Local Admin groups
My question is this: when we image our machines, they are on a different subnet than our working network. When we are done with the imaging, we add the computer to the same subnet as the other computers, then we join it to the domain. How can we add a local admin that is part of the working network when we have not yet joined the system to the domain, so that when we do add it to the domain it shows up? I have already tried adding Administrators1=DOMAIN\GROUPNAME in the customsettings.ini file, then after it was imaged joined the machine to the domain, but did not see our group show up. Am I doing something wrong?
I'm not sure what you're asking. Is the local admin a default local admin, a local account you've created, or a domain user or group?
It looks like you are trying to add a domain group to the local admins group. If you are on a subnet that cannot communicate with the rest of the network when you image the machine, then it cannot get the information to add the domain group.
Look at setting the local admin group via Group Policy; then when you join the domain, the group will show up as part of the group policies.
Using Restricted Groups
Well, from what I have been hearing, it cannot be done. Basically, what I wanted to do is this: we have a local admin group that we put on every machine we image. Our imaging is done on a separate network, and then after the imaging is done we join it to the working network and add it to the domain. What I was hoping to do was insert some sort of command into our imaging solution that would, once joined to the domain, add this local admin group to every PC we image and then join to the domain.
But I think the best way to do this is to just push it down through Group Policy when we join it to the network.
We've done something similar, although we haven't changed subnets. Join the machine to the domain, add the group and disconnect it from the domain. Make all of your changes and take an image. When a PC with this image is joined to the domain, it still has the local admins group that had been added.
You can't add an account which isn't in a 'trusted' domain to a computer.
You could use GPP to do it though? In the working domain you can add a GPP policy to alter groups on the local machine and add network/domain accounts to this.
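
The thread settles on Group Policy (Restricted Groups or GPP) as the way to do this. As an added example that is not part of the original thread, here is a post-join script of the kind the original poster asked about: it does nothing until the machine is domain-joined, then adds the group to the local Administrators group and lists the resulting membership for review. `DOMAIN\GROUPNAME` is the placeholder from the question, and running this as a startup or scheduled task is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: ensure a domain group is in the local Administrators group,
# but only after the domain join, when the name can actually be resolved.
param(
    [string]$DomainGroup = 'DOMAIN\GROUPNAME'   # placeholder from the thread
)

# Well-known SID of the built-in Administrators group; avoids depending on
# the localized group name.
$AdminsSid = 'S-1-5-32-544'

# Before the join, the machine has no trust with the domain, so the group
# cannot be looked up. Exit without changing anything.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Write-Output "Not domain-joined yet; '$DomainGroup' cannot be resolved. Nothing changed."
    return
}

try {
    $members = Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop
} catch {
    Write-Warning "Could not read local Administrators: $($_.Exception.Message)"
    return
}

if ($members.Name -contains $DomainGroup) {
    Write-Output "'$DomainGroup' is already a local administrator."
} else {
    try {
        Add-LocalGroupMember -SID $AdminsSid -Member $DomainGroup -ErrorAction Stop
        Write-Output "Added '$DomainGroup' to local Administrators."
    } catch {
        # Typical causes: no domain controller reachable, or the name is wrong.
        Write-Warning "Could not add '$DomainGroup': $($_.Exception.Message)"
    }
}

# List the final membership so unexpected administrators are visible in the
# imaging or task log.
Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, ObjectClass, PrincipalSource
```

A one-time script like this does not correct later changes to the group; a Restricted Groups or GPP policy is reapplied at each policy refresh.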