Join or sign in Register for your free TechRepublic membership or if you are already a member, sign in using your preferred method below. Use Your Email Use FacebookUse Linkedin

how do I add a global security group to the local administrators group?

Locked

I need to add a global security group to the local administrators group on all my PCs (about 80) and am not sure how to do that.
I know about the “net localgroup administrators \ /add” but that only works for the PC i’m on. I tried adding this to my script, but it doesn’t work because the users don’t have admin rights.
Is there a GUI program that will do this?
dana@amazingfacts.org
Thanks,
Dan

Topic

Clarifications

In reply to how do I add a global security group to the local administrators group?

Clarifications

Use GPO

In reply to how do I add a global security group to the local administrators group?

Tye to run this script within GPO and run it under computer start up script
This scripts are running under the system account and not under user rights
You are wellcome
Alex

Run the script as a startup, not login, script.

In reply to how do I add a global security group to the local administrators group?

When you run a script as a login script, it executes with the user’s permissions set. IE, if the user is not a local or domain admin, this command will fail. However, if you run the script as a startup script, it will run within the context of the SYSTEM account (which has administrative access) and execute successfully.

You should create a new Group Policy Object, add the script to the Computer Settings section of the GPO, then apply the GPO to the OU(s) containing your computer accounts. The script will take effect at reboot.

That should resolve your issue.

PSTools

In reply to Run the script as a startup, not login, script.

You can also download PSTools. You can run psexec with the “net —–” command line. This will let you push this to a list of machines, domain machines or an individual machine.

Reply on PSTools

In reply to PSTools

Can PSTools also push a user to an individual machine? In the local admin group? or is there another way to do this.

Here is a simple vbs script

In reply to Reply on PSTools

Add this as a startup group policy script.

‘Script to add Admin Group to Local Admin Group
‘John Wagner
‘20061120
‘
‘Beginning Of the Script

On Error Resume Next

‘get main objects/variables

Set ws = WScript.CreateObject ( “WScript.Shell” )
compname = ws.ExpandEnvironmentStrings ( “%COMPUTERNAME%” )
Set AdminGroup = GetObject ( “WinNT://” & compname & “/Administrators,group” )

‘add domain groups to local admin group
AdminGroup.Add ( “WinNT://domain/Desktop_Admin,group” )
‘End of the Script

well this seems to be nothing more than

In reply to Here is a simple vbs script

allowing local machine admin rights for domain users. Using a Global Security group to set permissions for users to gain administrative access to the local machine doesn’t seem such a good idea. That means that anyone that is a member of the global security group has admin access locally provided that other permissions do not conflict. If they do, the most restrictive apply.

[Author]

Replies