Since: Jul 16, 2007 Posts: 9
(Msg. 1) Posted: Tue Sep 25, 2007 4:54 am
Post subject: Adding a group to local admin group
Archived from groups: microsoft>public>windowsxp>security_admin

Hello all, I need to add a security domain security group to all the PCs'
local Administrators group within our network of just under 100 PCs.
Is there a way I can do this via some kind of script or even group policy?
I'm planning to do it individually using the computer management console but
as you, it will take quite a bit of time.
The aim is to make support issues with PCs much easier by being able to
log in with a certain user account that will have local rights to all PCs
within our domain. At the moment, we log in with the domain admin account
which is obviously bad practice.
Thanks

Lanwench [MVP - Exchange]
Since: Jun 15, 2007 Posts: 32
(Msg. 2) Posted: Tue Sep 25, 2007 9:14 am
Post subject: Re: Adding a group to local admin group
Archived from groups: per prev. post

Ally <Ally.DeleteThis@discussions.microsoft.com> wrote:
> Hello all, I need to add a security domain security group to all the
> PCs' local Administrators group within our network of just under 100
> PCs.

Note that you'd probably be better off posting questions like this in
m.p.windows.server.active_directory or m.p.windows.group_policy.

> Is there a way I can do this via some kind of script

Yes, a simple batch file startup script applied via GPO to all workstations
(linked at the appropriate OU)...see below.

> or even group
> policy?

Yes - restricted groups are one way (but I personally don't use that)

> I'm planning to do it individually using the computer
> management console but as you, it will take quite a bit of time.
>
> The aim is to make support issues with PCs much easier by being able
> to log in with a certain user account that will have local rights to
> all PCs within our domain. At the moment, we log in with the domain
> admin account which is obviously bad practice.
>
> Thanks

Here's what I do -
* Create a domain user called something logical (I use "demigod" but you
could use whatever you like)
* Create an AD universal security group called LocalAdmin and make demigod a
member
* Create an AD universal security group called LocalPowerUser (don't need
any members right now but this can be handy too).
* Create an AD universal security group called RDUsers (for remote desktop
users)
The batch file would have this:
.........
rem Local group names that contain spaces must be quoted
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" DOMAIN\RDusers /add
.........
You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).
Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever
All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server.
When I set up a new user, I often find I need to add their domain account to
LocalAdmin before I log in as them the first time to customize their
profile/install any sw that must be installed by the user him/herself (such
as PDA stuff) ...then I remove them from the domain LocalAdmin group when
done.
I use Demigod for software installs/etc.
NOTE: Restricted groups are often a better idea - but the reason I don't
like them is that they always override any locally-set group membership,
which is not always what I want.

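An added example, not part of the original post: the startup script described above runs on every boot, so this variant treats "already a member" as success, logs real failures, and records the resulting Administrators membership for review. DOMAIN and the three group names are the placeholders from the post; the log and temp file locations are assumptions.

```batch
@echo off
rem Added example, not the poster's script. DOMAIN and the group names are the
rem placeholders used in the post; the log location is an assumption.
setlocal
set "LOG=%SystemRoot%\Temp\localgroup-startup.log"
set "OUT=%SystemRoot%\Temp\localgroup-startup.tmp"

call :ensure "Administrators" "DOMAIN\LocalAdmin"
call :ensure "Power Users" "DOMAIN\LocalPowerUser"
call :ensure "Remote Desktop Users" "DOMAIN\RDUsers"

rem Snapshot the resulting Administrators membership so drift can be reviewed.
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% Administrators membership:
net localgroup "Administrators" >>"%LOG%" 2>&1
del "%OUT%" >nul 2>&1
endlocal
exit /b 0

:ensure
rem %~1 = local group name, %~2 = domain group to add to it
net localgroup "%~1" "%~2" /add >"%OUT%" 2>&1
if not errorlevel 1 goto :added
rem System error 1378 = account is already a member of the group;
rem this is the expected result on every boot after the first one.
findstr /c:"1378" "%OUT%" >nul
if not errorlevel 1 exit /b 0
rem Anything else (group not found, domain unreachable) is a real failure.
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% FAILED: %~2 to %~1
type "%OUT%" >>"%LOG%"
exit /b 1

:added
>>"%LOG%" echo %DATE% %TIME% %COMPUTERNAME% added %~2 to %~1
exit /b 0
```

Because the script only ever adds members, accounts placed in the local Administrators group by other means stay there; the logged membership snapshot is what lets you spot them.
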
Since: Jul 16, 2007 Posts: 9
(Msg. 3) Posted: Wed Sep 26, 2007 9:12 am
Post subject: Re: Adding a group to local admin group
Archived from groups: per prev. post

That works a treat Lanwench, thanks.
Just a side question though, what does demigod mean/stand for?

Since: Nov 11, 2005 Posts: 280
(Msg. 4) Posted: Wed Sep 26, 2007 9:49 am
Post subject: Re: Adding a group to local admin group
Archived from groups: per prev. post

Ally wrote:
> That works a treat Lanwench, thanks.
>
> Just a side question though, what does demigod mean/stand for?

From Dictionary.com (but a quick "define demigod" on Google would have
worked for you, too):

dem·i·god - noun
1. a mythological being who is partly divine and partly human; an
inferior deity.
2. deified mortal.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Since: Sep 27, 2007 Posts: 1
(Msg. 5) Posted: Thu Sep 27, 2007 5:18 am
Post subject: Re: Adding a group to local admin group
Archived from groups: per prev. post