Download the Local Group manipulation tool.
Joe Richards writes:
Lg - Local group manipulation tool. Create/Enumerate/Delete/set the comments of local groups locally or remotely in a domain or on a specific machine. Even add/remove members of the groups. This tool works in a slightly different way in that it pulls the SIDS of the security principals and adds those to the specific group. The reason I did this is so that you could add a group from the first domain into the machine of a second domain and then move that machine into the first and have that group membership be valid.
To put it more specifically, say you have a machine in Domain A and you want to put it into Domain B and gosh darn it you have the ability to do that through delegation or something. Well when the machine moves from Domain A to Domain B, Domain A Domain Admins are gone from the administrators group and Domain B domain admins are added. But wait, you aren't a Domain B Domain Admin!!! Unless you have a local ID on that box which is an administrator ID you are locked out from making any more changes. Not anymore, now you can pre-add the group you need say "OUAdmins of the Bob OU" from Domain B to the administrators group of the machine. The SID you added will be unknown until such a time that the machine is added to the new domain at which point it will work.
Note that the tool is not aware of OU's yet so you can't create a group in a specific OU or see what OU a group exists in but that is something that I am thinking about for a future version as I actually need that functionality myself. Right now groups created land in the Users container but you can manipulate groups in OU's no problem.
G:\Dev\cpp\LG>lg \\pro1\administrators LG V01.01.00cpp Joe Richards ([email protected]) August 2002 USER : PRO1\Administrator GROUP : JOEHOME\Domain Admins BI-GROUP: NT AUTHORITY\SYSTEM USER : JOEHOME\Administrator 4 members listed The command completed successfully. Update: V1.01.00 - Added -lu option to list users in groups when doing enumeration (. option) of all local groups on a domain or server. \[Version: 1.01.00, Date: 08/20/2002\] C:\>lg /? LG V01.01.00cpp Joe Richards ([email protected]) August 2002 Usage: LG Group SecPrin \[switches\] Group LocalGroup to work with Group can be specified in the following ways: o domain\localgroup o \\server\localgroup o localgroup If Group is specified as domain\. or \\server\. localgroups at that location are enumerated If Group is specified as . the localgroups on the local machine are enumerated SecPrin Security Principal to add/remove from group Switches: (designated by - or /) -add Add SecPrin to Group. -remove Remove SecPrin from Group -addgroup Add localgroup specified -removegroup Remove localgroup specified -r computer Specify computer to resolve SIDs. \[LOCALHOST\] -comment Display LG Comments -setcomment Set Comment for addgroup -lu List Users (only used for . enumerate option) Ex1: lg domain\. Enumerate localgroups on domain Ex2: lg domain\. -lu Enumerate all localgroups and members on domain Ex3: lg \\computer\. Enumerate localgroups on computer Ex4: lg . -comment Enumerate localgroups and comments on localhost Ex5: lg users Enumerates members of localgroup users on localhost Ex6: lg \\computer\bob -addgroup -setcomment "bobs group" Create bob localgroup on computer with comment Ex7: lg bob -setcomment "bobs group" Sets comment for localgroup bob on localhost Ex8: lg users joe doug louise /add Adds joe, doug, and louise to localgroup joe Ex9: lg \comp1users louise -add -r comp3 Adds SID resolved at comp3 for louise to localgroup joe on comp1 This software is Freeware. Use it as you wish at your own risk. If you have improvement ideas, bugs, or just wish to say Hi, I receive email 24x7 and read it in a semi-regular timeframe. You can usually find me at [email protected]