group membership assigned through group policy?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi, 2003 domain here. Can you all tell me if there is a way to add a user to
a group through group policy? What I want to accomplish is to have a user
account in a child domain added to the local admin group of computers in both
the child domain and parent domain. What would be even better would be to
have a "universal admins" group that would be added. Possible?
 
Rafael said:
Hi, 2003 domain here. Can you all tell me if there is a way to add a user
to
a group through group policy? What I want to accomplish is to have a user
account in a child domain added to the local admin group of computers in
both
the child domain and parent domain. What would be even better would be to
have a "universal admins" group that would be added. Possible?
Click to expand...

Rather than adding users, I would recommend adding a group to the local
administrators group on the computers. A startup script configured in Group
Policy can add a domain group to the local administrators group. Then you
can manage this group membership as desired. By default, the group "Domain
Admins" is added to the local administrators group when the computer joins
the domain.
 
Thanks, that looks promising but I see that using this option will remove
existing members from a group that aren't specified in the policy. I would
rather not do that as there are some boxes out on the domain that have local
logins in use, which need to remain admins. Do I understand the Restricted
Groups setting correctly?

Thanks again,
Rafael
 
so using a variation of the following script, I could add a user from a child
domain to the local admins group on computers in the parent domain?

*********
Const ADS_PROPERTY_APPEND = 3

Set objGroup = GetObject _
("LDAP://cn=Atl-Users,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
"member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo

Set objGroup = GetObject _
("LDAP://cn=NA-Employees,cn=Users,dc=NA,dc=fabrikam,dc=com")
objGroup.PutEx ADS_PROPERTY_APPEND, _
"member", Array("cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objGroup.SetInfo

********
 
Hi,

If are dealing with local groups, you cannot use the LDAP provider. The
local account SAM database is not LDAP compliant. You must use the WinNT
provider. I have used code similar to below in a startup script.

Option Explicit
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup

' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain & "/MyGroup,group")

' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
' Add the domain group to the local group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If

' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing

Instead of a domain group, you could add a domain user. Note that the above
can also be run remotely, except that you cannot retrieve the computer name
from the WshNetwork object. You can either hard code the computer name or
read computer names from a text file. I hope this helps.
 
Hi,

If are dealing with local groups, you cannot use the LDAP provider.
The local account SAM database is not LDAP compliant. You must use the
WinNT provider. I have used code similar to below in a startup script.

Option Explicit
Dim strDomain, objNetwork, strComputer
Dim objLocalGroup, objDomainGroup

' Specify the NetBIOS name of the domain.
strDomain = "MyDomain"

' Retrieve NetBIOS name of local computer.
Set objNetwork = CreateObject("Wscript.Network")
strComputer = objNetwork.ComputerName

' Bind to local Administrators group.
Set objLocalGroup = GetObject("WinNT://" & strComputer _
& "/Administrators,group")

' Bind to domain group.
Set objDomainGroup = GetObject("WinNT://" & strDomain &
"/MyGroup,group")

' Check if the domain group is already a member of the local group.
If Not objLocalGroup.IsMember(objDomainGroup.AdsPath) Then
' Add the domain group to the local group.
objLocalGroup.Add(objDomainGroup.AdsPath)
End If

' Clean up.
Set objNetwork = Nothing
Set objLocalGroup = Nothing
Set objDomainGroup = Nothing

Instead of a domain group, you could add a domain user. Note that the
above can also be run remotely, except that you cannot retrieve the
computer name from the WshNetwork object. You can either hard code the
computer name or read computer names from a text file. I hope this
helps.
Click to expand...

That seems like overkill for something that can be done using a built-in
command. It would be a lot simplier, and easier for the next one who has
to figure out what is going on, to use the NET LOCALGROUP command for
this:

net localgroup administrators domain\user_or_group /add

Put that in a batch file and set it as a computer start-up script. As
long as your group names aren't >20 chars, it should work just fine.

Just my $.02 worth,

Wayne Tilton
 
Back
Top