
Adding User ID in Local Admin Group using Group Policy


Ahmad M. Zahoory

Oct 2, 2006, 10:33:02 AM
Hi,

We have Active Directory 2003 and have also implemented Group Policy.
We want to add one specific User ID to all the workstations' Local Admin
(but not using the domain admin).
Please help us with how we can implement this.

--
Regards,
Ahmad M. Zahoory

E-mail: ahmad....@gmail.com

Roger Abell [MVP]

Oct 2, 2006, 11:02:25 AM
http://support.microsoft.com/kb/810076

"Ahmad M. Zahoory" <Ah...@community.nospam> wrote in message
news:FD2977EB-718D-454A...@microsoft.com...

PC

Oct 3, 2006, 3:21:02 PM
This has been asked a million times and there is no clean solution, but this
does work.

If you want to add to and RESTRICT the administrators group (so that the
membership cannot be modified locally), use restricted groups. However, most
people don't want this behavior because it removes everyone else from the local
administrators group.

If you just want to add to the local administrators group and leave existing
membership alone, use GP to run a computer startup script (NOT USER), and
only give domain computers access to the startup script file.

In computerstartupscript.cmd place:

net localgroup Administrators /add "domain\WKST Admin (SEC)". Please note
the limitation (undocumented bug) of 13-15 characters or so in group name
length for groups manipulated using the net localgroup tool. Otherwise it
will silently fail if the group name is too long even though it is valid in
Windows. Use a short group name.

This global group will now be a local admin on all your machines on reboot.
You can simply add desired users to the global group in Active Directory.

Another useful one -- reset the local admin password while you're at it, but
be sure to restrict access to the login script to domain computers if you do
this, otherwise it's not of much use!

net user administrator newlocaladminpasswordhere
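
The startup-script approach above, as an added example that is not part of the thread (PC's post uses a one-line .cmd with net localgroup): a PowerShell computer-startup script that adds one domain group to the local Administrators group and leaves the existing membership alone. It is idempotent, so repeated reboots do not produce repeated "already a member" errors, and it logs what it did. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later); "CONTOSO\ClientAdm" and the log path are placeholders.

```powershell
# Added example (not from the thread): idempotent GPO computer-startup script.
# Adds one domain group to the local Administrators group, leaving existing
# members untouched. Runs as SYSTEM when assigned under
# Computer Configuration > Windows Settings > Scripts (Startup).
# Requires the LocalAccounts module (Windows 10 / Server 2016 and later).

$GroupToAdd = 'CONTOSO\ClientAdm'                          # placeholder: short domain group name
$LogFile    = "$env:SystemRoot\Temp\localadmin-startup.log" # placeholder log location

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line
}

try {
    # Resolve the local Administrators group by its well-known SID, not by name,
    # so the script also works where the group is renamed or the OS language differs.
    $admins = Get-LocalGroup -SID 'S-1-5-32-544'

    # Compare by SID: membership already carries SIDs, and name comparison
    # breaks when the domain shows as NetBIOS name on one machine and FQDN on another.
    $target    = New-Object System.Security.Principal.NTAccount($GroupToAdd)
    $targetSid = $target.Translate([System.Security.Principal.SecurityIdentifier])

    $current = @(Get-LocalGroupMember -Group $admins)
    if ($current.SID -contains $targetSid) {
        Write-Log "OK: $GroupToAdd is already a member of $($admins.Name); no change."
    } else {
        Add-LocalGroupMember -Group $admins -Member $GroupToAdd
        Write-Log "ADDED: $GroupToAdd to $($admins.Name)."
    }
} catch {
    # Typical causes: no domain controller reachable at boot (the name lookup
    # fails) or a mistyped group name. The error is logged rather than swallowed.
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

The script deliberately does not include the `net user administrator ...` password reset from the post: a startup script lives on a share readable by every domain computer account, so a password placed in it is readable from any domain-joined machine. Group membership, by contrast, carries no secret, which is what makes this pattern acceptable for a shared script.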

Roger Abell [MVP]

Oct 3, 2006, 9:05:23 PM

"PC" <P...@discussions.microsoft.com> wrote in message
news:D7101673-E4D9-4B30...@microsoft.com...

> This has been asked a million times and there is no clean solution, but
> this
> does work.
>
> If you want to add and RESTRICT (unable to modify the membership locally)
> of
> the administrators group, use restricted groups. However, most people
> don't
> desire this behavior because it removes everyone else from the local
> administrator's group.
>

Ummm - perhaps you should read the KB to which I provided a link
http://support.microsoft.com/kb/810076

Notice that, applied to the case of this poster, one would define a
domain group, such as "ClientAdm", and then in a GPO with
the impacted client machines in its scope define a restricted
group definition for ClientAdm. In this restricted group definition
one would not (need to) use the Members list, but would add
Administrators to the Member-Of list.
The effect is that ClientAdm is added to the Administrators group
on machines in scope of the GPO, and no members already in
the Administrators group see any change (they remain members).

This solution became available with W2k Sp4 and Xp Sp2.

Roger
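
Roger's Member-Of form of Restricted Groups is meant to add ClientAdm to Administrators while leaving the existing members alone. The audit below, added here and not part of the thread, is one way to confirm that on a client after the GPO has applied, and at the same time to report any member of the local Administrators group that the expected baseline does not list (local accounts or groups added outside the policy). It assumes the LocalAccounts cmdlets (Windows 10 / Server 2016 and later); the group and baseline names are placeholders for your own.

```powershell
# Added example (not from the thread): read-only audit of the local
# Administrators group after a Restricted Groups "Member Of" policy applies.
# Reports which expected members are missing and which members are unexpected.
# Changes nothing. Requires the LocalAccounts module (Windows 10 / Server 2016+).

$ExpectedGroup   = 'CONTOSO\ClientAdm'                  # the group named in the GPO (placeholder)
$ExpectedMembers = @(                                   # the baseline you expect to remain (placeholders)
    'CONTOSO\Domain Admins',
    "$env:COMPUTERNAME\Administrator"
)

function Resolve-Sid {
    # Translate "DOMAIN\name" to a SID string; returns $null when it cannot be resolved.
    param([string]$Account)
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve '$Account' (domain unreachable or typo)"
        $null
    }
}

function Get-LocalAdminAudit {
    param([string[]]$Expected)

    # Well-known SID of the local Administrators group, independent of its display name.
    $admins     = Get-LocalGroup -SID 'S-1-5-32-544'
    $members    = @(Get-LocalGroupMember -Group $admins)
    $memberSids = @($members | ForEach-Object { $_.SID.Value })

    # Map expected SIDs back to the names the caller gave, for readable output.
    $expectedSids = @{}
    foreach ($name in $Expected) {
        $sid = Resolve-Sid $name
        if ($sid) { $expectedSids[$sid] = $name }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        # Expected accounts that are not (or no longer) in Administrators.
        Missing    = @($expectedSids.Keys | Where-Object { $memberSids -notcontains $_ } |
                       ForEach-Object { $expectedSids[$_] })
        # Members present that the baseline does not list: drift worth investigating.
        Unexpected = @($members | Where-Object { -not $expectedSids.ContainsKey($_.SID.Value) } |
                       ForEach-Object { "$($_.Name) ($($_.ObjectClass))" })
    }
}

$audit = Get-LocalAdminAudit -Expected (@($ExpectedGroup) + $ExpectedMembers)
$audit | Format-List

# Non-zero exit so a scheduled run or management agent can alert on drift.
if ($audit.Missing.Count -gt 0 -or $audit.Unexpected.Count -gt 0) { exit 1 }
```

Run it on a client after a reboot (or `gpupdate /force` plus a reboot): with the Member-Of policy in place, `Missing` should be empty and `Unexpected` should list only members you recognise. If ClientAdm appears under `Missing`, the GPO has not applied to that machine yet or the group name in the policy does not resolve; if previously legitimate members appear under `Missing`, the policy was most likely built with the Members list rather than the Member-Of list, which is exactly the replace-everything behaviour the earlier post warned about.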

PC

Oct 4, 2006, 3:26:02 AM
Sorry, I did not know this. I did lots of painful research about this and
finally performed the workaround I posted in this article for our
organization. Of course, this was prior to SP2 when this could only be
accomplished with the undesirable restricted groups/members and I never went
back and relooked at it.

Thanks!
