How to Add AD user accounts or groups into the local Administrators group with GPO

2011/09/16 | By | 3 Replies More

How to use Restricted Groups?

( – or: How to Add AD user accounts or groups into the local Administrators group with GPO)

This article describes the feature “Restricted Groups” in Group Policy. This feature enables you – as the administrator – to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy.

As there are many questions about this in the newsgroups, I will come up with an example that shows how to put a group of Active Directory users into the local Administrators group on the clients.

For this article, I assume that you already created a global security group containing all users that shall become local Administrators on some client computers. In my example, the group is called “localAdmins”. The target (= client) computers reside in a specific OU.

If you’re using the Group Policy Editor, you navigate to the OU where the client computers reside and right-click it. Choose “Properties” and “Group Policy” where you create a new Policy and click “Edit”. You then navigate to:

Computer ConfigurationWindows SettingsSecurity Settings and then right-click “Restricted Groups” and choose “Add Group”.

You simply add the created group by clicking You simply add the created group by clicking “Browse..” or typing the group name into the box.

After clicking “OK”, another  window opens up, where you can find two boxes. The upper box, saying “Members of this group”, the lower one saying “This group is a member of”. In my case above I am adding a group called TechSupport.

If you added users or groups into the “Members of this group” box, you would advise the Restricted Groups feature to put the users and groups you selected into the localAdmins group. Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please understand that it replace them by wipeing existing users out of the local Admins group.

Since we do not want to add users or other groups to our existing group, but instead want to add a new  group to the local Administrators group on all of our clients, we have a look at the lower box – labeled “This group is member of”. We click “Add” and type in the name of the group that  we want  added to the localAdmins on each client. In this case, it’s “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is member of” advices “Restricted Groups” to add our localAdmins group into the “Administrators” group of the clients. The existing group members will not be touched – it simply adds in this case  the TechSupport group to every clients local administrators group.

Tags: ,

Category: Uncategorized

Comments (3)

Trackback URL | Comments RSS Feed

  1. Sagun says:

    Using Restricted groups, how can I have user A be a local admin to computer A only. I have 20 users that need to be local admins on their machine and no other machine. Right now, our restricted group only has IT members (i.e. ITAdmins, ITBizSol) thanks,

  2. Really well written post, thanks!

Leave a Reply

%d bloggers like this: