adding a global group to the local administrators through a group policy

Xavier

Feb 3, 2004, 3:41:25 AM
Situation:

Our PCs all have a local Administrators group which contains different
specified users (depending on the users who will use the PC).

Now we want to add one global group to the local Administrators group
through a group policy *without* overwriting the current content of the
local Administrators group (just add the group to the existing content). I
haven't succeeded, so could someone help me out?

TIA,

Xavier


Chriss3

Feb 3, 2004, 4:21:08 AM
Assign the following script as a logon script within a Group Policy; I hope
that helps. Members in your Global Group "Your Global Group" will be added
to the local administrators group during logon.

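' Logon script: if the logged-on user belongs to the named global group,
' add that user's account to the local Administrators group.
Dim net, DomainString, UserString, strComputer
Dim objDomainUser, objGroup, objLocalGroup

Set net = WScript.CreateObject("WScript.Network")

strComputer = "."
DomainString = net.UserDomain
UserString = net.UserName

' Bind to the logged-on user's domain account
Set objDomainUser = GetObject("WinNT://" & DomainString & "/" & UserString)

' Walk the user's group memberships looking for the global group
For Each objGroup In objDomainUser.Groups
    Select Case objGroup.Name

        Case "Your Global Group"

            Set objLocalGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
            ' Add raises an error if the account is already a member, so check first
            If Not objLocalGroup.IsMember(objDomainUser.ADsPath) Then
                objLocalGroup.Add(objDomainUser.ADsPath)
            End If

    End Select
Next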

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was helpful, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

"Xavier" <xdepoorter...@hotmail.com> wrote in message
news:%23MaAGGj...@TK2MSFTNGP11.phx.gbl...

Marcus

Feb 3, 2004, 5:06:06 AM
Try the following:

Create a batch file which you include in a startup script
of the machine part of your policy.

The batch file should include the following command:

net localgroup "Administrators" "x\y" /add

where x is the Pre-W2K Domain Name of your domain and "y"
is the global group name.
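
The startup-script approach from the reply above, written as an added example that is not part of the original thread: it adds the group only when it is missing and then checks that no existing member was removed. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets), execution as a computer startup script, and a placeholder group name `CONTOSO\Workstation-Admins` standing in for "x\y".

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+
# (Microsoft.PowerShell.LocalAccounts) and a computer startup script context.
param(
    # Hypothetical placeholder for the "x\y" global group in the post above
    [string]$GroupToAdd = 'CONTOSO\Workstation-Admins'
)
$ErrorActionPreference = 'Stop'

# Bind to the built-in Administrators group by its well-known SID (S-1-5-32-544)
# so the script also works where the group has been renamed or localized.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'

# Resolve the domain group to a SID; fail loudly if the name is wrong or the
# domain is unreachable, rather than silently doing nothing.
try {
    $account   = New-Object System.Security.Principal.NTAccount($GroupToAdd)
    $targetSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
} catch {
    throw "Cannot resolve '$GroupToAdd': $($_.Exception.Message)"
}

# Snapshot current members so the result can be compared afterwards.
$before = @(Get-LocalGroupMember -Group $adminGroup | ForEach-Object { $_.SID.Value })

if ($before -contains $targetSid) {
    Write-Output "$GroupToAdd is already a member of $($adminGroup.Name); no change."
} else {
    # Adds one member; the existing membership is left untouched.
    Add-LocalGroupMember -Group $adminGroup -Member $GroupToAdd
    Write-Output "Added $GroupToAdd to $($adminGroup.Name)."
}

# Verify: every pre-existing member must still be present afterwards.
$after   = @(Get-LocalGroupMember -Group $adminGroup | ForEach-Object { $_.SID.Value })
$missing = @($before | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "Members missing after update: $($missing -join ', ')"
}
Write-Output "$($adminGroup.Name) has $($after.Count) member(s); had $($before.Count) before."
```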

Charlie

Feb 8, 2004, 2:08:41 PM
There is an easy way to do this IF -
1. The computers that apply are Windows 2000 with service
pack 4.
2. The computers that apply are Windows XP with a fix
(810076). The fix will be part of XP SP2 but that won't
be out for a while. Unfortunately you have to contact MS
to get that fix.
Anyway, once that part is taken care of, you can
use "Reverse" Restricted Groups to get it done.
On any machine (besides a domain controller) that meets
the above standards and is in the container that the GPO
applies to, go to Restricted Groups under Computer
Policy. Right click on the node and choose "Add Group".
Browse to the Global Group in the domain that you want to
be in the local Admins group. In the top section you will
need to add the members that you want to belong to the
Global Group. You need to do this or you will remove all
existing members from the group. In the bottom section,
click the Add button but DO NOT click the browse button,
just type "Administrators" in the Group field. This will
affect every computer in the container that the local
machine belongs to AS LONG AS EACH MACHINE MEETS THE
CRITERIA MENTIONED AT THE TOP. The designated global
group will be in the Administrators group on each 2K, XP,
2K3 machine (workstation or member server) but no existing
members will be removed from the Administrators group.
Keep in mind that after you make your Global Group
restricted, you won't be able to use AD Users and
Computers to add members to it. You'll need to use
Restricted Groups in the GP Editor.
Good luck.