How can I add a primary domain admin to the local admin group...


ceez


hello fellow msfn-ers!

I would like to know if there's a way that I can add our primary domain administrator to the local administrator group of the workstations on a child domain via group policies.

example:

primary.domain.net\administrator

needs to be added to the local administrator group of a workstation which the domain it sits on is:

secondary.domain.net

did that make sense?!?!?

else I have to go through computer management, connect to each ws and add primary.domain.net\administrator to the local administrator group.

thanks for your help,

ceez

:thumbup (way up)



I would like to know if there's a way that I can add our primary domain administrator to the local administrator group of the workstations on a child domain via group policies.

example:

primary.domain.net\administrator

needs to be added to the local administrator group of a workstation which the domain it sits on is:

secondary.domain.net

That's not exactly a child domain... But as long as there's a trust relation between the domains, you're OK.

Edit the Default Domain Policy (or another appropriate GPO) of the "child" domain. Navigate to Computer Configuration / Windows Settings / Security Settings / Restricted Groups. Select the Administrators group and add the "primary" domain Administrator account. That should do the trick!


@Ctrl-X, ok that worked but it removed the domain user account from the administrator group. We add the user to the local administrator group. When I ran this GP it removed the user, the domain admin of that child domain and only left the local admin and the parent domain admin listed.

in the gpo under restricted users I have the following:

Group: Builtin\Administrator

Members: Domain\Administrator

Member of: <blank>

I assume that I can add the domain admin of the child domain by adding it to the members section of the gpo, but how can I leave the user account also in that group? Is there a way around it?

thanks for your help, definitely leading me in the right direction! :)

:thumbsup


@Ctrl-X, ok that worked but it removed the domain user account from the administrator group. We add the user to the local administrator group. When I ran this GP it removed the user, the domain admin of that child domain and only left the local admin and the parent domain admin listed.

That's correct, you won't be able to add users to the group locally (actually you can, but they will be removed again the next time the GPO is applied). You could add the domain admin (or the Domain Admins group) of the child domain to the GPO as well. Do I understand correctly that you add only the regular user of each workstation to the local admins group? You won't be able to do that through a GPO... You'll probably have to script it one way or another like allen2 suggested.


thanks again guys for the help.

@allen2: i'll look into that script option.

@ctrl-x: you are correct, we add the user to that workstation. ie: if it's assigned to me then i would add domain\ceez to the local admin group of the workstation.

I did end up adding 'domain users' for that child domain in the GPO and that seemed to work, the user that works on that workstation had rights, the easy way to test was to run a disk defrag.

thanks again for your help ctrl-x.

ceez

:thumbup

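
Added example, not part of any post in this thread: Restricted Groups settings are saved in the GPO's GptTmpl.inf security template under [Group Membership], so the removals Ctrl-X describes, and how wide a Members list such as the one in the last post reaches, can be checked from that file before the policy is applied. The SIDs, the sample template and the function names are constructed for the illustration, and the script models only a non-empty Members list for the Administrators group.

```python
"""Predict what a Restricted Groups Members list does to local Administrators."""
ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users"}  # RID is the last part of a domain SID

# Constructed sample: the three domain/machine SIDs below are made up.
PARENT = "S-1-5-21-1000-1000-1000"
CHILD = "S-1-5-21-2000-2000-2000"
MACHINE = "S-1-5-21-3000-3000-3000"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{PARENT}-500,*{CHILD}-513
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().lstrip("*").rpartition("__")
            groups.setdefault(group, {})[kind.lower()] = [
                v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def broad_name(sid):
    """Name of a principal that covers all accounts of a domain or more, else None."""
    if sid.startswith("S-1-5-21-"):
        return BROAD_RIDS.get(sid.rsplit("-", 1)[1])
    return BROAD_SIDS.get(sid)

def review_administrators(inf_text, current_members, builtin_admin):
    """Effect of a non-empty Members list: listed SIDs stay or are added, the rest go."""
    wanted = parse_group_membership(inf_text).get(ADMINISTRATORS, {}).get("members")
    if not wanted:
        return None  # no Members list for Administrators: not modelled here
    keep = set(wanted) | {builtin_admin}  # built-in Administrator is never removed
    return {"removed": sorted(m for m in current_members if m not in keep),
            "added": sorted(m for m in wanted if m not in current_members),
            "broad": [(m, broad_name(m)) for m in wanted if broad_name(m)]}

if __name__ == "__main__":
    current = [f"{MACHINE}-500", f"{CHILD}-512", f"{CHILD}-1104"]  # constructed
    print(review_administrators(SAMPLE_INF, current, f"{MACHINE}-500"))
```

A real GptTmpl.inf is usually stored as UTF-16, so read it with `encoding="utf-16"` before passing the text in.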
