How to use GPO to add domain admins as an administrator on all computers in the domain

In our domain, end users are administrators of their own machines.  Although it is forbidden, some users remove domain admins from the administrators groups.  Is there a GPO that I can impliment that will force the addition od domain admins to all computers in the domain, without removing the end users account from the administrator group on their local machine?
dmaxITAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
oBdAConnect With a Mentor Commented:
Do the XP machines have SP 2 installed? If not, check the second article I posted above.
0
 
oBdACommented:
Yes, through a "Restricted Groups" policy.
Do NOT use the "Administrators" group and add "Domain Admins" to the "This group has the following members" field, though; that would add the domain admins, but at the same time remove the locally defined admins.
Instead, add the "Domain Admins" group, and use the "This group is a member of the following groups" setting, add the "Administrators" group there.
Try this in a test OU with a test machine first.
0
 
dmaxITAuthor Commented:
Where is that GPO located?
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
oBdACommented:
Someplace under Computer Configuration\Windows Configuration\Security Settings, can't look it up a the moment, but it's not too hard to find.
And maybe of interest:

Description of Group Policy Restricted Groups
http://support.microsoft.com/?kbid=810076

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/?kbid=810076
0
 
SamuraiCrowCommented:
You could also create a computer startup script (applied with group policy to your computer OU) with the following syntax:

net localgroup administrators "domainName\Domain Admins" /add

This will add the Domain Admins group and leave everything else in the administrators group intact.

Hope this helps
Crow
0
 
dmaxITAuthor Commented:
I am sorry that I am still not understanding this completely.  Currently, I have nothing in my restricted groups.  Do I add domain admins to the restrcted groups.  Will I then see the  "This group is a member of the following groups" setting?  Thanks for all of your help.
0
 
oBdACommented:
Yes; right-click, choose "Add Group", enter "Domain Admins", add "Administrators" to the list "This group is a member of the following groups".
0
 
dmaxITAuthor Commented:
That worked for my 2000 machines, but my XP machines do not appear to be picking up the GPO?  Any ideas?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.