Can I add domain groups to the local admin group through group policy?
I administer 1,200+ desktop computers running Win XP Pro. I want to know if there is a way to add domain groups to the local administrators group through group policy. I figured out how to manually add the groups to the local computer, but with hundreds of systems this can take weeks. FYI, we are running SMS and I noticed that it has added itself to the local admin group. The reason for this is there are several software programs that need local administrator rights in order to function properly. On any given computer, there are several dozen users that use the computer, and to add each user locally as a local admin is not a suitable option. As for security, we are running software called Deep Freeze. This software removes any changes and software added to the system when restarted.
Yes, there is a way. Create a Group Policy Object (GPO) that runs a WMI script as a logon script. The WMI script would then add the domain group to the local Administrators group. For examples of WMI scripts that you can use to create your own, see the TechNet Script Center at http://www.microsoft.com/technet/scriptcenter/default.asp
This was first published in January 2004
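A script of the kind the answer describes, as an added example that is not part of the original answer or taken from the Script Center. It uses PowerShell with the ADSI WinNT provider rather than a WMI script, and `CONTOSO` and `Desktop-LocalAdmins` are placeholder names. It assumes it runs with local administrator rights (a GPO computer startup script runs as Local System), and it lists the current members first so unexpected administrators show up in the output.

```powershell
# Added example: idempotently add one domain group to the local Administrators
# group and report who is already a member.
# 'CONTOSO' and 'Desktop-LocalAdmins' are placeholders, not names from the page.
param(
    [string]$Domain    = 'CONTOSO',
    [string]$GroupName = 'Desktop-LocalAdmins'
)

$ErrorActionPreference = 'Stop'
$computer = $env:COMPUTERNAME

# Resolve the local Administrators group from its well-known SID (S-1-5-32-544)
# so the script also works where the group name is localized.
$sid       = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$localName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$admins    = [ADSI]"WinNT://$computer/$localName,group"

# Read the current membership as ADsPath strings (WinNT://DOMAIN/name).
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# Emit the existing members so the run leaves an audit trail of local admins.
Write-Output "[$computer] current members of ${localName}:"
$members | ForEach-Object { Write-Output "  $_" }

$target = "WinNT://$Domain/$GroupName"

if ($members -contains $target) {
    # Already present: do nothing, so repeated runs are harmless.
    Write-Output "[$computer] $Domain\$GroupName is already a member; no change."
}
else {
    try {
        # The ',group' suffix tells the WinNT provider the object class to bind.
        $admins.psbase.Invoke('Add', "$target,group")
        Write-Output "[$computer] added $Domain\$GroupName to $localName."
    }
    catch {
        # Typical causes: insufficient rights, or the domain is unreachable.
        Write-Error "[$computer] could not add $Domain\$GroupName : $($_.Exception.Message)"
        exit 1
    }
}
```

Add a dedicated domain group rather than a broad one such as Domain Users, and keep the script output so changes to local administrator membership can be reviewed per machine.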