Adding a group to a local group on a workstation


  • Adding a group to a local group on a workstation

    We are using Windows 2000 Server and about 40 workstations (99% of them are either Windows 2000 Professional or Windows XP Professional).

    I am wanting to add a group to the local administrators group on the local workstations for remote management and administration purposes.

    However if the group is part of the local administrators group on the local workstation, I do not want to re-add it to the local administrators group.

    I am struggling to find a way to do it using GPO - is there a way to do it using GPO?

    Or should I be doing it with a script?

    (I would prefer to do it with GPO and no script if a solution exists, but am willing to combine both if it produces the results.)

    Thanks in advance all!

  • #2
    You can use Restricted Groups, but this also brings problems.

    If you add the Administrators group and add Domain Admins and your other group, then machines with additional entries in Administrators will lose this membership (if that makes sense).

    Scripting it is probably easier, but for the login script to work, the user logging on would have to be a local admin for the script to be able to amend the group.

    Choose whichever is best for your setup.

    topper
    * Shamelessly mentioning "Don't forget to add reputation!"



    • #3
      Originally posted by topper
      You can use Restricted Groups, but this also brings problems.

      If you add the Administrators group and add Domain Admins and your other group, then machines with additional entries in Administrators will lose this membership (if that makes sense).

      topper
      Okay - interesting way to use it - thanks. Just a pity that it won't work in this situation as the Administrators membership needs to remain intact.

      Originally posted by topper
      Scripting it is probably easier, but for the login script to work, the user logging on would have to be a local admin for the script to be able to amend the group.

      topper
      Once the group is amended for the first time, the membership remains like that until someone changes it, right?



      • #4
        Originally posted by JamesNesbitt
        Once the group is amended for the first time, the membership remains like that until someone changes it, right?
        Well yea, the login script will try and add it every time it runs, obviously, but it doesn't error; it just recognises the fact that the membership already exists and just continues.

        topper
        * Shamelessly mentioning "Don't forget to add reputation!"



        • #5
          Originally posted by topper
          You can use Restricted Groups, but this also brings problems.

          If you add the Administrators group and add Domain Admins and your other group, then machines with additional entries in Administrators will lose this membership (if that makes sense).
          Not if you use Member Of like in the screenshot attached. This way the group will be ADDED without altering the current members.
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"

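The two Restricted Groups modes contrasted in posts #2 and #5, as an added example that is not part of the original thread: this is how each choice is stored in the GPO's security template (GptTmpl.inf). `<domain>` and `<rid>` are placeholders for the domain identifier and the remote-management group's RID; `S-1-5-32-544` is the well-known SID of the built-in Administrators group and RID 512 is Domain Admins.

```ini
; Added example, not from the thread. Fragments of a GPO security template
; (GptTmpl.inf). <domain> and <rid> are placeholders, not real values.
; Variants A and B are alternatives; a template holds one [Group Membership]
; section, so pick one.

; --- Variant A: "Members of this group" defined on Administrators (post #2) ---
; The list is authoritative: on every policy refresh the local Administrators
; group is reset to exactly these entries, so any account or group a
; workstation had added locally is removed.
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-<domain>-512,*S-1-5-21-<domain>-<rid>

; --- Variant B: "This group is a member of" defined on the new group (post #5) ---
; The entry is keyed on the remote-management group and names Administrators
; as a group it must belong to. The group is added to local Administrators;
; the existing members are left alone.
[Group Membership]
*S-1-5-21-<domain>-<rid>__Memberof = *S-1-5-32-544
*S-1-5-21-<domain>-<rid>__Members =
```

After a policy refresh, running `net localgroup Administrators` on a workstation shows whether the pre-existing members survived, which is the quickest way to confirm which variant actually took effect.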


          • #6
            You are absolutely right Guy, but it works only with recent software:

            W2000 SP4
            XP SP2 (!)
            W2003.

            It is astonishing that they fixed that bug so late. Guess nobody screamed loud enough.



            • #7
              You are right... There are a couple of KBs about this, but I would argue about XP SP2. I have this setting configured in production and it works with SP1 too.
              Guy Teverovsky
              "Smith & Wesson - the original point and click interface"



              • #8
                Originally posted by guyt
                You are right... There are a couple of KBs about this, but I would argue about XP SP2. I have this setting configured in production and it works with SP1 too.
                Then you probably have this hotfix, right? http://support.microsoft.com/?kbid=810076

                That's why I said SP2; it includes this hotfix. Vanilla SP1 won't do it, at least last time I tried it (a year ago).



                • #9
                  Hi all,

                  Thanks very very much for all the help and assistance! The solution works!

                  We are running Windows 2000 SP4 and Windows XP SP2 (all machines fully patched - at least that's what we aim for), so it should work all fine.

                  You guys are all stars!

                  James



                  • #10
                    Originally posted by wkasdo
                    Then you probably have this hotfix, right? http://support.microsoft.com/?kbid=810076

                    That's why I said SP2; it includes this hotfix. Vanilla SP1 won't do it, at least last time I tried it (a year ago).
                    Ignorance is bliss... I'll check with our client development team if they have deployed this hotfix for the masses (probably did). I was always more into those OS-es that have "server" part in its name

                    (I always said that if I was to get MCSE cert, the exam I have most chances to fail is the XP one )
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"



                    • #11
                      Originally posted by guyt
                      (I always said that if I was to get MCSE cert, the exam I have most chances to fail is the XP one )
                      Lol!
                      Server 2000 MCP
                      Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog http://tonyyeb.blogspot.com

                      ** Remember to give credit where credit is due and leave reputation points where appropriate **



                      • #12
                        Hi guys,

                        This is my own experience:

                        I have an AD 2000 SP4 domain and XP SP1, SP2 clients: "Members of" never worked.

                        I also have an AD 2k3 domain and XP SP2 clients: same thing.

                        After I upgraded the 2k3 domain to SP1, "Members of" just works. I don't know why but I am happy with it now.

                        Regards,
                        Teamwork



                        • #13
                          Hmmm... looks like there was a problem with that policy then, in terms of replication and consistency. GPO functionality is determined by the client, not the DCs. In other words, for the functionality it does not matter if your DCs are W2000 RTM or W2003 SP1.
