Windows Server – Add ‘Workstation Administrators’ to Local Administrators Group on Domain Join

windows-server-2003workstation-management

Is there a good way to solve the following?

Domain has an AD security group called "Workstation Administrators", for users that should not be domain admins, but should have local administrative control over all workstations in the domain
Technicians frequently forget to manually add this group after joining a PC to the domain and wastes time later on having to diagnose, go back and do it

Anybody know an automatic way of adding this group, or running a script on domain-join? Or would we need to run an automated audit process every so often after the fact?

Best Answer

Create a Group Policy Object and link it to the topmost OU that has workstation accounts. Then configure the Restricted Groups settings to add "Workstation Administrators" to the local group "Administrators" (or whatever the name is in your locale).

How-to: Using Restricted Groups

Related Solutions

Can i have a ‘limited Administrator’ for the purposes of unlocking workstations

As already explained, you do not need a domain admin to 'unlock' a computer, the user is only required to be a local administrator.

The best solution i think here is to automatically log out users that are idle for a certain period.
EDIT:

It's not a straight forward GPO and requires a bit of a kludge with modifying the windows screensaver. Here's what you do:

Download the Windows Server 2003 Resource Kit Tools
Copy the Winexit.scr out of the resource kit to the %systemroot%\system32 directory on each workstation
Create a user GPO with the following settings: alt text http://img34.yfrog.com/img34/6015/mwsnap53020091124100617.jpg

- for screensaver executable name use:winexit.scr
- for screen saver time-out specify how log the idle time should be before logging out. This is in seconds.

Can’t add domain users to local groups on a server

I assume the server in question isn't a domain controller, in which case, have you checked its DNS settings?

They should be configured to use the same DNS server that your AD is using.

Can you perform an nslookup on your domain name from the server?

For example (assuming your DNS domain name is example.local)

h:\> nslookup example.local
Server dc1.example.local
Addresss: 1.2.3.4

Name:    example.local
Addresses:  1.2.3.4, 1.2.3.5, 1.2.3.6

It's worth checking, as in my experience, this type of error usually is down to DNS configuration being wrong somewhere along the line.

Best Answer

Related Solutions

Can i have a ‘limited Administrator’ for the purposes of unlocking workstations

Can’t add domain users to local groups on a server

Related Topic