Copy global group members to local groups

Similar Messages

• Add Windows 7 local administrators group to another local group

  So I have the local group MyLocalGroup and I need to add the local Administrators group as member of MyLocalGroup
  I'm working with Windows 7 Professional with Windows Management 4
  I have tried:
  [ADSI]$LocalAdmonistratorGroup="WinNT://$Env:COMPUTERNAME/Administrators,Group"
  [ADSI]$MyUsersGroup="WinNT://$Env:COMPUTERNAME/MYLOCALGROUP,Group"
  $MyUsersGroup.Add($LocalAdmonistratorGroup.Path)
  Exception calling "Add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist."
  BUT:
  $LocalAdmonistratorGroup.Add($MyUsersGroup.Path)
  It's work! And MyLocalGroup is member of administrator.
  I have made some test and:
  1. A user can be added to any local group (ok)
  2. A local group can be member of any local group (ok)
  3. A group or a user can be added to local Administrators group
  4. If I try to add local administrators group as member of any other local group I receive the error!
  How I can add the Local Administrators group as member of another local group using PowerShell (with interface work)?
  Thanks,
  Lorenzo Soncini
  LSo Lorenzo Soncini Trento TN - Italy

  Hi Lorenzo,
  Nesting local groups (add a local group to the group membership of another local group on the same client )is not recommended.
  Refer to:
  Nesting of local groups is not supported on workstations or member servers
  If we execute this operation via Computer Management Interface, it will produce error.
  Some group authoring tools can add local Group To local Built-in Groups, however, our suggestion is to never nest local groups even when it is allowed by a group authoring tool like “net local group” because such nesting doesn’t reflect the group expansion
  constraints and the end results would be different from the expected results.”
  Refer to:
  Nested User Groups (Groups in Groups) / Built-in Local Groups Issue
  If there is anything else regarding this issue, please feel free to post back.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna Wang
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Getting All Local Groups, Group Members and Local accounts on all Servers

  Hello Everyone,
  Sorry if this has been covered already, but I didnt see anything that quite answered my question.
  I've been given the task of generating an Access Control List here at work and I've managed to piece together a few scripts that gets me so close it's frustrating.
  The script I have now will parse through a text file with all my Windows servers listed in it and it does output in the console the server name, all of the groups on the server (Administrators, Remote Users, Backup Operators, etc.) and all the individual
  members of those groups and nested groups.
  However, I can't seem to get it to export to a CSV for easy digestion.  I've tried to pipe the export-csv command, but the csv it gives me doesnt have any useful information in it.
  Here is the script:
  $list =@()
  $Servers=Get-Content ListOfComputers.txt
  foreach($server in $Servers) {
  $server | % {
  $server = $_
  $server
  $computer = [ADSI]"WinNT://$server,computer"
  $computer.psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach {
  "`tGroup: " + $Group.Name
  $group =[ADSI]$_.psbase.Path
  $group.psbase.Invoke("Members") | foreach {
  $us = $_.GetType().InvokeMember("Adspath", 'GetProperty', $null, $_, $null)
  $us = $us -replace "WinNT://",""
  $class = $_.GetType().InvokeMember("Class", 'GetProperty', $null, $_, $null)
  $list += new-object psobject -property @{Group = $group.Name;Member=$us;MemberClass=$class;Server=$server}
  "`t`tMember: $us ($Class)"
  The format it pumps out to the console is good, other than it's somewhat upside down, the members are all listed above the group name such as below, where there's no members in the Administrators group, but User1, 2 and 3 are part of the Remote Desktop Group.
   This isn't horrible as I can cut and paste it out of the console and into a spreadsheet, but then i have to shift things up a row and doing that for the entire list is going to be way more work than I'd like.
  Server01
  Administrators
  User1
  User2
  User3
  Remote Desktop Users
  When I use export-csv on the script above I get a bunch of numbers rather than groups or members like this:
  Length
  13
  51
  40
  35
  63
  63
  35
  32
  Hopefully, there's someone out there who can help me tweak this script so that I can just dump it all to a csv and be done, with little to no massaging of the data afterward.
  Thanks in advance,
  Tyler

  Sure. After you've run the script, type this in the console:
  $list | Export-Csv .\groupInformation.csv -NoTypeInformation
  You'll then have a CSV file in the directory, open that with Excel and see if that gives you the information you're after.
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• Receive texts from some group members, not all group members

  Hello!
  I have an iPhone 5S and recently purchased an iMac. iMac is on OSX Yosemite and iPhone is on iOS 8.1.2
  Recently I have been involved in a few group SMS text chains and I am receiving texts from some of the group members but not all of them. I can receive texts individually from everyone in the group.
  I was recently playing around with iMessage on my new iMac and feel like I may have done something in the setup that caused this issue.
  Anyone know what's going on? I reset network settings on my phone and closed out iMessage on my computer (I also signed out of iMessage completely)

  If iMessage is turned off on both devices and you are still unable to receive their texts, it is a carrier issue, the carrier will need to resolve it.
  If iMessage is turned on on both devices and you are unable to receive their texts, it's an iMessage setup issue.

• AD integration, making AD groups members of OD groups

  Hello everyone!
  I have a 10.4.8 server bound to AD. It is an OD master. On order to define Mac OS X preferences for my users/client computers, I need to work with OD groups.
  So I create a new OD group, and grab the appropriate AD user groups and make them members of the OD group. Then, if I define this OD group as the one authorized to log-in to a specific machine (in the OD machine groups), and manage the login preferences for that machine so that it shows the list of authorized users at login. No go! Nothing happens.
  If I add a single AD user to the OD group, all is well, and it shows up in the list of users at the login screen of the machine.
  So, Open Directory does not seem to be able to see the members of Active Directory groups. Bummer!
  Ideas anyone?

  Well, this issue really seems to be limited to a specific area.
  In my testing, I was able to assign specific permissons on a shared folder to an AD group. The members of that AD group were able to connect to the mac server and have only the permissions I gave them on that folder, which is hosted on the Mac server.
  So in that case, the AD members are 'seen' by the Mac server. But not when it comes to populating a login screen list.

• List Local Group members with PowerShell 5

  This script:
  $Server="."
  $LocalGroup = "Administrators"
  $Group= [ADSI]"WinNT://$Server/$LocalGroup,group"
  $Members = @($Group.psbase.Invoke("Members"))
  $Members | ForEach-Object {
      $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  works fine in powershell 2 (windows 7), but fails on powershell 5
  "Error while invoking GetType. Could not find member."
  It returns only domain groups. No local groups or local users or domain users.
  Is there a reason why? And can it be modified for powershell 5?
  Thanks

  Try it like this:
  $group=[ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
  $group.Members() |
  ForEach-Object {
  ($_.GetType()).InvokeMember('Name', 'GetProperty', $null, $_, $null)
  ¯\_(ツ)_/¯

• ADMT share domain local groups access denied

  Hi,
   I have encountered strange behavior when migrating share with permissions. This is the situation:
  1) We have migrated groups from source domain(these groups are used for defining access to shares, users are directly members of these, no nested groups), groups are domain local
  2) We have migrated share and reapplied and verified ACLs, ok so far
  The problem is that users from source domain cannot access share migrated to new domain, accordin to ACL they have access BUT when they try access the share it only shows access denied. But when the groups are converted to Global in source domain(no need
  to convert in target domain) access is permitted according to ALC).
  Can someone explain that please? Thank you.
  Pete
  sfs

  Hi,
  Member permissions in domain local group can be assigned only within the same domain as the parent domain local group.
  Domain local groups can contain users from any domain. They are used to assign permissions to resources. When you restructure domains, you must migrate domain local groups when you migrate the resources to which they provide access, or you must change the
  group type to universal group.
  For more detail information, you could refer to:
  http://blog.thesysadmins.co.uk/admt-series-7-group-account-migration-wizard.html
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Is "Administrators" refer to domain group or local group?

  Windows Server 2008 R2 sp1
  using "Restricted Groups", i'm trying to add a domain group to be a member of all workstation's local admin group. i went and did that and use the "Member of" (so that i don't overwrite the existing local admin members) but before i hit
  on "Apply", it occurred to me, does the "Administrators" group refer to the domain group or the local group?

  > so i tried searching (instead of just typing it) for the
  > "Administrators" group and it gave below:
  As long as you do this on a domain controller, it will resolve to
  domain\administrators. If you do the same (or edit this GPO) on a
  member, it will resolve to computer\administrators.
  And if you VIEW the GPMC settings report, it will simply show
  "Builtin\Administrators".
  It's only a matter of search scope :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Group Policy "Restricted Groups" (local groups) using group policy preferences

  I was recently tasked a solution with creating a group policy to manage RDP user access to a set of Active Directory computer objects.
  Part of the  solution was to create a policy so that this would only apply a specific security group(users) to a specific set of Active Directory computer objects within the OU to which it was applied so that other machines
  and/or user accounts in this OU remain un affected by this policy.
  The policy was to be able to include multiple sets of Security groups(users) for the associated machines isolating those security groups(users) to only their sets of Active Directory computer objects.
   Reduce the requirement to create multiple group policies to apply different "Local Group"/"Restricted groups" management for computer objects in the domain.
  I thouhgt about using System based policies and creating different WMI filters to target sets of AD Computer objects, but came to the conclusion this would not help due to the limited of WMI quries I would be able to create for a standard
  Image.
  So I then thought about group policy preferences and came up with the solution
  I created a new Group policy and created a new item for the local group, in this instance but not limited to "Remote Desktop users (built-in)" and added the security group(users).  In my case I did not need to use the "delete
  all member users" or "delete all member groups" as I wanted other groups in this local group for the computer objects to remain intact.
  Then what I did is set the "item-level-target" setting from "the common tab" on the GPP and set it to the security group which containd the AD computer objects the user accounts required access to.  I then did a couple of standard
  tests to confirm the local security group(users) appeared only on the machine in the item level target security group and applied to no other machines in the outside of SOM. 
  So with this in place, if I needed to create any other entries for different groups and access to specific machines all I need to do is create a new GPP item within this policy.
  Being mindful that system policies settings if applied to same OU will take preceedence over GPP settings.... 
  Thought I would just share this in-case anyone else has had similar requests/thoughts and or has other methods that they have used that they would like to share. 
  I am not sure either on the limit of entries that GPP have either so if anyone does know please post and possible links? 
  I have struggled to find an answer, however it could be that I am not asking the right question!

  good sharing...
  Best,
  Howtodo

• How to specify which group members have wiki write permissions

  In the 10.5 Workgroup Manager, Basic tab, there are two drop down boxes after the checked boxes for enbabling wiki, blog, mailing lists, web calendar, et al -
  Allow [group members only | some group members | authenticated users | anyone]
  to write to these services.
  If I select "some group members" how do I actually say which group members? I see nowhere that I can specify that.
  Specifically this is in regards to the wiki.

  Unless I'm missing something, the directory.app only lets me do the same thing the Server Admin does, add people to a group and enable services to that group.
  For example I have a group called Techs, they have a mailing list and wiki.
  Some of the junior techs I only want to have read access, others write access.
  I don't see how I can specify user1 has read only access but user2 and user3 have write access.

• Domain local groups with members from other (same forest) domains?

  I'm confused about granting access to a share via a domain local group that contains members from other domains. Consider this scenario:
  Joe Smith logs into his own domain (DALLAS.CORP.COM) and his token gets the DALLAS\sales global group.
  A share (named sales) in a different domain within the same forest (FORTSMITH.CORP.COM) assigns ntfs modify on its DACL via the FORTSMITH\sales_modify domain local group, which contains the DALLAS\sales global group.
  Joe goes to access the sales share...what happens, exactly?
  Since Joe logged into a DC in the DALLAS domain (outside the replication scope of the sales_modify group), his token does not contain sales_modify, right? So when he goes to access the sales share, that file server in FORTSMITH checks his token, doesn't
  see FORTSMITH\sales_modify in his token, and boom: access denied...right?

  Universal group is ok within the same forest but different domain.
  Domain local is ok between separate forest (Trust should be in place).
  Global is ok for same domain.
  See this for more details.
  http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx 
  Written by Ace Fecay-DS MVP.
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• Members of Domain Local Groups not showing up through net group command

  Hello,
  I am trying to get the list of members in a Domain Local Group using "NET GROUP" command, but unable to get the member list.
  I get the message "group not found", whereas members of Global Groups  are visible.
  Thank you in advance !

  Unfortunately your post is off topic here, in the TechNet Site Feedback forum, because it is not Feedback about the TechNet Website or Subscription. 
  This is only one forum among the many that are on the TechNet Discussion Forums, and given your post, you likely chose the wrong forum. 
  This is a standard response I’ve written up in advance to help many people (thousands, really.) who post their question in this forum in error, but please don’t ignore it. 
  The links I share below I’ve collected to help you get right where you need to go with your issue.
  For technical issues with Microsoft products that you would run into as an
  end user of those products, one great source of info and help is
  http://answers.microsoft.com, which has sections for Windows, Hotmail, Office, IE, and other products. Office related forums
  are also here: http://office.microsoft.com/en-us/support/contact-us-FX103894077.aspx
  For Technical issues with Microsoft products that you might have as an
  IT professional (like technical installation issues, or other IT issues), you should head to the TechNet Discussion forums at
  http://social.technet.microsoft.com/forums/en-us, and search for your product name.
  For issues with products you might have as a Developer (like how to talk to APIs, what version of software do what, or other developer issues), you should head to the
  MSDN discussion forums at http://social.msdn.microsoft.com/forums/en-us, and search for your product or issue.
  If you’re asking a question particularly about one of the Microsoft Dynamics products, a great place to start is here:
  http://community.dynamics.com/
  If you really think your issue is related to the subscription or the TechNet Website, and I screwed up, I apologize! 
  Please repost your question to the discussion forum and include much more detail about your problem, that could include screenshots of the issue (do not include subscription information or product keys in your screenshots!), and/or links to the problem
  you’re seeing. 
  If you really had no idea where to post this question but you still posted it here, you still shouldn’t have because we have
  a forum just for you!  It’s called the Where is the forum for…? forum and it’s here:
  http://social.msdn.microsoft.com/forums/en-us/whatforum/
  Moving to off topic. 
  Thanks
  MSDN and TechNet Subscriptions Support
  Did Microsoft call you out of the blue about your computer?
  No, they didn't.

• Make members of a group local administrators

  I have a 10.5.2 server and mixed 10.4.x and 10.5.x clients. Is there a way to setup users with Workgroup Manager such that members of certain groups are seen by the clients as local administrators?

  Hi Nige-B,
  Failover Cluster Manager requires Full Control, so there is no way to delegate the read-only users. However we can have read-only privileges for PowerShell management. We can
  use the following command:
  1. 
  Open the PowerShell command with administrator privilege.
  Import-module failoverclusters
  Grant-ClusterAccess domain\user1 –readonly
  NOTE: You can type "-Cluster clustername" to grant access to another cluster.
  3. Then the user domain\user1 has the read-only privilege to see the current status of the cluster, or can see the parameters.
  For more information of this cmdlet, please refer to:
  Grant-ClusterAccess
  http://technet.microsoft.com/en-us/library/ee460969(WS.10).aspx
  I’m glad to be of help to you!
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Create Local Group on Member Servers

  Guys,
  I have put together below script (thanks to everyone for posting great scripts). I have copied some part of the script from the forum examples.
  This script will take Input, create Domain group and add that domain group to the number of member servers listed in the text file.
  So far so good, my this script works fine. 
  Question - I need to add functionality in the script to create new local group on member servers using same variable and Add the Domain group (created using same variable) in the newly created local group on member servers.
  I also want to have an output file for the failed hosts. 
  Appreciate your help.
  ==============================================
  # input
  $Name = Read-Host "Write Policy Name"
  #Create Domain User Group
  NEW-ADGroup -Name ${Name}_UserGroup –groupscope Global -path "ou=Test,DC=Lab,DC=Local" -Description "${Name} Domain users Group"
  #Read Servers from the Text File
  $Servers = Get-Content c:\temp\${Name}_Servers.txt
  #Initialize the Domain Group Object 
  $DomainGroup = [ADSI]"WinNT://Lab.local/${Name}_usergroup,group"
  #Add Domain group to the local Remote Desktop Group on member servers
  ForEach ($Server in $Servers) #Loop through each server 
      #Get Local Group object 
      $LocalGroup = [ADSI]"WinNT://$Server/Remote Desktop Users,group" 
      #Assign DomainGroup to LocalGroup 
      $LocalGroup.Add($DomainGroup.Path)
  ==============================

  You don't need scripts to manage local groups.
  Group Policy can do this for you.
  -- Bill Stewart [Bill_Stewart]

• My SCCM 2007 Secondary Site Servers have multiple "SMS_SiteSystemToSiteServerConnection_ SiteCode " and "SMS_SiteToSiteConnection_ SiteCode " local groups

  My organization is going through a SCCM 2012 migration and I was asked about our current SCCM 2007 Secondary Sites and when I remoted into my secondary site servers I saw that two of the three servers have multiple "SMS_SiteSystemToSiteServerConnection_<SiteCode>"
  and "SMS_SiteToSiteConnection_<SiteCode>" local groups. 
  This just seemed quite odd and I wanted to know if anyone has dealt with this before.
  Thank you

  Thanks for your reply Eswar.
  One of the SMS_SiteToSiteConnection_<SiteCode>
  groups on two of my Secondary Site servers I believe are configured correctly and they both have my Primary Site Server as a member, but the
  SMS_SiteSystemToSiteServerConnection_<SiteCode> group is empty. Is the
  SMS_SiteSystemToSiteServerConnection_<SiteCode> group supposed to contain my Primary Site server as well? Both the SMS_SiteSystemToSiteServerConnection_<SiteCode>
  and the
  SMS_SiteToSiteConnection_<SiteCode> groups on my Primary Site Server have my Secondary Site Servers as members. 
  Is this correct?
  I'm wondering now if the strange groups with the odd site codes that don't even exist were created when the secondary sites were initially being created a while back. From the documentation, it looks like the former admin initially configured the secondary
  sites using a PowerShell script created by Kaido Jarvemets. According to some of the notes I have read, the admin kept uninstalling and re-installing the sites when they were not showing up in the SCCM 2007 Admin console, but apparently they simply forgot
  to configure a Sender and an Address, if that makes any sense to you.
  So, perhaps these groups ending with an odd Secondary Site code may have been a typo during one of the installation attempts? If this is the case, can these groups be deleted?
  One thing I forgot to mention was that the Secondary Site servers belong to a Global Security AD group and that group is used to add them to both the SMS_SiteSystemToSiteServerConnection_<SiteCode
  and the SMS_SiteToSiteConnection_<SiteCode>
  groups on the Primary Site server.
  Is this allowed?
  Thanks