I'm organizing a number of servers by arranging them in organizational units (OUs) by server roles (e.g., application server, file server). When I bring each server into its OU, I need to add an appropriate group, which I've named after the server role (e.g., AppAdmins, FileAdmins), to the local Administrators group. I also want to add an overall ServerAdmins group to the local Administrators group on each server. How can I automate this task?
You can use a computer startup script to add any group (or user account) to the local Administrators group on each server. Here are the steps to take:
- Create a Group Policy Object (GPO) in each OU.
- In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, add the Startup.bat startup script, which Listing 2 shows, to the GPO you created in each OU. Then, add the group names to the Script Parameters text box in the Add a Script dialog box. (If you're unfamiliar with how to add scripts and their parameters to GPOs, see the Web-exclusive sidebar "Adding Startup Scripts to GPOs," http://www.winnetmag.com/windowsscripting, InstantDoc ID 27330.) Although you can add as many groups as you want, the script's Net Localgroup command limits you to names with 20 or fewer characters. If you have a group name with embedded spaces, you need to enclose that argument in double quotes (e.g., "App Admins"). If you have groups from multiple domains, you need to preface the account names with the domain (e.g., "Acct\App Admins", Sales\ServerAdmins).
- When each machine in the OU reboots, Startup.bat's Shift command pulls in each group name you entered in the Script Parameters text box, and the Net Localgroup command adds that group to the server's local Administrators group. Note that startup scripts run only when the computer starts up. Consequently, any servers currently in the OUs, or that you move into the OUs, won't have the groups pushed in until the next reboot.
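The Shift/Net Localgroup loop the steps above describe, written out as an added example; this is a constructed script, not the article's Listing 2, and the log-file path and the membership pre-check are assumptions of this example, not part of the original procedure:

```batch
@echo off
rem Constructed startup script (not the article's Listing 2): adds every
rem group passed in the GPO Script Parameters box to the local
rem Administrators group, one argument at a time, via Shift and Net Localgroup.
rem Parameters example: ServerAdmins "Acct\App Admins" Sales\FileAdmins
setlocal
rem Assumed log location so an admin can audit what each reboot changed.
set LOGFILE=%SystemRoot%\Temp\startup-localadmins.log

:loop
rem %~1 strips any surrounding double quotes so the name can be re-quoted
rem consistently (needed for group names with embedded spaces).
if "%~1"=="" goto done

rem Skip accounts that are already members so repeated reboots do not fill
rem the log with "already a member" errors. Net Localgroup lists domain
rem members as DOMAIN\Name, so pass domain-qualified names for this whole-line
rem match to work; an unqualified name simply falls through to /add, which
rem then fails harmlessly with "already a member".
net localgroup Administrators | findstr /i /x /c:"%~1" >nul
if %errorlevel%==0 (
    >>"%LOGFILE%" echo %date% %time% %~1 already in Administrators
) else (
    net localgroup Administrators "%~1" /add >>"%LOGFILE%" 2>&1
    if errorlevel 1 (
        >>"%LOGFILE%" echo %date% %time% FAILED to add %~1
    ) else (
        >>"%LOGFILE%" echo %date% %time% added %~1 to Administrators
    )
)
shift
goto loop

:done
endlocal
```

The redirection is placed before each echo so that an argument ending in a digit (e.g., Admins2) is not misparsed as a stream-handle redirect.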