How to use GPO to add domain admins as an administrator on all computers in the domain

Posted on 2006-11-21
Last Modified: 2010-04-18
In our domain, end users are administrators of their own machines.  Although it is forbidden, some users remove domain admins from the administrators groups.  Is there a GPO that I can impliment that will force the addition od domain admins to all computers in the domain, without removing the end users account from the administrator group on their local machine?
Question by:dmaxIT
  • 4
  • 3
LVL 83

Expert Comment

ID: 17989855
Yes, through a "Restricted Groups" policy.
Do NOT use the "Administrators" group and add "Domain Admins" to the "This group has the following members" field, though; that would add the domain admins, but at the same time remove the locally defined admins.
Instead, add the "Domain Admins" group, and use the "This group is a member of the following groups" setting, add the "Administrators" group there.
Try this in a test OU with a test machine first.

Author Comment

ID: 17989906
Where is that GPO located?
LVL 83

Expert Comment

ID: 17989952
Someplace under Computer Configuration\Windows Configuration\Security Settings, can't look it up a the moment, but it's not too hard to find.
And maybe of interest:

Description of Group Policy Restricted Groups

Updates to Restricted Groups ("Member of") behavior of user-defined local groups

Expert Comment

ID: 17989976
You could also create a computer startup script (applied with group policy to your computer OU) with the following syntax:

net localgroup administrators "domainName\Domain Admins" /add

This will add the Domain Admins group and leave everything else in the administrators group intact.

Hope this helps
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 17990002
I am sorry that I am still not understanding this completely.  Currently, I have nothing in my restricted groups.  Do I add domain admins to the restrcted groups.  Will I then see the  "This group is a member of the following groups" setting?  Thanks for all of your help.
LVL 83

Expert Comment

ID: 17990055
Yes; right-click, choose "Add Group", enter "Domain Admins", add "Administrators" to the list "This group is a member of the following groups".

Author Comment

ID: 17990099
That worked for my 2000 machines, but my XP machines do not appear to be picking up the GPO?  Any ideas?
LVL 83

Accepted Solution

oBdA earned 250 total points
ID: 17990120
Do the XP machines have SP 2 installed? If not, check the second article I posted above.

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now