I've had to do this a couple of times, but chose a different solution for most of my customers, since they didn't really want to download and execute another tool when running a startup script on their computers. While resolving the SID is certainly the most exact solution, my approach has worked reliably in the past - but you don't get around knowing the group names on your clients: basically the script uses an array of potential administrator group names to be found on clients, then works through them. You'll supply the most appropriate for the region up front in the list.
I've included the appropriate bits of the VB script below. And as most customers have deployed a naming convention for their computers that relates in one way or another to the location which is to manage the client, the script derives the name of the group to add to the local admin group from the computername (e.g. for client called LGER0815001 => group to add would be ADM_GER0815_AdminClient) let me know if you want the whole script. /Guido 'set list of potential names for local administrator group sLocalAdminGroupNames = "Administratoren,Administrators,Administrateurs" arrLocalAdminGroupNames = Split(sLocalAdminGroupNames,",") 'get computername and check AdminClient groupname to use Set oNet = CreateObject("WScript.Network") sCurCompName = oNet.ComputerName If bVerbose Then Log("CurrentComputer: " & sCurCompName) sCurCompHomeSite = Mid(sCurCompName,2,7) If bVerbose Then Log("HomeSite: " & sCurCompHomeSite) 'create appropriate group-name sGroupMemberLocation = "ADM_"& sCurCompHomeSite & "_AdminClient" Log("AdminClient group for Location: " & sDomainName &"\"& sGroupMemberLocation) 'adding group to local administrator group For R = 0 To UBound(arrLocalAdminGroupNames) sLocalAdminGroupName = arrLocalAdminGroupNames(R) On Error Resume Next Set oAdminGroup = GetObject("WinNT://"& sCurCompName &"/"&sLocalAdminGroupName) If not(lcase(oAdminGroup.name) = lcase(sLocalAdminGroupName)) Then 'wrong groupname bFoundAdminGroup = False If bVerbose Then Log(" can't find " & sLocalAdminGroupName) Else 'continue with adding group bFoundAdminGroup = True If bVerbose Then Log(" found " & sLocalAdminGroupName) 'adding domain-groupmember to local group on client Log("adding '"&sDomainName&"\"&sGroupMemberLocation&"' to local admin group") oAdminGroup.Add "WinNT://"& sDomainName &"/"& sGroupMemberLocation &"" CheckError Exit For End If Next 'Loop through list of admin groupnames If Not bFoundAdminGroup Then Log("can't find a matching name for local Admingroup...") -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Montag, 10. Oktober 2005 10:08 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Adding local admin rights to non english native o s? Thanks for the replies guys Joe, converting the administrator wellknown sid to user seems like a great idea - but then involves copying the .exe into the local machines first and executing it? Havent work out how to do it without copying the sid converter program...if so would have to copy it from the netlogon? For some reason I've done like below but just aint working out :( perhaps some variables like set L is not avail yet on startup? for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^|qgrep Name') do set gpoadminvar=%%i net localgroup %gpoadminvar% /add "domain\OUAdmins" Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp -----Original Message----- From: Brian Desmond [mailto:[EMAIL PROTECTED] Sent: Saturday, October 08, 2005 9:17 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os? In 9 years of Spanish, I didn't learn Administrator in Spanish. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 07, 2005 9:02 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os? Better make that "Powerum Tripum Maximum" or else Laura might get on your about only representing the masculine gender. :o) I knew 3 years of Latin would eventually come in useful. ;o) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, October 07, 2005 5:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os? "Powerus Tripus Maximus" ? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP] Sent: Friday, October 07, 2005 2:03 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os? What is "Administrators" in Latin? Ed Crowley MCSE+Internet MVP Freelance E-Mail Philosopher Protecting the world from PSTs and Bricked Backups!(tm) -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 07, 2005 11:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Adding local admin rights to non english native os? This is when your high school language classes come in handy. You will need to know what "administrators" translates to in the target language. For example, in German, it's "administratoren", so your code will look like this: net localgroup administratoren blah blah blah HTH Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Freddy HARTONO Sent: Fri 10/7/2005 8:51 AM To: 'activedir@mail.activedir.org' Subject: [ActiveDir] Adding local admin rights to non english native os? Hi all, Usually net localgroup administrators xxx /add would work fine on computer startup gpo - but how about on non english native oses? Would this work as well? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9740 - temp List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/