Is there a good way to solve the following?
- Domain has an AD security group called "Workstation Administrators", for users that should not be domain admins, but should have local administrative control over all workstations in the domain
- Technicians frequently forget to manually add this group after joining a PC to the domain and waste time later on having to diagnose, go back and do it
Anybody know an automatic way of adding this group, or running a script on domain-join? Or would we need to run an automated audit process every so often after the fact?
Create a Group Policy Object and link it to the topmost OU that has workstation accounts. Then configure the Restricted Groups settings to add "Workstation Administrators" to the local group "Administrators" (or whatever the name is in your locale).
How-to: Using Restricted Groups
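For the "automated audit after the fact" part of the question, here is an added PowerShell example (not from this answer or from Microsoft's how-to) that checks every workstation computer account in AD and reports which machines are missing the domain group from local Administrators, whether you enforce it with Restricted Groups or not. It assumes the RSAT ActiveDirectory module on the admin machine, PowerShell remoting enabled on the clients, and the `OperatingSystem -notlike '*Server*'` filter as a stand-in for "workstation accounts"; adjust the filter to match your OU layout.

```powershell
# Added example (not part of the thread): audit every enabled, non-server
# computer account in AD and report which ones do not have the
# "Workstation Administrators" domain group in local Administrators.
# Assumes RSAT ActiveDirectory module, PowerShell remoting on the clients,
# and an account with rights to query their local groups.
$GroupName = 'Workstation Administrators'      # group name from the question

# Compare by SID rather than display name so a renamed group or a
# non-English locale cannot produce a false "missing" result.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value

$Workstations = Get-ADComputer -Filter "Enabled -eq 'True' -and OperatingSystem -notlike '*Server*'" -Properties OperatingSystem |
    Select-Object -ExpandProperty Name

# S-1-5-32-544 is the built-in Administrators group on every Windows
# machine, whatever it is called in the local language.
$Reports = Invoke-Command -ComputerName $Workstations -ErrorAction SilentlyContinue -ScriptBlock {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        HasGroup = (@($members.SID.Value) -contains $using:GroupSid)
        Members  = ($members.Name -join '; ')
    }
}

# Machines that answered but lack the group, and machines that never answered
# (powered off, firewalled, or remoting disabled) are two different findings.
$Missing     = $Reports | Where-Object { -not $_.HasGroup }
$Unreachable = $Workstations | Where-Object { $_ -notin $Reports.PSComputerName }

Write-Host "Checked $($Reports.Count) of $($Workstations.Count) workstations."
Write-Host "`nMissing '$GroupName' in local Administrators:"
$Missing | Format-Table Computer, Members -AutoSize
Write-Host "`nUnreachable (verify separately):"
$Unreachable | ForEach-Object { "  $_" }

# Keep a dated record so you can see whether the problem is shrinking.
$Reports | Export-Csv -NoTypeInformation -Path ".\LocalAdminAudit-$(Get-Date -Format yyyyMMdd).csv"
```

Run it from a scheduled task or on demand after a batch of new joins. Listing the full `Members` column is deliberate: while you are looking for the missing group, you also see any unexpected local accounts or users that technicians added by hand, which is the other half of keeping local Administrators under control.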
If Restricted Groups is too restrictive, or you are unable to utilise Group Policy Client-side Extensions, you can use a VBScript assigned as a GPO computer startup script linked to the relevant OU/s.
See KB555026.
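As an added illustration of the startup-script route (my own example, not the VBScript from KB555026), the same thing in PowerShell for clients that have the LocalAccounts cmdlets (Windows 10 / PowerShell 5.1 and later). Assign it under Computer Configuration > Policies > Windows Settings > Scripts > Startup on the workstation OU; it runs as SYSTEM on the reboot that the domain join requires anyway, and it is safe to run on every boot because it only adds the group when it is absent. The group name and log path are assumptions to adjust.

```powershell
# Added example (not from the thread or KB555026): GPO computer startup script
# that makes sure the domain group is in local Administrators. Runs as SYSTEM.
$GroupName = 'Workstation Administrators'
$LogFile   = "$env:ProgramData\WorkstationAdmins.log"   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

try {
    # Resolve the group to its SID. On a domain-joined machine an unqualified
    # name is looked up locally first, then in the domain; if you also have a
    # local group with the same name, qualify it as 'DOMAIN\Workstation Administrators'.
    $account  = New-Object System.Security.Principal.NTAccount($GroupName)
    $groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # S-1-5-32-544 is the built-in Administrators group in every locale,
    # so the script does not depend on the group's localized name.
    $alreadyMember = Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.SID.Value -eq $groupSid.Value }

    if ($alreadyMember) {
        Write-Log "OK: '$GroupName' ($($groupSid.Value)) is already in local Administrators."
    } else {
        Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $groupSid.Value
        Write-Log "ADDED: '$GroupName' ($($groupSid.Value)) to local Administrators."
    }
} catch {
    # Typical cause: no domain controller reachable at boot (laptop off the LAN),
    # so the name cannot be resolved. Record it; the script runs again next boot.
    Write-Log "ERROR: $($_.Exception.Message)"
}
```

Unlike Restricted Groups, this only ever adds a member and never removes anything, so it will not fight with other local admin grants; if you want the "only these members" behaviour, Restricted Groups is still the right tool. The log file gives you a per-machine trail to check when a technician reports that the group "isn't there".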