Article ID: 555026 - View products that this article applies to.
How To Force Adding Of Domain Admin Group to Local Admin Group
A common problem in Windows domain management is the removing of Domain Admin group from Local Admin group by users. This operation prevent from the Domain Admin group to connect to Administrative shares (like c$), log on to user workstation/server, track on user activity and so on.
Using "Restrict Groups" option from Windows 2000/2003 GPO impose some solution for this problem, but if there local users on the workstation/server, this option inefficient, and may harm the workstation/server users.
Machine Script Solution:
By combine Windows 2000/2003 GPO and creating a machine script, we can get
A good Solution to this problem, and by avoiding the problems that "Restrict Groups" option from Windows 2000/2003 GPO create.
The script structure:
Script Name: Machine_Startup_Script.vbs (You can use any name that you like,
But you need to verify that the file name suffix end with
Operation Interval: Each machine startup or/and shutdown.
'Beginning Of the Script
On Error Resume Next
'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )
'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain/Domain Admins,group" )
'End of the Script
mywindowsdomain = The NetBIOS name of the Domain that the user workstation log into.
Sentence that begin with " ' " use for a comment only.
After creating the script, we need add this script to Domain Default GPO – as
Computer startup or/and shutdown script and we done.
Windows 2000 Computer Startup Scripts:
Active Directory Services and Group Policy in Windows Server 2003:
Windows 2000 Group Policy:
Article ID: 555026 - Last Review: April 16, 2004 - Revision: 1.0
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
Contact us for more help
Connect with Answer Desk for expert help.