A common problem in Windows domain management is the removing of Domain Admin group from Local Admin group by users. This operation prevent from the Domain Admin group to connect to Administrative shares (like c$), log on to user workstation/server, track on user activity and so on.
Using "Restrict Groups" option from Windows 2000/2003 GPO impose some solution for this problem, but if there local users on the workstation/server, this option inefficient, and may harm the workstation/server users.
Machine Script Solution:
By combine Windows 2000/2003 GPO and creating a machine script, we can get
A good Solution to this problem, and by avoiding the problems that "Restrict Groups" option from Windows 2000/2003 GPO create.
The script structure:
Script Name: Machine_Startup_Script.vbs (You can use any name that you like,
But you need to verify that the file name suffix end with
Operation Interval: Each machine startup or/and shutdown.
'Beginning Of the Script
On Error Resume Next
'get main objects/variables
Set ws = WScript.CreateObject ( "WScript.Shell" )
compname = ws.ExpandEnvironmentStrings ( "%COMPUTERNAME%" )
Set adGrp = GetObject ( "WinNT://" & compname & "/Administrators,group" )
'add domain groups to local admin group
adGrp.Add ( "WinNT://mywindowsdomain/Domain Admins,group" )
'End of the Script
mywindowsdomain = The NetBIOS name of the Domain that the user workstation log into.
Sentence that begin with " ' " use for a comment only.
After creating the script, we need add this script to Domain Default GPO – as
Computer startup or/and shutdown script and we done.
Windows 2000 Computer Startup Scripts:
Active Directory Services and Group Policy in Windows Server 2003:
Windows 2000 Group Policy: