Add Domain Group to Local Administrators Group through policy without replacing those already established.

Our AD consists of about 20 groups, where our different departments are not allowed to log onto other departments'/users' computers. Example: Bob is allowed to log onto his own computer and Frank's, but Frank is not allowed onto Bob's. We have added a PCAdministrator global security group and have added Jim to the group. We want this group to be added to every computer's local Administrators group, but not to the domain Administrators group.
We understand that the script to do this will work, but it is full of security holes, and the person logging in must be a local admin for it to actually run.

rem DOMAIN is a placeholder for the NetBIOS domain name
net localgroup Administrators "DOMAIN\PCAdministrator" /add

The Restricted Groups method works great, but it will actually replace any local admins already in place. Since there are too many computers to go around to individually to add the PCAdministrator group, even through Computer Management, we figure there must be a different/better method. Also, the Restricted Groups method added PCAdministrator to the AD Builtin Administrators group... this is definitely not good.

Any help is greatly appreciated.

Please look at my profile.  I wouldn't suggest to anyone to do something I wasn't sure of in a production network.

The most common method of using Restricted Groups is the "first way" in my last post.  The other (less known or used method) is the one you want.

You can test it easily by creating a test OU, moving a PC into it and creating a simple GPO that is linked to this OU that uses Restricted Groups as I instructed above.

You should see that only your PCAdministrator group is added, nothing is removed.
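A before/after check for that test PC, added here as an example and not part of the original thread. It assumes the domain is CONTOSO and the group is PCAdministrator (change $Expected), enumerates the local Administrators group through the WinNT ADSI provider so it also runs on older clients, forces a computer-side policy refresh, and then reports exactly what the GPO added or removed:

```powershell
# Added example, not from the original thread. Run from an elevated prompt on the PC
# that was moved into the test OU. CONTOSO\PCAdministrator is an assumed name.
param(
    [string]$Expected = 'CONTOSO\PCAdministrator'
)

function Get-LocalAdminMembers {
    # Enumerate the local Administrators group and return DOMAIN\Name
    # (or COMPUTERNAME\Name) strings, sorted and de-duplicated.
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    } | Sort-Object -Unique
}

$before = @(Get-LocalAdminMembers)
Write-Host "Administrators before policy refresh:`n  $($before -join "`n  ")"

# Re-apply the computer-side GPOs now instead of waiting for the background refresh.
gpupdate /target:computer /force | Out-Null

$after = @(Get-LocalAdminMembers)
Write-Host "Administrators after policy refresh:`n  $($after -join "`n  ")"

$removed = @($before | Where-Object { $after  -notcontains $_ })
$added   = @($after  | Where-Object { $before -notcontains $_ })

if ($removed.Count -gt 0) {
    # Members disappearing means the GPO enforces a fixed list ("Members of this group"),
    # not the additive "This group is a member of" setting described above.
    Write-Warning "Policy REMOVED: $($removed -join ', ')"
}
if ($after -contains $Expected) {
    Write-Host "OK: $Expected is a member (added by this refresh: $($added -contains $Expected))."
} else {
    Write-Warning "$Expected is NOT in Administrators; check the GPO scope with 'gpresult /r'."
}
```

If the "removed" warning fires on the test PC, the policy is using the replacing style and nothing has been lost beyond that one machine; fix the GPO before widening the OU.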

Actually, you can use Restricted groups to add to a group instead of replacing.

Right-click Restricted Groups
Select Add Group.
Browse to your PCAdministrator Group
On the next screen, Select Add under "This group is a member of"
Type in Administrators manually.
OK your way out.

This will only add the Domain group to the local Administrators group, it won't replace anything already there.
With respect to making sure it does NOT add your group to the AD Administrators group, make sure you link the policy to an OU where the PCs live (not the Computers container) so that it does not apply to the servers.

If this isn't possible, then on the Security tab of the policy find the entry for Domain Controllers and check Apply Group Policy under DENY.


brian_appliedcpu (Author) commented:
OK, but that does not resolve the issue where it will delete any administrators previously added.

The method I described does not remove any other members from the local Administrators group; whatever is in that group will remain.

There are two ways to use Restricted Groups - one way replaces the members of a group with those you choose and then enforces that list.

The other way is how I described above.  It will add a group WITHOUT removing anything already there.

I see nothing in your post stating you want to remove certain entries - is there more to what you are trying to do?
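The two Restricted Groups styles referred to above, and the click-through steps given earlier, end up as different keys in the GPO's security template (GptTmpl.inf, section [Group Membership]). The script below is an added example, not from the thread or from Microsoft: it carries two constructed templates (the domain SID S-1-5-21-1111111111-2222222222-3333333333 and RID 1105 for PCAdministrator are made up), classifies each entry as additive or replacing, and can be pointed with -Path at a real template from SYSVOL:

```powershell
# Added example, not from the original thread. Audits the [Group Membership] section of
# a Restricted Groups security template. The templates below are constructed; the
# domain SID and RID 1105 (PCAdministrator) are made up. A real template lives at
#   \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
param([string]$Path)

# "This group is a member of" (the steps above): PCAdministrator__Memberof names the
# groups it is added to; its __Members side is empty, so nothing is enforced or removed.
$AdditiveTemplate = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
'@

# "Members of this group" (the common first way): Administrators__Members is a full
# list, and anyone not on it is removed at every policy refresh (RID 512 = Domain Admins).
$ReplacingTemplate = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-21-1111111111-2222222222-3333333333-512
'@

function Resolve-Sid([string]$Token) {
    # Entries are either names or SIDs prefixed with '*'. Translate the well-known ones
    # (S-1-5-32-544 -> BUILTIN\Administrators); keep SIDs this machine cannot resolve raw.
    if ($Token -notlike '*S-1-*') { return $Token }
    $sid = $Token.TrimStart('*')
    try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

function Get-RestrictedGroupsPolicy {
    param([string[]]$Lines)
    $inSection = $false
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($t -match '^(?<group>.+?)__(?<kind>Memberof|Members)\s*=\s*(?<value>.*)$') {
            $group = $Matches['group']; $kind = $Matches['kind']
            $list  = @($Matches['value'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($list.Count -eq 0) { continue }   # the GUI writes both keys; an empty one does nothing
            if ($kind -eq 'Memberof') {
                foreach ($target in $list) {
                    $note = ''
                    if ($target -eq '*S-1-5-32-544') {
                        $note = 'On a DC this is the domain Builtin\Administrators group; link to the PC OU or deny Domain Controllers.'
                    }
                    [pscustomobject]@{ Mode = 'Additive'; Target = Resolve-Sid $target; Member = Resolve-Sid $group; Note = $note }
                }
            } else {
                [pscustomobject]@{
                    Mode   = 'Replace'
                    Target = Resolve-Sid $group
                    Member = ($list | ForEach-Object { Resolve-Sid $_ }) -join ', '
                    Note   = 'Exact list enforced; current members not listed are removed at every refresh.'
                }
            }
        }
    }
}

Write-Host '== constructed additive template =='
Get-RestrictedGroupsPolicy -Lines ($AdditiveTemplate -split "`r?`n") | Format-Table -AutoSize -Wrap
Write-Host '== constructed replacing template =='
Get-RestrictedGroupsPolicy -Lines ($ReplacingTemplate -split "`r?`n") | Format-Table -AutoSize -Wrap
if ($Path) {
    Write-Host "== $Path =="
    Get-RestrictedGroupsPolicy -Lines (Get-Content -Path $Path) | Format-Table -AutoSize -Wrap
}
```

Reading the template is a quick way to confirm which style a GPO uses before it reaches 80 PCs: an Administrators__Members line with anything after the equals sign is the replacing style, a PCAdministrator__Memberof line pointing at *S-1-5-32-544 is the additive one.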

brian_appliedcpu (Author) commented:
I just noticed other postings that said entries in the Local Users and Groups Administrators group would be removed, and I did not want to just experiment and mess up around 80 PCs.


brian_appliedcpu (Author) commented:
That is exactly what I did to test and all is fine.
Thanks for your assistance.

Super!  Glad to help.
