How to use GPO to add domain admins as an administrator on all computers in the domain

Posted on 2006-11-21
Medium Priority
Last Modified: 2010-04-18
In our domain, end users are administrators of their own machines.  Although it is forbidden, some users remove domain admins from the administrators groups.  Is there a GPO that I can impliment that will force the addition od domain admins to all computers in the domain, without removing the end users account from the administrator group on their local machine?
Question by:dmaxIT
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
LVL 85

Expert Comment

ID: 17989855
Yes, through a "Restricted Groups" policy.
Do NOT use the "Administrators" group and add "Domain Admins" to the "This group has the following members" field, though; that would add the domain admins, but at the same time remove the locally defined admins.
Instead, add the "Domain Admins" group, and use the "This group is a member of the following groups" setting, add the "Administrators" group there.
Try this in a test OU with a test machine first.

Author Comment

ID: 17989906
Where is that GPO located?
LVL 85

Expert Comment

ID: 17989952
Someplace under Computer Configuration\Windows Configuration\Security Settings, can't look it up a the moment, but it's not too hard to find.
And maybe of interest:

Description of Group Policy Restricted Groups

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI


Expert Comment

ID: 17989976
You could also create a computer startup script (applied with group policy to your computer OU) with the following syntax:

net localgroup administrators "domainName\Domain Admins" /add

This will add the Domain Admins group and leave everything else in the administrators group intact.

Hope this helps

Author Comment

ID: 17990002
I am sorry that I am still not understanding this completely.  Currently, I have nothing in my restricted groups.  Do I add domain admins to the restrcted groups.  Will I then see the  "This group is a member of the following groups" setting?  Thanks for all of your help.
LVL 85

Expert Comment

ID: 17990055
Yes; right-click, choose "Add Group", enter "Domain Admins", add "Administrators" to the list "This group is a member of the following groups".

Author Comment

ID: 17990099
That worked for my 2000 machines, but my XP machines do not appear to be picking up the GPO?  Any ideas?
LVL 85

Accepted Solution

oBdA earned 1000 total points
ID: 17990120
Do the XP machines have SP 2 installed? If not, check the second article I posted above.

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question