I just set up something which is fairly useful, and I had a hard time finding anything much about it on the Internet. I needed to make a new guy we have working for us a local admin on each machine in the domain without making him a domain admin, also not forgetting we have English and French systems, i.e. the group name is different on these systems.

So I found this here: http://web.mit.edu/ist/topics/windows/server/winmitedu/user_management.html – and my thanks to the people who wrote this. In case this link disappears I have taken the most important part and listed it here.
quote —
Create a Policy to Add a Security Group to the Local Administrators Group
Requirements: Container Administrator rights, i.e., rights over an organizational unit
Create a security group which contains the user ids of the users who will be allowed local administrator access to the computers in the organizational unit. Note: The name of the group cannot contain any spaces. Create a .bat file containing the following simple script:
net localgroup administrators LocalAdministratorGroupName /add
Where LocalAdministratorGroupName is the name of the group of local administrators previously created in the Active Directory. Add the script to a group policy:
1. Select the OU to which you want the policy to be applied.
2. Right-click Properties… , click on the Group Policy tab, select New…
3. Give the group policy a name (prefixed with the name of your departmental OU).
4. Click Edit.
5. Expand Computer Configuration > Windows Settings > Scripts…
6. Double-click Startup… , select Add.
7. Type the script name and location in the Script Parameters box, e.g., \\campus\software\dept\myDept\localAdmin.bat. For an existing group policy you will need to edit that policy using steps 4-7 above.
Note: You can edit only policies that you have created yourself, or for which you have been expressly granted editing permissions by the original policy creator.
end quote —
I made a group called workstationadmins, added my new guy to it, made a GP under Workstations (our servers are in a separate OU) called Local Admins, and added to the machine startup script the following: \\xxx\NETLOGON\localadmin.bat. This contains
net localgroup administrators workstationadmins /add
net localgroup administrateurs workstationadmins /add
to cover both EN and FR. It doesn't seem to care that a group does not exist, but I will keep an eye out. After a restart any PC in the OU comes up with that group as a local admin, i.e. I believe any new machine that is set up he can log straight onto as a local admin with his account; will test 🙂
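The same idea as the startup script above, written here as an added example rather than the post's own .bat: instead of listing each localized name, the local Administrators group is looked up by its well-known SID (S-1-5-32-544), so one script covers English, French and any other locale, and it only runs the add when the group is not already a member. The domain name xxx and group workstationadmins are taken from the post as placeholders.

```powershell
# Added example (not the original post's script). Intended to run as a
# machine startup script, i.e. as SYSTEM, from the GPO described above.
# Placeholder values from the post: domain "xxx", group "workstationadmins".
$DomainGroup = 'xxx\workstationadmins'

# BUILTIN\Administrators always has SID S-1-5-32-544; only its display name
# is localized ("Administrators" on EN, "Administrateurs" on FR).
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$localAdmins = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Skip the add if the domain group is already a member, so the startup log
# does not fill with "already a member" errors on every reboot.
$current = net localgroup "$localAdmins" 2>&1
if ($current -match [regex]::Escape($DomainGroup)) {
    "$DomainGroup is already a member of $localAdmins"
    exit 0
}

net localgroup "$localAdmins" "$DomainGroup" /add
if ($LASTEXITCODE -ne 0) {
    "net localgroup failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}
"Added $DomainGroup to $localAdmins"
```

Because the script checks the exit code, a failure (for example a typo in the domain group name) shows up in the startup script log instead of silently doing nothing.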