Domain restructuring on TOP of organizational restructuring...ARGH.
December 8, 2006 6:22 AM Subscribe
Windows SysAdmin question: I need to add a global security group to the local admin group on machines in multiple OUs. Any ideas?
Due to some restructuring, the current OU Admin group will be abandoned, and a new OU admin group will be implemented. I can't seem to sort out a decent solution to add the new group. Ideally, I would love to be able to turf the old group too, once the transition is complete.
I have some experience with both batch files, and some vbscripting, but most scripts seem to only deal with adding LOCAL users to LOCAL groups, or DOMAIN users to DOMAIN groups. I need to mix the two.
A small follow up might be...can you recommend any good web resources for this sort of thing?
Due to some restructuring, the current OU Admin group will be abandoned, and a new OU admin group will be implemented. I can't seem to sort out a decent solution to add the new group. Ideally, I would love to be able to turf the old group too, once the transition is complete.
I have some experience with both batch files, and some vbscripting, but most scripts seem to only deal with adding LOCAL users to LOCAL groups, or DOMAIN users to DOMAIN groups. I need to mix the two.
A small follow up might be...can you recommend any good web resources for this sort of thing?
Oh, and the best research source I've ever found for this sort of thing is Google Groups.
Good luck.
posted by rachelpapers at 7:45 AM on December 8, 2006
Good luck.
posted by rachelpapers at 7:45 AM on December 8, 2006
Best answer: Assuming all workstations are domain members, this can be done pretty easily using group policies. You can assign these changes to occur at logon or logoff and it should be completely transparent to the user. Basically, all you need to do is create a group policy object and instruct it to run the script on this page: http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb07.mspx
Also, this page has all sorts of scripts created to be used with active directory so if the link I posted above doesn't fit your exact scenario you might be able to find one here. It is the first place I go when I need to do anything like this: http://www.microsoft.com/technet/scriptcenter/scripts/policy/default.mspx?mfr=true
posted by ro50 at 7:51 AM on December 8, 2006
Also, this page has all sorts of scripts created to be used with active directory so if the link I posted above doesn't fit your exact scenario you might be able to find one here. It is the first place I go when I need to do anything like this: http://www.microsoft.com/technet/scriptcenter/scripts/policy/default.mspx?mfr=true
posted by ro50 at 7:51 AM on December 8, 2006
I answered a similar question about this here. Just change the net localgroup command in the script to /add instead of /remove.
posted by purephase at 10:21 AM on December 8, 2006
posted by purephase at 10:21 AM on December 8, 2006
Best answer: If these are all machines and should have the same administrator groups, there is a group policy setting to enforce what the local administrator group contains:
Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups
Just right-click to Add a Group ("Administrators"), then add the appropriate members in the box labeled "Members of this group" by pressing the big "Add" button.
Wait about 45 minutes (depending on your replication interval), and you're set.
posted by chota at 4:28 PM on December 8, 2006
Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups
Just right-click to Add a Group ("Administrators"), then add the appropriate members in the box labeled "Members of this group" by pressing the big "Add" button.
Wait about 45 minutes (depending on your replication interval), and you're set.
posted by chota at 4:28 PM on December 8, 2006
Response by poster: Thanks for the input folks! I was away from the office all day unexpectedly, and purephase, I could have sworn I tried your solution prior to posting, but perhaps I was too scared to try changing the remove to add!
Thanks again everyone, and I will mark some best answers once I have tried them out...looks like they are all good solutions too.
posted by Richat at 5:10 PM on December 8, 2006
Thanks again everyone, and I will mark some best answers once I have tried them out...looks like they are all good solutions too.
posted by Richat at 5:10 PM on December 8, 2006
This thread is closed to new comments.
Use the good ol' NET command.
Type NET LOCALGROUP /? to get you started.
posted by rachelpapers at 7:44 AM on December 8, 2006