Nothing can irritate me more than seeing a littering of user accounts in the local group inventories on a server. The Remote Desktop Users, Power Users, and Administrators local groups can be restricted groups for servers depending on many situations. I don't have an issue with the permissions assigned; let's face it--we all need to do our jobs. The issue is how we get there.
Here are a few ways Windows administrators can drop in group memberships via script. The first one is for the old-school net command administrator in all of us:
net localgroup Administrators /Add RWVDEV\SelectAdminsIn the example, the Administrators local group has the domain group RWVDEV\SelectAdmins added to its inventory. You can go the PowerShell route as well for the same command and introduce the option to perform the task on a remote computer:
$computerName = 'baselinews2k3-2.rwvdev.intra'
$userName = 'SelectAdmins'
$localGroupName = 'Administrators'
$domainName = 'RWVDEV'
if ($computerName -eq "") {$computerName = "$env:computername"}
[string]$domainName = ([ADSI]'').name
([ADSI]"WinNT://$computerName/$localGroupName,group").
Add("WinNT://RWVDEV/$userName")
Write-Host "User $domainName\$userName is now member of local group
$localGroupName on $computerName." Note: This PowerShell script was adapted from this PowerShell.com post.This script will perform the same task and can be pushed to a remote computer (in this example, it was sent to the baselinews2k3-2 server). Also, the $userName variable can be a group name instead of an explicit user.
In addition, Group Policy can manage restricted group membership and push to domain computers via Group Policy Objects (GPOs). But, inevitably, there are scenarios where you may need to manage individual systems in lieu of creating GPOs.
If you have other ways of managing membership via scripts, let us know in the discussion.