
Push domain account into Local computer user group?

Author
8 Feb 2006 9:43 PM
Transam388
Not sure if this is an AD or Group policy but thought it may have to do with
AD.  Here is the question.  We have an instance where A person needs to have
their domain account added to many computers within the domain as a local
admin.  Is there a way to push to a group of computers that meet a certain
name criteria and say add a specific domain account and or accounts into
certain local groups on those computers?  Thanks!

Author
9 Feb 2006 4:22 AM
Lanwench [MVP - Exchange]
In news:E0B98290-FBBB-4499-B924-7AB9DBFE205F@microsoft.com,
Transam388 <Transam***@discussions.microsoft.com> typed:
> Not sure if this is an AD or Group policy but thought it may have to
> do with AD.  Here is the question.  We have an instance where A
> person needs to have their domain account added to many computers
> within the domain as a local admin.  Is there a way to push to a
> group of computers that meet a certain name criteria and say add a
> specific domain account and or accounts into certain local groups on
> those computers?  Thanks!

I like to create an AD group called "Local Admins" and add it to the local
administrators group....that way, all you have to do is add the domain user
to that group, in one place.

W/r/t how to add that AD group to the local admins group? Could use a
startup script - and the 'net localgroup administrators DOMAINNAME\group /add'
command.
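
An added example (not from Lanwench's post) of what that startup script could look like in PowerShell, run as SYSTEM at boot, with the name condition from the follow-up question built in. 'DOMAINNAME', 'Local Admins' and the 'XYZ' prefix are placeholders; the script assumes the WinNT ADSI provider is available.

```powershell
# Added example, not from the thread: a computer startup script (run as SYSTEM)
# that applies Lanwench's approach only on computers whose name starts with a
# prefix. 'DOMAINNAME', 'Local Admins' and 'XYZ' are placeholders.
$Domain    = 'DOMAINNAME'
$GroupName = 'Local Admins'
$Prefix    = 'XYZ'
$Log       = "$env:SystemRoot\Temp\localadmin-startup.log"

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Out-File $Log -Append
}

# Return the ADsPaths of the current local Administrators members, e.g.
# WinNT://DOMAINNAME/Domain Admins, via the WinNT ADSI provider (unlike
# parsing 'net localgroup' output, this copes with many members).
function Get-LocalAdminPaths {
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
}

# Condition from the follow-up question: only act on computers named XYZ*
if (-not $env:COMPUTERNAME.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)) {
    Write-Log "name does not start with '$Prefix'; no change made"
    exit 0
}

$wanted = "WinNT://$Domain/$GroupName"
if (Get-LocalAdminPaths | Where-Object { $_ -eq $wanted }) {
    Write-Log "$Domain\$GroupName already in Administrators; nothing to do"
    exit 0
}

# Same command Lanwench gives, made idempotent by the check above so the
# script can run at every boot without logging spurious errors.
net localgroup Administrators "$Domain\$GroupName" /add | Out-Null
if ($LASTEXITCODE -eq 0) {
    Write-Log "added $Domain\$GroupName to Administrators"
} else {
    Write-Log "net localgroup failed with exit code $LASTEXITCODE"
}
exit $LASTEXITCODE
```

Assign it as a Computer Configuration startup script in a GPO linked to the OU holding the workstations; the log file gives a per-machine record of what was changed and when.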

Author
9 Feb 2006 12:49 PM
Transam388
Thanks for the insight!  Is it possible though to set a condition on this?
Like if the computer name starts with XYZ then add this user to local admins
but not to any other computers?  Thanks!

"Lanwench [MVP - Exchange]" wrote:

> In news:E0B98290-FBBB-4499-B924-7AB9DBFE205F@microsoft.com,
> Transam388 <Transam***@discussions.microsoft.com> typed:
> > Not sure if this is an AD or Group policy but thought it may have to
> > do with AD.  Here is the question.  We have an instance where A
> > person needs to have their domain account added to many computers
> > within the domain as a local admin.  Is there a way to push to a
> > group of computers that meet a certain name criteria and say add a
> > specific domain account and or accounts into certain local groups on
> > those computers?  Thanks!
>
> I like to create an AD group called "Local Admins" and add it to the local
> administrators group....that way, all you have to do is add the domain user
> to that group, in one place.
>
> W/r/t how to add that AD group to the local admins group? Could use a
> startup script  -  and the 'net localgroup administrators DOMAINNAME\group
> /add '
> command.
Author
11 Feb 2006 3:13 AM
Cary Shultz
In addition to what Lanwench suggested, I might suggest that you look into
something known as Restrictive Groups.  This is something that you set up
via Group Policy.  The advantage that you have using this group over other
methods is that once this GPO is set no other objects (be it user account
objects or group objects) can be added to the 'focus local group' - in your
case, the local Administrators group.  This can be a good thing or it can be
a deal breaker.

Now, one of the key tactics to take in doing this is to do it from an Admin
workstation and not directly on a Domain Controller.  If you do this on a
Domain Controller you might have a bit of a problem.  It is not so
'Admin-friendly'.

Be aware that the default behavior of the Restrictive Group GPO is to remove
all the current members of the 'focus local group' and to replace it with
the group that you specify in the GPO.  Make sure that you include the
Domain Admins security group in addition to whatever 'home-brewed' group
that you might create for this GPO.

Here are a couple of MSKB Links for you:

http://support.microsoft.com/?id=320065
http://support.microsoft.com/?id=810076

The second link will take you to the page that will show you how to change
the default behavior.  It includes a phone call to MS-PSS.  No worries, you
will not need to pay.  Just make sure that you get the right patch....there
is one for WIN2000 and there is one for WINXP.

If you want it to apply to specific computers but not to others then you
might want to look into WMI Filtering.  You would need to use the GPMC to do
this and your WIN2003 Domain and Forest Functional Levels need to be
appropriate.

Here are a couple of links:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/gpmcinad.mspx
http://technet2.microsoft.com/WindowsServer/en/Library/b44ba1b5-9f85-4bee-84c9-1994921658cd1033.mspx


The second link will give you a start on how you would create the WMI
Filter.

As a heads up, the WMI Filter could look something like this:

Select * FROM Win32_ComputerSystem WHERE Name != "WS001" AND Name != "WS002"
AND Name != "WS003"

This way, even though there might be 500 computer account objects in the OU
to which you link this GPO (it is configured on the computer configuration
side of things) it will only be processed by the three computers that you
specifically mentioned in the WMI Filter.  Obviously, this could get a
little hairy if you have a lot of computer account objects.  Not sure what
the physical limit is.  I would not want to have to manage this filter if
there were more than, say, 40 or 50.

Does this help?


And to give credit where credit is due the WMI Filter that I included is
from Matt Clark.
--
Cary W. Shultz
Roanoke, VA  24012

"Transam388" <Transam***@discussions.microsoft.com> wrote in message
news:E0B98290-FBBB-4499-B924-7AB9DBFE205F@microsoft.com...
> Not sure if this is an AD or Group policy but thought it may have to do
> with
> AD.  Here is the question.  We have an instance where A person needs to
> have
> their domain account added to many computers within the domain as a local
> admin.  Is there a way to push to a group of computers that meet a certain
> name criteria and say add a specific domain account and or accounts into
> certain local groups on those computers?  Thanks!
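
An added example (not from Cary's post) for trying candidate WMI filters on a workstation before attaching them to the GPO. It runs Cary's exclusion-list query alongside a prefix query that answers the "starts with XYZ" question; the computer names WS001-WS003 and the prefix 'XYZ' are placeholders.

```powershell
# Added example, not from the thread: evaluate WMI filter queries locally.
# A WMI filter lets the linked GPO apply only when the query returns at least
# one instance on that computer, so this reproduces the filter decision.
function Test-WmiFilter {
    param([Parameter(Mandatory = $true)][string]$Query)
    $instances = @(Get-WmiObject -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

# Cary's query: every computer except the ones listed (one clause per name,
# which is why it becomes hard to manage past a few dozen machines).
$ExcludeList = 'SELECT * FROM Win32_ComputerSystem ' +
               'WHERE Name != "WS001" AND Name != "WS002" AND Name != "WS003"'

# Prefix query for the "only computers named XYZ*" case; % is the WQL
# wildcard, so this scales without listing individual names.
$PrefixMatch = 'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "XYZ%"'

foreach ($q in @($ExcludeList, $PrefixMatch)) {
    $inScope = Test-WmiFilter -Query $q
    '{0,-6} {1}' -f $inScope, $q
}
```

Run it on a few machines inside and outside the intended set; a `True` line means that computer would process the GPO (and, with Restricted Groups, have its local Administrators membership replaced), so confirm the Domain Admins group is in the GPO's member list before linking.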