In a Microsoft Windows server domain (in this case a mixed-mode environment of Windows 2003 Server, Windows Server 2003 Enterprise, Windows 2000 Server and Windows 2000 Advanced Server), there was a need to create a local administrators group, add members to that group, and give those users administrator access to either workstations or servers. With a Group Policy Object (GPO), this can be done either by executing a script or by configuring a Restricted Group policy.
Restricted Group Policy Example
The benefit of this design is a simpler configuration that takes effect at each Group Policy refresh (which would be each day or at reboot, as this is a Computer policy). In this example, the builtin\administrators group will contain only the domain administrators, local administrators, and administrator.
Visual Basic Script (VBS) Example
The following script may be saved as LocalAdmin.vbs. The benefit of this script is that it is loaded each time the user logs into the domain.
strComputer = "."   ' "." refers to the local computer
' Bind to the local Administrators group through the WinNT provider
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
Domain = "DOMAINNAMEHERE"   ' Sets the string variable to the domain
' Add each domain group only if it is not already a member
If Not objGroup.IsMember("WinNT://" & Domain & "/" & "localadmins") Then objGroup.Add("WinNT://" & Domain & "/" & "localadmins")
If Not objGroup.IsMember("WinNT://" & Domain & "/" & "domain admins") Then objGroup.Add("WinNT://" & Domain & "/" & "domain admins")
The Restricted Group policy resets the local Administrators group upon each GP refresh; any other account will be removed. The script only appends to the local Administrators group: an account that the script does not specifically target will not be affected.
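Because the script only appends, members added to the local Administrators group by other means stay there until someone looks. The following audit script is an added example, not part of the original article: it lists every member of the local Administrators group that is not on an allowlist. The allowlist is an assumption that mirrors the Restricted Group example (Domain Admins, the localadmins group from the script above, and the built-in local Administrator account); the file name LocalAdminAudit.vbs and the MemberKey helper are hypothetical.

```vbscript
' LocalAdminAudit.vbs (added example; file name is hypothetical)
Option Explicit

Const DOMAIN = "DOMAINNAMEHERE"   ' placeholder, same as in LocalAdmin.vbs

Dim strComputer, objNetwork, objGroup, objMember
Dim dictAllowed, strKey, intUnexpected

strComputer = "."
Set objNetwork = CreateObject("WScript.Network")

' Allowlist keyed by lower-case "authority/name" (assumed membership)
Set dictAllowed = CreateObject("Scripting.Dictionary")
dictAllowed.Add LCase(DOMAIN & "/domain admins"), True
dictAllowed.Add LCase(DOMAIN & "/localadmins"), True
dictAllowed.Add LCase(objNetwork.ComputerName & "/Administrator"), True

Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
intUnexpected = 0

' Walk the current membership and report anything not on the allowlist
For Each objMember In objGroup.Members
    strKey = MemberKey(objMember.ADsPath)
    If Not dictAllowed.Exists(strKey) Then
        intUnexpected = intUnexpected + 1
        WScript.Echo "UNEXPECTED " & objMember.Class & ": " & objMember.ADsPath
    End If
Next

WScript.Echo intUnexpected & " unexpected member(s) on " & objNetwork.ComputerName
WScript.Quit intUnexpected   ' non-zero exit code when drift is found

' Reduce an ADsPath to its last two segments, "authority/name".
' Local accounts look like WinNT://DOMAIN/COMPUTER/name, domain accounts
' like WinNT://DOMAIN/name; an unresolved SID has a single segment.
Function MemberKey(strPath)
    Dim arrParts, n
    arrParts = Split(Mid(strPath, 9), "/")   ' drop the "WinNT://" prefix
    n = UBound(arrParts)
    If n >= 1 Then
        MemberKey = LCase(arrParts(n - 1) & "/" & arrParts(n))
    Else
        MemberKey = LCase(arrParts(n))
    End If
End Function
```

Run it with cscript.exe so the output goes to the console and the exit code can be collected by whatever schedules it.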