Archived from groups: microsoft.public.win2000.security (
More info?)
Aside from the startup script option, which is a good alternative
(but it runs at each startup when one time would be sufficient for
an initial membership addition) one may also use a restricted
group definition, as you subject implies, if set in a GPO linked
to an OU that has those machines in its scope. Be aware that a
restricted group definition must state the complete and total
membership of the group being restricted, and, if use is made
of the member-of part (in addition to the members-in part) then
that must also state the complete and total memberships for
the group being restricted. In your case, you would need to
name the new domain account, the unadorned Administrator
account (the machine local one on each affected machine),
the Domain Admins group, and any other principals that need
to be in each and every impacted machine's local Administrators
group. It is convenient to use the polcy setting to rename the
built-in Administrators group in the same GPO so that you
have assurance that it is renamed the same way on all the
impacted machines.
--
Roger Abell
Microsoft MVP (Windows Security)
"Asif Razzaq Attari" <AsifRazzaqAttari@discussions.microsoft.com> wrote in
message news:7A17BB11-DDF2-47DA-A7DF-70C114A3F819@microsoft.com...
> I want to add a user named 'NewAdmin' into workstation's Administrators
> groups (Local Group) in about 50 workstations. How is it possible?
> --
> I like Microsoft Newsgroups, Which provides to help me.
>
> Thanks to Microsoft