Tags:








Domain restructuring on TOP of organizational restructuring...ARGH.
December 8, 2006 6:22 AM   RSS feed for this thread Subscribe

Windows SysAdmin question: I need to add a global security group to the local admin group on machines in multiple OUs. Any ideas?

Due to some restructuring, the current OU Admin group will be abandoned, and a new OU admin group will be implemented. I can't seem to sort out a decent solution to add the new group. Ideally, I would love to be able to turf the old group too, once the transition is complete.

I have some experience with both batch files, and some vbscripting, but most scripts seem to only deal with adding LOCAL users to LOCAL groups, or DOMAIN users to DOMAIN groups. I need to mix the two.

A small follow up might be...can you recommend any good web resources for this sort of thing?
posted by Richat to computers & internet (6 comments total) 3 users marked this as a favorite
Yeah, sure... I've done this before with a script.

Use the good ol' NET command.
Type NET LOCALGROUP /? to get you started.
posted by rachelpapers at 7:44 AM on December 8, 2006


Oh, and the best research source I've ever found for this sort of thing is Google Groups.

Good luck.
posted by rachelpapers at 7:45 AM on December 8, 2006


Assuming all workstations are domain members, this can be done pretty easily using group policies. You can assign these changes to occur at logon or logoff and it should be completely transparent to the user. Basically, all you need to do is create a group policy object and instruct it to run the script on this page: http://www.microsoft.com/technet/scriptcenter/scripts/ad/groups/adgpvb07.mspx

Also, this page has all sorts of scripts created to be used with active directory so if the link I posted above doesn't fit your exact scenario you might be able to find one here. It is the first place I go when I need to do anything like this: http://www.microsoft.com/technet/scriptcenter/scripts/policy/default.mspx?mfr=true
posted by ro50 at 7:51 AM on December 8, 2006


I answered a similar question about this here. Just change the net localgroup command in the script to /add instead of /remove.
posted by purephase at 10:21 AM on December 8, 2006


If these are all machines and should have the same administrator groups, there is a group policy setting to enforce what the local administrator group contains:

Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups

Just right-click to Add a Group ("Administrators"), then add the appropriate members in the box labeled "Members of this group" by pressing the big "Add" button.

Wait about 45 minutes (depending on your replication interval), and you're set.
posted by chota at 4:28 PM on December 8, 2006


Thanks for the input folks! I was away from the office all day unexpectedly, and purephase, I could have sworn I tried your solution prior to posting, but perhaps I was too scared to try changing the remove to add!

Thanks again everyone, and I will mark some best answers once I have tried them out...looks like they are all good solutions too.
posted by Richat at 5:10 PM on December 8, 2006


« Older How do I get laser printer ton...   |   I would like to build some igl... Newer »

You are not logged in, either login or create an account to post comments



Related Questions
how to create lots of users in Windows 2003 July 14, 2008
GPO help? November 7, 2006
Silent install of Japanese IME on XP SP2 October 11, 2006
Minimizing Downtime on a Linux Migration March 30, 2006
Active Directory 2003 book recommendations February 23, 2005