Make members of a group local administrators

Similar Messages

• Find workstations with specific group in local administrators group

  Hello,
  Is there a simple script that will search the workstations in a domain looking for the existence of a specific domain group nested in the local administrators group ?  Our desktop group can up with the idea of using domain groups nested in the local
  admin group to grant administrator privileges to specific computers.  They can list the members of the domain group easily but they have no easy way to know on what workstations they have added the group to.  Output I am looking for is simply a list
  of computers that have the specific group in the administrators group.   Any advice would be appreciated.
  Bobby

  Thisis donethrough Group Policy.  It is a special aspect of gP to set and mamintain groups on local machines.  You can protect a machine fromchanges and allow users to be added and removed.
  If you are just look ing to list tehcontents o a local group then get the module "Local Administration" in the Repository. It has all of the tools you need.
  You can also use WMI to retrieve Group memmbership.
  ¯\_(ツ)_/¯

• LDAP Query for particular user account in local Administrators group on All Enabled Computer Accounts

  Need to query on all enabled computer accounts that have a particular user account present in the local Administrators group.
  Ldap query is best, because not all our machines have SCCM client
  Thanks for any help you can provide. Lisa

  Ya, I have 41800+ computer accounts in my directory. I think that option is not feasible :) Thanks for your reply.
  I can use SCCM to do this too, but only for those that the client is running on and which are online. Thanks again.
  Hope is not all lost; a scripting solution is still possible.  The difference is instead of running a central script to pull info from all computers, you let the computers report back to you with the info.
  If I were you, I'd do the following:
  1) Create a file share and adjust the permissions so that "Domain Computers" have "Modify" Permissions.
  2) Create a script similar to the 2nd link I posted above, with a bit of adjustment:  at the end of the script, write the information to the file share created in (1), and name the file
  ComputerName.txt
  3) Use Group Policy Preference Scheduled Task to deploy the script, and make sure it only runs once.
  4) Happily wait for the results to come back :)
  The main benefit of this approach is you're not restricted by the computer connectivity at the moment you run the script.  This is especially true if you have many mobile computers in your environment.  Just wait for a reasonable time (they all need
  to come back to the mother ship once a while don't they?) and the results will show up in the file share you created.
  Cheers.

• Adding users in Local Administrators Group using GP Restricted Group

  Hi Experts.
  I have approx 200 servers. There are user1, user2 and user3 which I have added in
  Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
  Administrators member.
  Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
  In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
  Any idea?
  Regards Suman B. Singh

  Hi,
  How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
  and then we can use Security Filtering to apply the specific GPOs to specific computers.
  Regarding security filtering, the following article can be referred to for more information.
  Security filtering using GPMC
  https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
  Filter Using Security Groups
  https://technet.microsoft.com/en-us/library/cc752992.aspx
  Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
  computers.
  Regarding GPP Local Users and Groups, the following article can be referred to for more information.
  Configure a Local Group Item
  https://technet.microsoft.com/en-us/library/cc732525.aspx
  How to use Group Policy Preferences to Secure Local Administrator Groups
  http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
  Regarding Item-Level Targeting, the following article can be referred to for more information.
  Preference Item-Level Targeting
  https://msdn.microsoft.com/en-us/library/cc733022.aspx
  Best regards,
  Frank Shen

• VBS: Add domain user and group to local administrators

  I have a piece of VBS code that I have modified that basically adds a specified domain user and group to the PCs local Administrators group. It works on Windows 7, but not on Windows 8 at all.
  Call AddUserToGroup("./Administrators", "myDomain.net/NetworkAdminis")
  Call AddUserToGroup("./Administrators", "myDomain.net/Domain Admins")
  Call addDomainUser("myDomain", "myUserGroup")
  Sub AddUserToGroup(local, domain)
  Dim objLocalGroup
  Dim objDomainGroup
  Dim server
  For Each server in servers
  Set objLocalGroup = GetObject("WinNT://" & local & ",group")
  Set objDomainGroup = GetObject("WinNT://" & domain & ",group")
  With objLocalGroup
  .Add(objDomainGroup.AdsPath)
  .SetInfo
  End With
  Next
  Set objLocalGroup = Nothing
  Set objDomainGroup = Nothing
  End Sub
  Sub addDomainUser(strDomain, strUser)
  Dim strComputer
  Dim objWshNet
  Dim objGroup
  Dim objUser
  Set objWshNet = CreateObject("WScript.Network")
  strComputer = objWshNet.ComputerName
  Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
  Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")
  If Not objGroup.IsMember(objUser.ADsPath) Then
  objGroup.Add (objUser.ADsPath)
  End If
  Set objWshNet = Nothing
  Set objGroup = Nothing
  Set objUser = Nothing
  End Sub
  I have debugged the code line by line using VBA's IDE and there seems to be no error condition firing. It executes all lines, but it is not adding the users and groups as it did with Windows 7 and below. The script is being run as local administrator.

  Hi,
  The first step is to comment out your On Error Resume Next line and try again.
  Don't retire TechNet! -
  (Don't give up yet - 13,225+ strong and growing)

• How to find out when was local administrators group changed

  Hi
  Is there any way how to find out when was user added to local administrators group on server(2003 to 2012) ?

  Hi,
  If you have auditing enabled for "Audit account management" and your security logs are not overwritten then you can look for a 4732 or 636 (Windows 2003) event ids.
  https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx
  https://technet.microsoft.com/en-us/library/dd772663(v=ws.10).aspx
  Hope it helps.
  Regards,
  Calin

• Check to see if I am in the local administrators group

  I am trying to check if I am in the local administrators group with this PowerShell script:
  $wp=new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())
  if ($wp.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)){
  Write-Host "You have local administrator privileges"
  }else{
  Write-Host "You DO NOT have local administrator privileges"
  But it always returns that I DO NOT have administrator priviileges even though when I manage the computer I see that my user account is in the local administrators group. I have a feeling that this is checking to see if I am in the domain administrators
  group but I am new enough to administration with powershell I am not sure. Anyone care to share some hints?
  Thank you.
  Kevin
  Kevin Burton

  This is from another thread.  Run it to see what happens:
  $wp=new-object System.Security.Principal.WindowsPrincipal([System.Security.Principal.WindowsIdentity]::GetCurrent())
  if ($wp.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)){
  $host.UI.RawUI.WindowTitle=$myInvocation.MyCommand.Definition + '(Elevated)'
  $host.UI.RawUI.BackgroundColor='DarkBlue'
  }else{
  $p=new-object System.Diagnostics.ProcessStartInfo('PowerShell')
  $p.Arguments = $myInvocation.MyCommand.Definition
  $p.Verb='runas'
  [System.Diagnostics.Process]::Start($p)
  exit
  # Run your code that needs to be elevated here
  Write-Host -NoNewLine 'Press any key to continue...'
  $host.UI.RawUI.FlushInputBuffer()
  $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
  ¯\_(ツ)_/¯

• Add Windows 7 local administrators group to another local group

  So I have the local group MyLocalGroup and I need to add the local Administrators group as member of MyLocalGroup
  I'm working with Windows 7 Professional with Windows Management 4
  I have tried:
  [ADSI]$LocalAdmonistratorGroup="WinNT://$Env:COMPUTERNAME/Administrators,Group"
  [ADSI]$MyUsersGroup="WinNT://$Env:COMPUTERNAME/MYLOCALGROUP,Group"
  $MyUsersGroup.Add($LocalAdmonistratorGroup.Path)
  Exception calling "Add" with "1" argument(s): "A member could not be added to or removed from the local group because the member does not exist."
  BUT:
  $LocalAdmonistratorGroup.Add($MyUsersGroup.Path)
  It's work! And MyLocalGroup is member of administrator.
  I have made some test and:
  1. A user can be added to any local group (ok)
  2. A local group can be member of any local group (ok)
  3. A group or a user can be added to local Administrators group
  4. If I try to add local administrators group as member of any other local group I receive the error!
  How I can add the Local Administrators group as member of another local group using PowerShell (with interface work)?
  Thanks,
  Lorenzo Soncini
  LSo Lorenzo Soncini Trento TN - Italy

  Hi Lorenzo,
  Nesting local groups (add a local group to the group membership of another local group on the same client )is not recommended.
  Refer to:
  Nesting of local groups is not supported on workstations or member servers
  If we execute this operation via Computer Management Interface, it will produce error.
  Some group authoring tools can add local Group To local Built-in Groups, however, our suggestion is to never nest local groups even when it is allowed by a group authoring tool like “net local group” because such nesting doesn’t reflect the group expansion
  constraints and the end results would be different from the expected results.”
  Refer to:
  Nested User Groups (Groups in Groups) / Built-in Local Groups Issue
  If there is anything else regarding this issue, please feel free to post back.
  If you have any feedback on our support, please click here.
  Best Regards,
  Anna Wang
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• What is the difference between using the command "dsmgmt" and the "Managed By" tab when adding users to the local administrators Account on a Read-Only Domain Controller?

  When I use the
  "dsmgmt" command to add a user to the local administrators account of a RODC I can actually see the user when I use the "Show Role Administrators" parameter. However, I can't see the members of the
  group added to the "Managed By" tab of the RODC object in AD. Even though, the users added using
  "dsmgmt" and by the "Managed By" tab can all log in locally and have admin rights to the RODC. Are there any differences between these two ways of adding users to the local administrators account? 

  Hi,
  For groups, managedBy is an administrative convenience to designate “group admins”. Whatever principal listed in
  managedBy gets permission to update a group’s membership (the actual security is updated on the group’s AD object to allow this).
  In Win2008 and later managedBy also became the way you delegated local administration on an RODC, allowing branch admins to install patches, manage shares, etc. (http://technet.microsoft.com/en-us/library/cc755310(WS.10).aspx). 
  On the RODC, this is updating the RepairAdmin registry value within RODCRoles.
  So the difference between them should be only the way they do the same thing.
  For more details, please refer to the below article:
  http://blogs.technet.com/b/askds/archive/2011/06/24/friday-mail-sack-wahoo-edition.aspx
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Can ZAM capture local Administrators from client?

  Hi, my first time posting here. My organization uses Zenworks 11 SP1 (ZCM and ZAM). Can ZAM be configured to capture members of the local administrators group off of the client? Our client machines are Windows XP SP3, and local administrators can be found at My Computer-Manage-Local Users and Groups-Groups-Administrators on the client.
  Our client services guys know ZAM much better than I do and they have never been able to find how to do this. I'm writing a custom app that needs requires this data. We have a workaround process in place, but it's a little clunky and it would really be ideal if we had a way to just capture this directly into ZAM since the large majority of the other data I need is already coming from ZAM. Was just wondering if any Zenworks gurus out there could shed a little light. Thank you in advance for any replies.

  Chris,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://support.novell.com and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://forums.novell.com/

• Prevent local administrators from opting out of Microsoft Updates / accessing Windows Update "Change settings" page

  Hello,
  Is there a a group policy setting / dll file / registry setting that I can restrict access to that would either:
  A) prevent local administrators from unchecking the "Give me updates for other Microsoft products when I update Windows" box?
  or
  B) prevent access to the "Change settings" option on the left side of Windows Update?
  Thanks!

  > referring to the "Remove access to use all Windows Update features"
  Yes.
  > enabling this group policy setting would disable Windows Update and
  No. It removes access to windows update, not windows update itself. If
  you enable it, you have to make sure that windows update is properly
  configured:
  http://gpsearch.azurewebsites.net/#2791
  >
  https://technet.microsoft.com/en-us/library/bb490846.aspx). This is not
  This article is - hum - somewhat outdated :)
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Restrict Local Administrators from change Network property

  In my office Environment we are using Development machines on which every developer has Local Administrator rights on there system. We are using 2 Internet lines in which one line is fast speed and another one is slow one, due to slow internet speed on
  second line some peoples manually change the Gateway IP and switch from slow to Fast one, to stop this we need to restrict those users from changing IP on windows 7. Only domain Administrator can able to change that Setting. we are using Window Server 2008
  R2 as ADDS. is there any way to stop this using domain group Policy? or Local security policy?

  Hi Siddheshrsawant,
  Sorry, we can’t restrict local administrators from changing network property via Group Policy, and this is by design.
  For confirmation, the following thread also focused on the similar issue and can be referred to for information.
  Unable to lock down Network Connections settings with Group Policy
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/32045ab3-0496-4f5e-b2c2-71ba0f2ed073/unable-to-lock-down-network-connections-settings-with-group-policy?forum=winserverGP
  Best regards,
  Frank Shen

• Can not add members to a Group as Group Administrator

  Hi,
  My collegue has created a Group 'WE_PM_group' and added me to that Group with role 'Group Administrator'.
  But when I connect to the 'Create Group Or Add New Members' tool, then after SSO and acknowledging the 'read and understood Beehive Online Guidelines', it does not show the 'WE_PM_group' (it shows no Groups) and I can only Create a group.
  My question : how can I add members to the Group that my collegue created and for which I am Group Administrator ?
  Note : When I connect to the BeehiveOnline Administration Tool, I indeed see my e-mail address within the Group 'WE_PM_group' and with the correct role (Group Administrator)
  Thanks for your help,
  Peter

  If you go to the APEX app and have any group - like your Administrator - you will have a list of group - each of them is a hyperlink. Click on the group and the Group settings will be displayed - one of the fields is the Manager email. Get him/her to puit your email in that field, separated by a comma, and you are good to go.
  Phil

• How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group

  How can I set up an SMS group so that all group members can dial a group number and have a text sent out to all members of the group
  This would be an SMS group similar to an email listserv but running on the SMS network
  I have seen private individuals offering this service
  It seems strange to me that no internet site like Apple, Yahoo or Google offers this as a free service much as the email group services are free services.
  Steve

  I think the app GroupMe might do what you want. You might also try contacting your carrier. My carrier offered some fancy group texting service for a while but they never really advertised it so, unless you asked, you never would have known. But, GroupMe is available in the app store. There are lots of other apps that also do group texting but it seems to be the one that gets recommended the most.

• How can I query all the members of a group using querbuilder?  I cannot find any related properties

  How can I query all the members of a group using querbuilder?  I cannot find any related properties describing members under /home/groups/s/sample_group in jcr repository.

  Hi,
  FieldPoint Explorer is no longer used to configure FieldPoint systems. However, I do not think that the configuring your system in FieldPoint Explorer is causing the error.
  FieldPoint systems are now setup in Measurement and Automation Explorer (MAX).  Information on setting up FieldPoint systems in MAX can be found in the MAX help under: Installed Products>> FieldPoint. Also, I recommend upgrading to the latest FieldPoint driver and version of MAX.  The FieldPoint VI's will be slightly different when you upgrade, so there is a good chance that this will eliminate the error.
  Regards,
  Hal L.