Group Policy / local administrator advice req please

[DavrosDalek]

Hi
I have a requirement to add a single user to the local admins on all client machines. Adding this user as part of Domain Admins will not do the job, it must be added itself.

I would like to add this account to the local admins on all pcs using group policies in the Active Directory but i can't find out where i should do it.

Can one of you chaps point me in the right direction please ?

Cheers
Craig

 

[primate]

AFAIK there isn't a way to do this - GPO's set through AD affect settings relating to the domain and since the Local Administrators group on a machine is not a member of the domain you can't enforce membership on it from a domain based GPO. Might be wrong though....

 

[kmcferrin]

Sounds right to me. You can probably write a script that will connect to each machine on a list and add that user to the local admins.

My personal thought is to add a new domain group to the Local Admins group on each PC. That way if you ever have to do this again you can just add the user to the domain group, or if you need to remove the user from Local Admins group later on you can just remove them from the new domain group.

My domain has groups for Local Admin and Local Power User that are members of the matching groups on each PC. I find that it saves a lot of time.