Group Policy to give Domain Users Local Admin Rights?

Posted on 2006-03-24
Last Modified: 2010-05-18
Does anyone know of a way (through group policy or script but preferably group policy) to make each computer give 'Domain Users' local administrator rights to the PC?

I know it is not the best practice, but at this point in time it is all we can do....
Question by:lttech
    LVL 33

    Expert Comment

    To use restricted groups:
    Open Active Directory Users and Computers.
    Browse to the OU that will contain the computer account objects
    Open "Properties"
    Select the Group Policy Tab
    Create a new Group Policy Object
    Edit the new object
    In the Group Policy MMC, browse to:
    Computer Configuration/Windows Settings/Security Settings/Restricted Groups
    Right-Click and choose "Add Group"
    The group name you enter will be the group that is restricted (Administrators)
    Select the group and choose the allowed members.
    Using Restricted Groups for the above example:

    Specify "Administrator", and your administration group to the Administrators restricted group settings

    Note: If you have renamed the administrator account, use the new name or the local built-in admin will be removed (as the names don't match)

    Note: This only works properly if all built-in administrator accounts of the machines in the OU have the same username. (You can use the administrator account rename feature in the GPO to make them all rename to the same value)

    LVL 33

    Expert Comment

    other link:  (basically the same instructions...using GPO)
    LVL 33

    Accepted Solution

    more info:

    Restricted Groups

    To locate this security setting in the console tree in Microsoft Management Console (MMC), see Computer Configuration\Windows Settings\Security Settings\Restricted Groups

    This security setting allows an administrator to define two properties for security-sensitive groups ("restricted" groups).

    The two properties are Members and Member Of. The Members list defines who belongs and who does not belong to the restricted group. The Member Of list specifies which other groups the restricted group belongs to.

    When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added.

    You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. In addition, the reverse membership configuration option ensures that each Restricted Group is a member of only those groups that are specified in the Member Of column.

    For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group.

    There are two ways to apply Restricted Groups policy:

    Define the policy in a security template, which will be applied during configuration on your local computer.
    Define the setting on a Group Policy object (GPO) directly, which means that the policy goes into effect with every refresh of policy. The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
    Default: None specified.


    If a Restricted Groups policy is defined and Group Policy is refreshed, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators.

    Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers.
    An empty Members list means that the restricted group has no members; an empty Member Of list means that the groups to which the restricted group belongs are not specified.

    LVL 48

    Expert Comment

    Hi NJComputerNetworks,

    With restricted groups in 2003 there is now the ability to "append" so that you don't lose whatever groups are already part of your local group.

    I only learnt about this the other day from The Cleaner.

    LVL 48

    Expert Comment

    Sorry NJ, meant to direct that to Ittech
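An added example, not part of the original thread or any poster's code: a Python check that reads the `[Group Membership]` section of a GPO security template (the `GptTmpl.inf` layout is assumed here) and reports when a broad group such as Domain Users ends up in local Administrators, either through the Members list (which replaces existing members) or through Member Of (which appends). The sample text and its domain SID are constructed, and the function names are hypothetical.

```python
import re

ADMINS = "S-1-5-32-544"  # BUILTIN\Administrators
# Well-known broad principals; Domain Users is matched by its RID (513).
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")

# Constructed sample; the domain SID below is made up for illustration.
SAMPLE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,*S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
"""

def parse_group_membership(text):
    """Return {(group, 'members'|'memberof'): [principals]} from the section."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entries[(group.lstrip("*"), kind.lower())] = names
    return entries

def broad_name(principal):
    """Friendly name if the SID is a broad group, else None."""
    return "Domain Users" if DOMAIN_USERS.match(principal) else BROAD.get(principal)

def audit(text):
    """List (mode, group) pairs that put a broad group into local Administrators."""
    findings = []
    for (group, kind), names in parse_group_membership(text).items():
        if kind == "members" and group == ADMINS:
            # Members mode: this list replaces the group's membership on refresh.
            findings += [("replace", broad_name(n)) for n in names if broad_name(n)]
        elif kind == "memberof" and ADMINS in names and broad_name(group):
            # Member Of mode: the group is added; existing members are kept.
            findings.append(("append", broad_name(group)))
    return findings
```

When reading a real template from SYSVOL, open it with the encoding the file actually uses (these files are typically UTF-16) before passing the text to `audit`.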
