I have a forest with over 700 computers. The workstations have over time had various local administrator groups and users added.
I used the restricted groups in Windows Computer Settings in the Group Policy editor and applied it to everybody in the forest.
I selected BUILTIN/ADMINISTRATORS and added ADMINISTRATOR and DOMAIN ADMINS to be the only local administrators.
That worked a treat. All the weird accounts were removed from the domain workstations and just Administrator and Domain Admins remain.
The problem is, I need to add 5 users to be allowed local administrator rights. But if I add them on the local machine, the group policy overrides them.
How can I make exceptions to the Restricted Groups policy?