Subject: Re: Default Security Groups
Posted by:  jzow… (jzow…
Date: 23 Feb 2007

On Feb 21, 3:00 am, "Mike" <r.…> wrote:
> By default, the Domain Admins group is a member of the Administrators group
> on all computers that have joined a domain, including the domain
> controllers.
> Does anyone know how to change this default behaviour? Specifically we would
> like to add a second security group to the computers administrator group,
> based on which OU the computer was created prior to joining, without using
> scripts.


I had the same issue and finally found a good solution.  We wanted our
helpdesk staff to be admins on all workstations and laptops but did
not want to make them domain admins.  I used a startup script via
group policy.  It's a relatively easy way to do it.  It will take about
10 minutes to implement.  And it ensures that it applies to all
PCs.  It doesn't remove any existing users from the local
administrators group.  And best of all, if a user with admin rights
tries to remove IT staff from the local admins, the script adds them
back upon next restart.

1.  Create a global security group called WorkstationAdmins and add
your IT staff into it.

2.  Create a group policy to run a startup script [Computer
Configuration | Windows Settings | Scripts | Startup ]

3.  This is the contents of the script.  Give the script a name such
as  add-admins-to-pc.vbs
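' "." refers to the local computer the startup script runs on
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
Set objUser = GetObject("WinNT://domain-name/WorkstationAdmins")
' Ignore the error raised when the group is already a member
On Error Resume Next
objGroup.Add(objUser.ADsPath)
On Error Goto 0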

4.  Link the policy to the OU(s) that contains your computers.

5.  This will apply to all the computers in the linked OUs.  It will
not apply to computers in the Computers Container since policies can't
be applied to it.  The PCs have to be moved from there to an OU for
the policy to apply.

6. Restart your PCs twice and the group should be added.

Hope this helps.
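
An added example, not part of the original post: because the startup script only adds the group and never removes existing members, this PowerShell check lists who is in the local Administrators group on a PC and compares it with an allow-list. The names `domain-name` and `WorkstationAdmins` are the post's placeholders; `$Expected` and both function names are assumptions to adapt.

```powershell
# Added example: audit local Administrators after the startup script has run.
# 'domain-name' / 'WorkstationAdmins' are the placeholders used in the post.
# $Expected is a hypothetical allow-list; adjust it to your environment.
$Domain   = 'domain-name'
$Expected = @("$Domain/Domain Admins", "$Domain/WorkstationAdmins")

function Get-LocalAdminMembers {
    param([string]$Computer = '.')
    # Same WinNT provider path the VBScript uses
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        # Members are COM objects, so properties are read via InvokeMember.
        # Domain principals appear as DOMAIN/Name, local accounts as
        # DOMAIN/COMPUTER/Name, orphaned entries as a bare SID.
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        [pscustomobject]@{
            Member = $path -replace '^WinNT://', ''
            Class  = $class
        }
    }
}

function Test-LocalAdmins {
    param([object[]]$Members, [string[]]$Expected)
    $names = @($Members | ForEach-Object { $_.Member })
    [pscustomobject]@{
        # Expected principals that the script has not (yet) added
        Missing    = @($Expected | Where-Object { $names -notcontains $_ })
        # Everything else still holding local admin rights
        Unexpected = @($Members  | Where-Object { $Expected -notcontains $_.Member })
    }
}

$result = Test-LocalAdmins -Members (Get-LocalAdminMembers) -Expected $Expected
$result.Missing    | ForEach-Object { Write-Warning "Not in local Administrators: $_" }
$result.Unexpected | ForEach-Object { "Review: $($_.Member) [$($_.Class)]" }
```

The built-in local Administrator account will show up under "Review" unless you add it to the allow-list.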



