the_technocrat
16 Nov 2006, 4:14pm
Hey all,
I have a security group in Active Directory called Tech Group. These are the people at each of the campuses that help me out with technical issues.
I'm trying to find a way to add the Tech Group via startup script to every machine's local user accounts in the domain. The idea here is that no matter who is in the Tech Group in Active Directory, they will be able to log on to any machine on the domain and have local machine administrator rights. Right now, they don't have the permissions to get the job done, and this makes the administrator (me) have to run around (remote desktop) a lot just to log in as myself. For the simple issues they're solving, this is a waste of time, and I'd like to fix it.
I like the idea of adding a group, because I want to be able to add/delete people in the group as needed. I'm not a fan of adding individual people to each machine as local admins, and then having to manage turnover...
I've been looking for a way to do this via batch, so I could just add the batch file to my domain's startup script GPO, and the Tech Group would be added as a local administrators group. I really don't think it's feasible to go around to 400 machines and manually add the Tech Group to each machine with admin rights.
I don't want to make the Tech Group part of the Domain Administrators; I want to limit their admin access to the workstations. I don't need them hopping on a server and doing something crazy...
Anyone done this? I'm sure someone has done the same thing with an 'IS Support Dept' or 'Helpdesk' group...