a window to all computers in the domain, but for the admin personnel to use it they must be a local admin on the local computer and we do not want to add them to the domain admin group.

Patrick Wrigley, Network Manager

Author

Commented:
Is there a way to create a limited admin group in AD with permissions to run a specific .exe (msg.exe) on any computer on the domain?
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Group Policy Preferences Local Users and Groups has an option to append users to a local group
Patrick Wrigley, Network Manager

Author

Commented:
All I see under the new GPO-->Computer Management-->Preferences-->Control Panel Settings-->Local Users and Groups

New Local User, then I have

Action:
Create
Update
Replace
Delete
but Create was killed by MS in May, I have read.
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
You need New Local Group. Use Replace and it will work fine to append a user to the group selected.
kevinhsieh, Network Engineer
CERTIFIED EXPERT

Commented:
How is msg.exe being restricted now?
Patrick Wrigley, Network Manager

Author

Commented:
I did a new local group-->create

should I have done a replace instead?

There is no local group with the AD group name I created.
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
I thought you wanted to add a user to the Administrators group? Why are you creating a new one?
Patrick Wrigley, Network Manager

Author

Commented:
I was hoping to add an AD group to the local administrators group.

Patrick Wrigley, Network Manager

Author

Commented:
I was hoping to add an AD group to the local administrators group.
I created an Urgent)Msg group in AD and would like to add the group to the local administrators group on client machines.
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Ok, so do New Local Group, make it Administrators, add the domain group to it and set the options so it doesn't remove existing users or groups. Apply it to the target devices and it will take effect.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
1st: don't add a user account as global admin. That is very, very dangerous, no matter how long its password is.
Please refer to my article for a safe support user setup: https://www.experts-exchange.com/articles/18180/A-concept-for-safe-user-support.html 
2nd: restricted groups can be used, after all. You can use two options within: one wipes the admin group, while the other does not. Of course, group policy preferences is another way.
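Both routes described above (a GPP Local Users and Groups item with the "Delete all member users/groups" boxes unchecked, or Restricted Groups used the non-wiping way) are meant to append the domain group and leave the existing Administrators members alone. The following PowerShell audit is an added example, not code from anyone in this thread, for checking that outcome on the clients after `gpupdate`. It assumes the RSAT ActiveDirectory module on the management workstation, PowerShell Remoting enabled on the clients, an AD group named UrgentMsg (a placeholder for the group you created), and a placeholder list of baseline members that must still be present.

```powershell
#Requires -Modules ActiveDirectory
# Added example: audit the local Administrators group on domain clients after the GPO applies.
# Assumes RSAT ActiveDirectory, PowerShell Remoting, and placeholder names for the AD group
# being added and for the members that must survive (adjust both for your domain).

function Test-LocalAdminBaseline {
    param(
        [string[]]$ComputerName,
        [string]$ExpectedGroup = 'UrgentMsg',              # placeholder: the AD group the GPO adds
        [string[]]$BaselineMembers = @('Domain Admins')    # placeholder: members that must not be wiped
    )
    $netbios  = (Get-ADDomain).NetBIOSName
    $expected = "$netbios\$ExpectedGroup"
    $baseline = $BaselineMembers | ForEach-Object { "$netbios\$_" }

    # Query built-in Administrators by its well-known SID (S-1-5-32-544), so a renamed
    # group on some client does not break the audit.
    $results = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $members = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty Name)
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; Members = $members }
    }

    foreach ($r in $results) {
        $missing = @($baseline | Where-Object { $r.Members -notcontains $_ })
        [pscustomobject]@{
            Computer       = $r.Computer
            GroupAdded     = [bool]($r.Members -contains $expected)   # the GPO appended the group
            BaselineIntact = ($missing.Count -eq 0)                   # nothing was wiped
            MissingMembers = ($missing -join ', ')
            MemberCount    = $r.Members.Count
        }
    }

    # Clients that did not answer (offline, remoting disabled) are absent from $results;
    # list them explicitly so silence is never mistaken for success.
    $answered = @($results | Select-Object -ExpandProperty Computer)
    foreach ($c in $ComputerName | Where-Object { $answered -notcontains $_ }) {
        [pscustomobject]@{ Computer = $c; GroupAdded = $null; BaselineIntact = $null
                           MissingMembers = 'no response'; MemberCount = $null }
    }
}

# Usage: audit a pilot OU first (placeholder DN), then widen the scope.
$pilot = Get-ADComputer -Filter * -SearchBase 'OU=Pilot,OU=Workstations,DC=example,DC=com' |
         Select-Object -ExpandProperty Name
Test-LocalAdminBaseline -ComputerName $pilot |
    Where-Object { -not $_.GroupAdded -or -not $_.BaselineIntact } |
    Format-Table -AutoSize
```

Run it against a pilot OU before linking the GPO domain-wide: a `BaselineIntact` of False on any machine means the item was configured to replace the membership rather than append to it, and a `GroupAdded` of False after a refresh usually means the action was Create against a group that already exists.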
Patrick Wrigley, Network Manager

Author

Commented:
Good morning. As a test I did the following.

New GPO --> Computer Config-->Preferences-->Local Users and Groups--> New Group-->named new group "Guests"--> added domain users to the group-->did not choose "Delete all member users" or "Delete all member groups"--> action=Create-->chose Apply.

Ran gpupdate /force on client and the Guests group did not have the new members in it.
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Use Replace. Create means "do nothing" if the group already exists, and there is *always* a Guests group.
Patrick Wrigley, Network Manager

Author

Commented:
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Did you type Guests in or select from the list? Because it should say "built-in" after it like below if you selected it from the drop-down list 


Patrick Wrigley, Network Manager

Author

Commented:
No, I typed Guests in. I will try the dropdown and use the built-in.

Patrick Wrigley, Network Manager

Author

Commented:
Do I need to set something in the "rename to" field?
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Don't bother with Guests, apparently you can't use GPP on that group - 
Patrick Wrigley, Network Manager

Author

Commented:
Patrick Wrigley, Network Manager

Author

Commented:
Ahh, ok, I will use another group; I will try Power Users.
James Rankin, Media Hound
CERTIFIED EXPERT

Commented:
Works on the built-in Administrators group though - and for the record, I used Update here rather than Replace


CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Be aware that this will be liked by hackers. Having global admin accounts is a security no-go.
Patrick Wrigley, Network Manager

Author

Commented:
We are trying to use msg.exe to be able to send urgent messages to all endpoints in the domain, but you have to be a local admin to send them. It sucks. netsend would be a much better solution.

BUT msg.exe sends a pop up message that appears on top of all open windows, and even on top of the log in screen so it is a perfect solution with this one very notable exception.



Patrick Wrigley, Network Manager

Author

Commented:
I really wish that there was another way to run msg.exe to all domain endpoints.

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Create a scheduled task to be deployed anywhere that digests messages from a server-based file once every minute. Done. No danger at all, almost as good.
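One way to build the scheduled-task design suggested in that comment, as an added example rather than anything posted in this thread: the task runs as SYSTEM on every client and polls a file on a share once a minute, then shows any new lines locally with msg.exe, so no human account needs local admin rights on any endpoint. The share path, the `<id>|<text>` line format, the install folder and the task name are all assumptions; the help-desk group only needs Modify on the share and the clients only need Read.

```powershell
# Added example: poll a server-based file and show new messages locally via msg.exe.
# Runs as SYSTEM from a scheduled task; nobody needs local admin rights anywhere.
# Share path, file format, install folder and task name are placeholders.
param([switch]$Register)

$Share  = '\\FILESERVER\UrgentMsg'                      # placeholder: clients Read, help desk Modify
$Inbox  = Join-Path $Share 'messages.txt'               # one message per line: <id>|<text>
$AppDir = Join-Path $env:ProgramFiles 'UrgentMsg'       # admin-writable only, so users cannot swap the script
$State  = Join-Path $AppDir 'lastseen.txt'              # highest message id already shown on this client

function Show-NewMessages {
    if (-not (Test-Path $Inbox)) { return }
    $lastSeen = 0L
    if (Test-Path $State) { $lastSeen = [int64]((Get-Content $State -Raw).Trim()) }
    $newest = $lastSeen
    foreach ($line in Get-Content $Inbox) {
        $id, $text = $line -split '\|', 2
        if (($id -as [int64]) -and ([int64]$id -gt $lastSeen) -and $text) {
            # msg.exe is run locally by SYSTEM: '*' is every interactive session on this
            # machine, so no remote-session rights are involved. The text is handed over
            # as a single argument and is never evaluated or executed.
            & "$env:SystemRoot\System32\msg.exe" * /TIME:600 $text
            if ([int64]$id -gt $newest) { $newest = [int64]$id }
        }
    }
    if ($newest -ne $lastSeen) { Set-Content -Path $State -Value $newest }
}

function Register-UrgentMsgTask {
    # Run once, elevated, on each client (or through your deployment tool).
    New-Item -ItemType Directory -Path $AppDir -Force | Out-Null
    Copy-Item -Path $PSCommandPath -Destination (Join-Path $AppDir 'Poll-UrgentMsg.ps1') -Force
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
                 "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy AllSigned " +
                 "-File `"$AppDir\Poll-UrgentMsg.ps1`"")
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'UrgentMsg Poll' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
}

if ($Register) { Register-UrgentMsgTask } else { Show-NewMessages }
```

Install with `.\Poll-UrgentMsg.ps1 -Register` from an elevated prompt; the help desk sends a message by appending a line such as `"$([DateTimeOffset]::Now.ToUnixTimeSeconds())|Server room evacuation"` to the file with Add-Content. The ExecutionPolicy of AllSigned assumes you sign the script with your internal code-signing certificate before deployment; keeping the script under Program Files and the share read-only for clients means that the worst a tampered file can do is display a nuisance message, not run code as SYSTEM. msg.exe ships with Pro and Enterprise editions of Windows, not Home.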