Monday, February 23, 2009

Add AD group to local administrator Group on every workstation




Task:

Your company has hired a couple of people to perform a hardware refresh on all the workstations, and you need to create a group called "Local_Admins" in your Active Directory domain and add this group to the local Administrators group on each workstation.

The task can be accomplished in different ways, and I am going to post two of them here on my blog.

Batch file

Place it in the same directory as the VBScript below. The simple batch file below adds the group called "Local_Admins" to the local Administrators group. The second command is shown for reference only: it removes the group again, so do not leave both lines in the same batch file or the net effect is a removal.

net localgroup administrators "smtp25\Local_Admins" /add

net localgroup administrators "smtp25\Local_Admins" /delete


VBScript

Copy and paste the script below into Notepad.

Please note that you only need to change two lines in the script below:

  • MyDomain = "smtp25.org" (change this to your own domain; my domain name is smtp25.org)
  • GlobalGroup = "Local_Admins" (change this to your desired group name)


'VBScript to Add an AD Group to a Local Administrators group
' This script will add an Active Directory desktop support group to the local
' Administrators group. It can be used to provide local administrator rights
' to any group.
' Script modified by oz ozugurlu, change anything you like, no copyrights

Option Explicit
' Keep going on errors, e.g. when the group is already a member of Administrators
On Error Resume Next

'Define Variables
Dim MyDomain
Dim GlobalGroup
Dim oDomainGroup
Dim oLocalAdmGroup
Dim oNet
Dim sComputer

Set oNet = WScript.CreateObject("WScript.Network")
sComputer = oNet.ComputerName

' Change below to your own domain, my domain name is smtp25.org
MyDomain = "smtp25.org"

' Change group name to your desired group
GlobalGroup = "Local_Admins"

' Bind to the domain group and to this computer's local Administrators group
' through the WinNT ADSI provider
Set oDomainGroup = GetObject("WinNT://" & MyDomain & "/" & GlobalGroup & ",group")
Set oLocalAdmGroup = GetObject("WinNT://" & sComputer & "/Administrators,group")

' Add the domain group as a member of the local Administrators group
oLocalAdmGroup.Add(oDomainGroup.AdsPath)

'Nullify Variables (the strings are plain values, so Set is not used for them)
MyDomain = Empty
GlobalGroup = Empty
sComputer = Empty
Set oDomainGroup = Nothing
Set oLocalAdmGroup = Nothing
Set oNet = Nothing

  • Save the script as "Add_Local_Admins.vbs"
  • Log onto your domain controller, click Start, Run, and type "gpmc.msc"
  • Locate the OU you wish to apply this script to
  • Right-click it, select "Create a GPO in this domain, and Link it here", and name the GPO "Add_Local_Admins"
  • Right-click the new GPO, select Edit, and expand Computer Configuration
  • Go to Policies, Windows Settings, Scripts, double-click Startup, click Add, then click Browse
  • Copy and paste the script into the folder that Browse opens (the GPO's own startup script folder)
  • Select the script, click OK twice, and exit
  • Now make sure the computers are located under this OU
  • The next time the computers start, the GPO will run the script and the specified group will be added to the local Administrators group on the workstations
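Since a startup script only runs at boot, you may also want a check that the group is still there and re-adds it if someone removed it, without touching any other member of the local Administrators group. The following PowerShell script is an added example, not code from the original post; the NetBIOS domain name SMTP25 and the group name Local_Admins are placeholders taken from the post, and it is assumed to run as a GPO startup script or scheduled task with local administrator rights.

```powershell
# Added example (not from the original post): make sure the domain group is a
# member of the local Administrators group, re-adding it if it is missing, and
# leave every other member of the local group untouched.
$DomainName = 'SMTP25'          # NetBIOS domain name (placeholder from the post)
$GroupName  = 'Local_Admins'    # AD group that should be a local administrator

$computer    = $env:COMPUTERNAME
$localAdmins = [ADSI]"WinNT://$computer/Administrators,group"

# Enumerate the current members through the WinNT provider. Each member is a
# raw COM object, so its properties are read with InvokeMember.
$members = @($localAdmins.psbase.Invoke('Members') | ForEach-Object {
    New-Object PSObject -Property @{
        Name  = $_.GetType().InvokeMember('Name',  'GetProperty', $null, $_, $null)
        Class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)
    }
})

# Local groups cannot be nested inside local groups, so any member of class
# 'Group' is a domain group; matching on class and name is enough here.
$present = @($members | Where-Object { $_.Class -eq 'Group' -and $_.Name -ieq $GroupName })

if ($present.Count -gt 0) {
    Write-Output "$GroupName is already a member of Administrators on $computer."
    exit 0
}

# Missing: bind to the domain group and add it back.
$domainGroup = [ADSI]"WinNT://$DomainName/$GroupName,group"
try {
    $localAdmins.Add($domainGroup.Path)
    Write-Output "Re-added $GroupName to Administrators on $computer."
    exit 0
} catch {
    # Non-zero exit so a scheduled task or monitoring job can flag the failure
    Write-Error "Could not add $GroupName to Administrators on $computer : $_"
    exit 1
}
```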

Oz Ozugurlu
MVP (Exchange)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
Blog: http://www.smtp25.blogspot.com



5 comments:

Justin@ms.com said...

Just to add to the post. You can also use a GPO and add an entry under "Restricted Groups". I just had to perform the same procedure.

Oz Ozugurlu said...

Thanks for the information. Yes, Restricted Groups are another way of accomplishing the same goal, although there is quite a bit of confusion on MS links in this regard, and on Restricted Groups in my opinion:
http://technet.microsoft.com/en-us/library/cc772826.aspx

--oz

Groupon Clone said...

Thanks for sharing this information and source..

Anonymous said...

Great and it works for me!
To Justin - Using Restricted Groups authoritatively overwrites the group content. In case you have different computers with different local admin users and want to preserve them, it is not the way to go. There is no option to preserve the existing members of a restricted group.

Rakesh Jha said...

Thanks for the information; however, I wish to prepare a script to check the availability of the added object in the local Administrators group and re-add it if the object is missing/removed. Can someone reach out to jharakesh@hotmail.com or post it?

Thank you