Expand a Domain Local group as an administrator from a different domain

Similar Messages

• Domain local groups with members from other (same forest) domains?

  I'm confused about granting access to a share via a domain local group that contains members from other domains. Consider this scenario:
  Joe Smith logs into his own domain (DALLAS.CORP.COM) and his token gets the DALLAS\sales global group.
  A share (named sales) in a different domain within the same forest (FORTSMITH.CORP.COM) assigns ntfs modify on its DACL via the FORTSMITH\sales_modify domain local group, which contains the DALLAS\sales global group.
  Joe goes to access the sales share...what happens, exactly?
  Since Joe logged into a DC in the DALLAS domain (outside the replication scope of the sales_modify group), his token does not contain sales_modify, right? So when he goes to access the sales share, that file server in FORTSMITH checks his token, doesn't
  see FORTSMITH\sales_modify in his token, and boom: access denied...right?

  Universal group is ok within the same forest but different domain.
  Domain local is ok between separate forest (Trust should be in place).
  Global is ok for same domain.
  See this for more details.
  http://msmvps.com/blogs/acefekay/archive/2012/01/06/using-group-nesting-strategy-ad-best-practices-for-group-strategy.aspx 
  Written by Ace Fecay-DS MVP.
  Regards~Biswajit
  Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
  MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
  MY BLOG
  Domain Controllers inventory-Quest Powershell
  Generate Report for Bulk Servers-LastBootUpTime,SerialNumber,InstallDate
  Generate a Report for installed Hotfix for Bulk Servers

• ADMT share domain local groups access denied

  Hi,
   I have encountered strange behavior when migrating share with permissions. This is the situation:
  1) We have migrated groups from source domain(these groups are used for defining access to shares, users are directly members of these, no nested groups), groups are domain local
  2) We have migrated share and reapplied and verified ACLs, ok so far
  The problem is that users from source domain cannot access share migrated to new domain, accordin to ACL they have access BUT when they try access the share it only shows access denied. But when the groups are converted to Global in source domain(no need
  to convert in target domain) access is permitted according to ALC).
  Can someone explain that please? Thank you.
  Pete
  sfs

  Hi,
  Member permissions in domain local group can be assigned only within the same domain as the parent domain local group.
  Domain local groups can contain users from any domain. They are used to assign permissions to resources. When you restructure domains, you must migrate domain local groups when you migrate the resources to which they provide access, or you must change the
  group type to universal group.
  For more detail information, you could refer to:
  http://blog.thesysadmins.co.uk/admt-series-7-group-account-migration-wizard.html
  Regards.
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Remotely add Domain User to local group

  I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads and XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local
  groups.  I would like to be able to run this from a management workstation. 
  I've been working from these two posts.
  http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
  http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
  It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command
  to execute the two lines of code remotely. 
  Invoke-Command -ComputerName RemoteServer {
  $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
  $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
  (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
  Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
  +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
  +FullyQualifiedErrorID :DotNetMethodTargetInvocation
  +PSComputerName :RemoteServer
  I need help on what to try next.
  Thanks.
  . : | : . : | : . tim

  I've been playing with this for some time, and I seem to be missing something.  I am trying to develop a script that reads and XML file containing a list of computers, local groups, and names of domain users (and computers) to be added to the local
  groups.  I would like to be able to run this from a management workstation. 
  I've been working from these two posts.
  http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/19/use-powershell-to-add-domain-users-to-a-local-group.aspx
  http://blogs.technet.com/b/heyscriptingguy/archive/2008/03/11/how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group.aspx
  It appears that the command $objGroup = [ADSI]("WinNT://atl-fs-001/Administrators") only works locally.  I have not been able to figure out any format that allows me to get the information remotely.  So I figured I would use Invoke-Command
  to execute the two lines of code remotely. 
  Invoke-Command -ComputerName RemoteServer {
  $de = [ADSI]"WinNT://RemoteServer/Administrators,Group"
  $de.psbase.invoke("Add",([ADSI]"WinNT://Domain/User").path)
  (I am trying it first with fixed, valid values - change to variables when I get things figured out.)  That gave me the error:
  Exception calling "Invoke" with "2" argument(s): "Number of parameters specified does not match the expected number."
  +CategoryInfo :NotSpecified: (:) [], MethodInvocationException
  +FullyQualifiedErrorID :DotNetMethodTargetInvocation
  +PSComputerName :RemoteServer
  I need help on what to try next.
  Thanks.
  . : | : . : | : . tim
  The ADSI commands work remotely as long as you are an administrator on the domain.
  Invoke-Command only works on systems set up for WinRM remoting and if you are an Administrator on the domain.
  Normally we would use AD and GP to add users to local groups.
  Your script is also incorrect.  Thisis the correct template.
  $remotepc='somepc'
  $de=[ADSI]"WinNT://$remotepc/Administrators,Group"
  $de.Add("WinNT://Domain/User")
  You should never the user to the admin group.  It is a formula for disaster.
  ¯\_(ツ)_/¯

• Fail to add domain user into local group - RPC server unavailable

  Hi all,
  I have a server-1 which is join to domain A. I need to add a domain user from domain B to my server-1 local group. I keep getting "The RPC server is unavailable" error message.
  But i try to use another server-2 which also belong to domain A and same network segment as server-1, i do not encounter this error while adding domain B user onto it.
  The problematic server-1 is a Windows 2008 R2 SP1 server. It is install with IIS and MS SQL database 2008.
  Just one thing i am guessing whether is it the cause of the problem. Before server-1 join to domain A, i did not disable windows firewall. I disable it only recently. Could this has cause the problem on my server-1?

  Let's recap to make sure I understand exactly what  you have going on:
  - Server 1 and Server 2 are both on Domain A and in the same site, behind the same firewalls
  - Adding a user from Domain B works on Server 1 but not Server 2.
  - You get an RPC error while adding Domain B's user on Server 2.
  Is Domain B on the other end of some firewall?
  - Can you do a portqry to a DC in Domain B from Server 2 (http://www.microsoft.com/en-us/download/details.aspx?id=17148)
  - Run this command: portqry -n <DomainBFQDN> -p both -o 53,135,389,3268
     - We are testing DNS, RPC, LDAP and GC.  Do you see anything come back as filtered or not listening?
  - Do the same thing from Server 1 and compare the results.
  This sounds like a connectivity problem.
  Chris Ream

• Members of Domain Local Groups not showing up through net group command

  Hello,
  I am trying to get the list of members in a Domain Local Group using "NET GROUP" command, but unable to get the member list.
  I get the message "group not found", whereas members of Global Groups  are visible.
  Thank you in advance !

  Unfortunately your post is off topic here, in the TechNet Site Feedback forum, because it is not Feedback about the TechNet Website or Subscription. 
  This is only one forum among the many that are on the TechNet Discussion Forums, and given your post, you likely chose the wrong forum. 
  This is a standard response I’ve written up in advance to help many people (thousands, really.) who post their question in this forum in error, but please don’t ignore it. 
  The links I share below I’ve collected to help you get right where you need to go with your issue.
  For technical issues with Microsoft products that you would run into as an
  end user of those products, one great source of info and help is
  http://answers.microsoft.com, which has sections for Windows, Hotmail, Office, IE, and other products. Office related forums
  are also here: http://office.microsoft.com/en-us/support/contact-us-FX103894077.aspx
  For Technical issues with Microsoft products that you might have as an
  IT professional (like technical installation issues, or other IT issues), you should head to the TechNet Discussion forums at
  http://social.technet.microsoft.com/forums/en-us, and search for your product name.
  For issues with products you might have as a Developer (like how to talk to APIs, what version of software do what, or other developer issues), you should head to the
  MSDN discussion forums at http://social.msdn.microsoft.com/forums/en-us, and search for your product or issue.
  If you’re asking a question particularly about one of the Microsoft Dynamics products, a great place to start is here:
  http://community.dynamics.com/
  If you really think your issue is related to the subscription or the TechNet Website, and I screwed up, I apologize! 
  Please repost your question to the discussion forum and include much more detail about your problem, that could include screenshots of the issue (do not include subscription information or product keys in your screenshots!), and/or links to the problem
  you’re seeing. 
  If you really had no idea where to post this question but you still posted it here, you still shouldn’t have because we have
  a forum just for you!  It’s called the Where is the forum for…? forum and it’s here:
  http://social.msdn.microsoft.com/forums/en-us/whatforum/
  Moving to off topic. 
  Thanks
  MSDN and TechNet Subscriptions Support
  Did Microsoft call you out of the blue about your computer?
  No, they didn't.

• Is "Administrators" refer to domain group or local group?

  Windows Server 2008 R2 sp1
  using "Restricted Groups", i'm trying to add a domain group to be a member of all workstation's local admin group. i went and did that and use the "Member of" (so that i don't overwrite the existing local admin members) but before i hit
  on "Apply", it occurred to me, does the "Administrators" group refer to the domain group or the local group?

  > so i tried searching (instead of just typing it) for the
  > "Administrators" group and it gave below:
  As long as you do this on a domain controller, it will resolve to
  domain\administrators. If you do the same (or edit this GPO) on a
  member, it will resolve to computer\administrators.
  And if you VIEW the GPMC settings report, it will simply show
  "Builtin\Administrators".
  It's only a matter of search scope :)
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Managing membership of local group - Domain Local groups not permitted?

  Hi all
  I would like to populate the membership of the local Administrators group on certain member servers using the "Local users and groups" feature of GPP.  The object picker does not let me choose groups with Domain Local scope. 
  Does anyone know the reason for this?  Is there any workaround?
  I can add domain local groups to the membership of the Adminstrators group manually, so it seems strange I can't do it via GPO.
  Alexei

  > I would like to populate the membership of the local Administrators
  > group on certain member servers using the "Local users and groups"
  > feature of GPP.  The object picker does not let me choose groups with
  > Domain Local scope.
  I cannot confirm. I can add both DL and GG. What OS are you using? Here:
  Win 7 Enterprise 32 bit.
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• How to apply Software Restriction policy for specific user in local group policy object ?

  I am working on implementing user based software restriction policy programmatically for local group policy object.
  If i create a policy through Domain Controller,i do have option for software restriction policy in user configuration but in local group policy editor i don't have option for that.
  When i look for the changes made by policy applied from Domain Controller in registry, they modifies registry values for specific users on path HKEY_USERS\(SID of User)\Softwares\Policies\Microsoft\Windows\Safer\Codeidentifiers
  They also have registry.pol stored in SYSvol folder in Domain Controller. When i make the same changes in registry to block any other application, application is getting blocked.
  I achieved what i wanted but is it right to modify registry values ?  
  PS:- I am using Igrouppolicyobject API

  I achieved what I wanted but is it right to modify registry values ?
  You also can modify a registry programmatically based policy. Check this:
  http://blogs.msdn.com/b/dsadsi/archive/2009/07/23/working-with-group-policy-objects-programmatically-simple-c-example-illustrating-how-to-modify-a-registry-based-policy.aspx
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
  Click
  HERE to participate the survey.

• Group Policy "Restricted Groups" (local groups) using group policy preferences

  I was recently tasked a solution with creating a group policy to manage RDP user access to a set of Active Directory computer objects.
  Part of the  solution was to create a policy so that this would only apply a specific security group(users) to a specific set of Active Directory computer objects within the OU to which it was applied so that other machines
  and/or user accounts in this OU remain un affected by this policy.
  The policy was to be able to include multiple sets of Security groups(users) for the associated machines isolating those security groups(users) to only their sets of Active Directory computer objects.
   Reduce the requirement to create multiple group policies to apply different "Local Group"/"Restricted groups" management for computer objects in the domain.
  I thouhgt about using System based policies and creating different WMI filters to target sets of AD Computer objects, but came to the conclusion this would not help due to the limited of WMI quries I would be able to create for a standard
  Image.
  So I then thought about group policy preferences and came up with the solution
  I created a new Group policy and created a new item for the local group, in this instance but not limited to "Remote Desktop users (built-in)" and added the security group(users).  In my case I did not need to use the "delete
  all member users" or "delete all member groups" as I wanted other groups in this local group for the computer objects to remain intact.
  Then what I did is set the "item-level-target" setting from "the common tab" on the GPP and set it to the security group which containd the AD computer objects the user accounts required access to.  I then did a couple of standard
  tests to confirm the local security group(users) appeared only on the machine in the item level target security group and applied to no other machines in the outside of SOM. 
  So with this in place, if I needed to create any other entries for different groups and access to specific machines all I need to do is create a new GPP item within this policy.
  Being mindful that system policies settings if applied to same OU will take preceedence over GPP settings.... 
  Thought I would just share this in-case anyone else has had similar requests/thoughts and or has other methods that they have used that they would like to share. 
  I am not sure either on the limit of entries that GPP have either so if anyone does know please post and possible links? 
  I have struggled to find an answer, however it could be that I am not asking the right question!

  good sharing...
  Best,
  Howtodo

• List Local Group members with PowerShell 5

  This script:
  $Server="."
  $LocalGroup = "Administrators"
  $Group= [ADSI]"WinNT://$Server/$LocalGroup,group"
  $Members = @($Group.psbase.Invoke("Members"))
  $Members | ForEach-Object {
      $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  works fine in powershell 2 (windows 7), but fails on powershell 5
  "Error while invoking GetType. Could not find member."
  It returns only domain groups. No local groups or local users or domain users.
  Is there a reason why? And can it be modified for powershell 5?
  Thanks

  Try it like this:
  $group=[ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
  $group.Members() |
  ForEach-Object {
  ($_.GetType()).InvokeMember('Name', 'GetProperty', $null, $_, $null)
  ¯\_(ツ)_/¯

• A member was added or deleted to a security-enabled local group. (4732 and 4733)

  Hi Team,
  We are getting below alerts continuously. it is specifying that user is adding and removing from security group. But it is happening automatically and we've checked no one is performing such operation. And we read on some site it happened on domain controller
  but also our share point farm server is not on domain controller. Please find the alert below and suggest what we should do so that we'll not get this alert again. Thanks in advance.
  A member was added to a security-enabled local group.
  Subject:
  Security ID:
   POSTEN\s-sharep_farm
  Account Name:
   S-ShareP_Farm
  Account Domain:
  POSTEN
  Logon ID:
   0x8a121
  Member:
  Security ID:
   NETWORK SERVICE
  Account Name:
  Group:
  Security ID:
   BUILTIN\IIS_IUSRS
  Group Name:
   IIS_IUSRS
  Group Domain:
   Builtin
  Additional Information:
  Privileges

  Hi Kamal,
  Per my knowledge, SharePoint does not have the function to audit the changes in domain groups.
  What is “From” email address of the alerts?
  Please check if you have configured Windows System Resource Manager to send e-mail notifications when an event is logged firstly.
  https://technet.microsoft.com/en-us/library/cc732728.aspx
  And it seems that the System Center Operations Manager(SCOM) can set the alert for auditing the changes to the local group membership.
  Please also check if you have installed SCOM and set rule to send the alerts in SCOM.
  http://blogs.technet.com/b/nzdse/archive/2009/11/10/audit-alert-scenarios-system-center-operations-manager-opsmgr-2007-r2.aspx
  Best regards.
  Thanks
  Victoria Xia
  TechNet Community Support

• Copy global group members to local groups

  I have an AD environment with a lot of global groups, all named G-FG-groupname and I would like to move (or copy) the members of these groups to already existing domain local groups with a similar groupname but
  with another prefix which is L-RG-groupname.
  Example, in which Testn can be replaced by any name.
  Members of domain global group G-FG-Test1 have to be moved or copied to domain local group L-RG-Test1
  Members of domain global group G-FG-Test2 have to be moved or copied to domain local group L-RG-Test2
  Members of domain global group G-FG-Test3 have to be moved or copied to domain local group L-RG-Test3
  etc..
  Many thanks!

  Hi Hoffer,
  as Mike already said, use the Searchbase parameter. Here's an example how it could look like in the previous script:
  # Import Module
  Import-Module ActiveDirectory
  # Get old Groups
  $GroupsOld = Get-ADGroup -Filter { name -like "G-FG-*" } -Properties Members -SearchBase "OU=OU TestOU,DC=intra,DC=netzwerker,DC=de"
  # Then for each group do ...
  foreach ($GroupOld in $GroupsOld)
  # Get the name of the new group
  $NewName = "L-RG-" + $GroupOld.Name.SubString(5)
  # Add Group Members
  Add-ADGroupMember -Identity $NewName -Members $GroupOld.Members -ErrorAction 'SilentlyContinue'
  # Remove Members from old group
  Remove-ADGroupMember -Identity $GroupOld -Members $GroupOld.Members -Confirm:$false
  Basically, use the Distinguished name of an Organizational Unit as the searchbase parameter.
  If you want to know the Distinguished Name of a given OU, you can either use the AD Console, or use this command (change the name as necessary):
  Get-ADOrganizationalUnit -filter { name -eq "OU TestOU" } | Select -ExpandProperty DistinguishedName
  Cheers,
  Fred
  There's no place like 127.0.0.1

• Create Local Group on Member Servers

  Guys,
  I have put together below script (thanks to everyone for posting great scripts). I have copied some part of the script from the forum examples.
  This script will take Input, create Domain group and add that domain group to the number of member servers listed in the text file.
  So far so good, my this script works fine. 
  Question - I need to add functionality in the script to create new local group on member servers using same variable and Add the Domain group (created using same variable) in the newly created local group on member servers.
  I also want to have an output file for the failed hosts. 
  Appreciate your help.
  ==============================================
  # input
  $Name = Read-Host "Write Policy Name"
  #Create Domain User Group
  NEW-ADGroup -Name ${Name}_UserGroup –groupscope Global -path "ou=Test,DC=Lab,DC=Local" -Description "${Name} Domain users Group"
  #Read Servers from the Text File
  $Servers = Get-Content c:\temp\${Name}_Servers.txt
  #Initialize the Domain Group Object 
  $DomainGroup = [ADSI]"WinNT://Lab.local/${Name}_usergroup,group"
  #Add Domain group to the local Remote Desktop Group on member servers
  ForEach ($Server in $Servers) #Loop through each server 
      #Get Local Group object 
      $LocalGroup = [ADSI]"WinNT://$Server/Remote Desktop Users,group" 
      #Assign DomainGroup to LocalGroup 
      $LocalGroup.Add($DomainGroup.Path)
  ==============================

  You don't need scripts to manage local groups.
  Group Policy can do this for you.
  -- Bill Stewart [Bill_Stewart]

• Is there a way to give a local user permission to add a local user using the local group policy editor?

  I need to find a way to have the local administrator of a Windows Server 2012 system grant a local user (non-administrator) the ability to add a user for the machine using the local group policy editor. The machine is not part of any Active Directory environment,
  this is strictly on the one machine.  In my situation it is not an option to just make the user an administrator. The idea is to give someone the right to add a user and have no other such administrative rights. I need to accomplish this using the
  Local Group Policy editor or the Group Policy Management Console if it is possible to do this outside of an active directory environment. This is not an assignment to learn how to use these tools and I am not even sure if it would even be possible though I
  need to either find a way or find proof that it is not possible using these applications.

  Hi,
  Sorry for the delay reply.
  So did you want to non-admin user have the ability to add another user?
  As far as i know, we cannot add the user if we have no local admin permission, we will receive the error"Access denied".
  Regards.
  Vivian Wang