Search

Security

Question

Gravatar
Locked

how do I add a global security group to the local administrators group?

By dana ·
I need to add a global security group to the local administrators group on all my PCs (about 80) and am not sure how to do that.
I know about the "net localgroup administrators <domain>\<group name> /add" but that only works for the PC i'm on. I tried adding this to my script, but it doesn't work because the users don't have admin rights.
Is there a GUI program that will do this?
dana@amazingfacts.org
Thanks,
Dan

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
+ Follow this Discussion ·
| Thread display: Collapse - | Expand +

All Answers

gravatar
Collapse -

Use GPO

by A_L_E_X30 In reply to how do I add a global sec ...

Tye to run this script within GPO and run it under computer start up script
This scripts are running under the system account and not under user rights
You are wellcome
Alex

gravatar
Collapse -

Run the script as a startup, not login, script.

by Team503 In reply to how do I add a global sec ...

When you run a script as a login script, it executes with the user's permissions set. IE, if the user is not a local or domain admin, this command will fail. However, if you run the script as a startup script, it will run within the context of the SYSTEM account (which has administrative access) and execute successfully.

You should create a new Group Policy Object, add the script to the Computer Settings section of the GPO, then apply the GPO to the OU(s) containing your computer accounts. The script will take effect at reboot.

That should resolve your issue.

gravatar
Collapse -

PSTools

by rpugh6 In reply to Run the script as a start ...

You can also download PSTools. You can run psexec with the "net -----" command line. This will let you push this to a list of machines, domain machines or an individual machine.

gravatar
Collapse -

Reply on PSTools

by Grego1 In reply to PSTools

Can PSTools also push a user to an individual machine? In the local admin group? or is there another way to do this.

gravatar
Collapse -

Here is a simple vbs script

by john_e_wagner In reply to Reply on PSTools

Add this as a startup group policy script.

'Script to add Admin Group to Local Admin Group
'John Wagner
'20061120
'
'Beginning Of the Script

On Error Resume Next

'get main objects/variables

Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set AdminGroup = GetObject ( "WinNT://" & compname & "/Administrators,group" )

'add domain groups to local admin group
AdminGroup.Add ( "WinNT://domain/Desktop_Admin,group" )
'End of the Script

gravatar
Collapse -

well this seems to be nothing more than

by CG IT In reply to Here is a simple vbs scri ...

allowing local machine admin rights for domain users. Using a Global Security group to set permissions for users to gain administrative access to the local machine doesn't seem such a good idea. That means that anyone that is a member of the global security group has admin access locally provided that other permissions do not conflict. If they do, the most restrictive apply.

Back to Security Forum
7 total posts (Page 1 of 1)  

Start or search

Related Discussions

Related Forums