Group Policy - Adding groups to Local Admin


I have a question for those that might have done it.

I want to have a GP created on OU X.

I want ALL computers to have 3 groups dropped into the local admin group of all PCs in that OU.

Do I need to create a simple COMPUTER GP on the OU with the following:

Edit

Windows Settings\Security Settings\Local Policies\Restricted Groups

Then simply add in

DOMAINNAME\AdminGroup1

DOMAINNAME\AdminGroup2

DOMAINNAME\AdminGroup3

Will this OVERWRITE anything there? Or just add these groups in?

I appreciate your assistance.



Restricted Groups would not be the way to do it; a startup script or a logon script would be the way to go.

More in depth:

Adding those 3 groups to Restricted Groups will make ONLY those 3 groups able to be part of the admin group. If local users have to be (though they shouldn't be), then this won't work for you.

A logon script like this might work for you:

Set g_oShell = CreateObject("Wscript.Shell")

'Add AD groups to the local admin group
'First authenticate to the domain with an account that has rights to add the group,
'then add the domain group to the local Administrators group.
'The trailing "0, True" runs each command hidden and waits for it to finish,
'so the second command does not start before the first one has completed.
g_oShell.Run "net use \\domain /user:<domain account> " & "<account Password>", 0, True
g_oShell.Run "net localgroup administrators <domain-group>@<domain> /add", 0, True


Search is your friend. :)

From this thread:

The easiest way that won't require you going to every machine to add the user(s) to the Local Admin group would be to create a domain group for the users you want to have local admin privs on your workstations (but not domain admin privs in your domain). Now create a simple CMD file with the following command:

NET LOCALGROUP Administrators /ADD "DOMAIN\New Group Name"

Now set that CMD file as a startup script in GPO. This will ensure that the group is always there and will always be readded if it's ever removed. It's also a good idea to add the following line in case the individual you give local admin privs to decides to try to lock out the domain admins:

NET LOCALGROUP Administrators /ADD "DOMAIN\Domain Admins"

You could even have a different Group and Startup Script for each OU.

I would recommend creating a separate admin account for them to use for admin purposes though. For instance, their normal account would be something like firstname.lastname and this would be tied to their Exchange mailbox, etc. Then the separate admin account would be something like firstname.lastname.admin and not have privs to anything except what is required to perform admin functions.


:P

I like my VB script.

But I agree, having a secondary account for admin rights if it is needed, like a-<account>, alongside their normal account would be nice. But to add a domain group to the local admin group, wouldn't you need to provide credentials for the add?

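The following is an added example written for this page; it is not code from any of the posters above. It turns the CMD startup-script idea from the thread into an idempotent PowerShell startup script, and it also addresses the credentials question in the last reply: a GPO startup script runs as LocalSystem at boot, and adding a domain group to a local group only requires local administrator rights plus the ability to resolve the group's SID, which the computer account can do on its own, so no username or password has to be stored in the script. (That matters because a logon script with an embedded domain password sits in SYSVOL, which every authenticated user can read.) Two caveats relevant to the original question: a Restricted Groups policy in "Members of this group" mode is authoritative and removes every member not listed, including Domain Admins and any local accounts, whereas the "This group is a member of" mode only adds; and the script below re-adds Domain Admins on every boot for the same reason the thread suggests. The group names are placeholders, and the script assumes the LocalAccounts module (Windows 10 / Server 2016 and later, PowerShell 5.1+).

```powershell
# Added example: idempotent GPO startup script that keeps a set of domain groups
# in the local Administrators group. Runs as LocalSystem at boot, so no
# credentials are embedded; the computer account resolves the domain SIDs.
# DOMAINNAME\AdminGroup1..3 are placeholder names (assumption), not real groups.
$DomainGroups = @(
    'DOMAINNAME\AdminGroup1',
    'DOMAINNAME\AdminGroup2',
    'DOMAINNAME\AdminGroup3',
    'DOMAINNAME\Domain Admins'   # re-added every boot so a local admin cannot lock out domain admins
)

# Well-known SID of BUILTIN\Administrators. Using the SID rather than the
# name "Administrators" makes the script work on localized Windows builds too.
$AdminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

function Resolve-AccountSid {
    # Translate DOMAIN\Name to its SID string, or $null if it cannot be
    # resolved (for example when no domain controller is reachable at boot).
    param([string]$Account)
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null
    }
}

function Ensure-LocalAdminMembers {
    # Adds each group in $Groups to Administrators unless it is already there.
    # Returns the names that were actually added so the caller can log them.
    param([string[]]$Groups)

    $added = @()

    # Current membership, compared by SID so case or rename differences do not
    # cause duplicate adds. Get-LocalGroupMember throws if the group contains
    # an orphaned SID; in that case fall back to an empty list and let
    # Add-LocalGroupMember report "already a member" for existing entries.
    try {
        $currentSids = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
                         ForEach-Object { $_.SID.Value })
    } catch {
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        $currentSids = @()
    }

    foreach ($group in $Groups) {
        $sid = Resolve-AccountSid $group
        if (-not $sid) {
            # Do not hard-fail the whole script on one unresolvable name;
            # the next boot (with a DC reachable) will pick it up.
            Write-Warning "Skipping '$group': name could not be resolved"
            continue
        }
        if ($currentSids -contains $sid) { continue }

        try {
            Add-LocalGroupMember -SID $AdminsSid -Member $group -ErrorAction Stop
            $added += $group
        } catch {
            # FullyQualifiedErrorId starts with "MemberExists" when the group was
            # added between our enumeration and this call; that is not an error.
            if ($_.FullyQualifiedErrorId -notlike 'MemberExists*') {
                Write-Warning "Failed to add '$group': $($_.Exception.Message)"
            }
        }
    }
    return $added
}

$result = Ensure-LocalAdminMembers -Groups $DomainGroups
if ($result.Count -gt 0) {
    Write-Output "Added to Administrators: $($result -join ', ')"
} else {
    Write-Output "Administrators membership already correct"
}
```

Deploy it under Computer Configuration\Policies\Windows Settings\Scripts\Startup on the OU's GPO, exactly like the CMD file in the thread; because it only adds what is missing, it is safe to run on every boot and will put a group back if someone removes it. On clients older than Windows 10 the LocalAccounts cmdlets are not available, and the thread's `NET LOCALGROUP Administrators /ADD "DOMAIN\Group"` line (which is also idempotent apart from a non-fatal "already a member" error) is the equivalent.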
