Local Admin account being removed from XP machines while using restricted groups in Group Policy

I'm using Restricted Groups to XP machines to allow Domain Admins admin rights to all boxes in domain via GP.  However, when this policy is applied, the local admin account is being removed.  This blocks support team from logging in to pc's locally to trouble shoot.  How do I manage the GP so that it doesn't remove the local admin account?
stvbrxAsked:
Who is Participating?
 
grayeConnect With a Mentor Commented:
Sorry, that's just how the Restricted Groups feature works.   It completely replaces the contents of the group with whatever you've put in the GPO.   It does not do a "merge", it allways does a "replace".

The easiest way to merely add an account to the local Administrators group would be to use a Startup batch file with the following:

net localgroup /add Administrators [domain\group] > nul 2>nul

BTW:  Domain Admins should  have already been a member of the local Adminstrators group
0
 
Kevin HaysIT AnalystCommented:
If you follow this link then everything should work without any questions.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

I'm assuming you are probably just missing 1 step is all as it could be confusing when you first try and setup the restricted groups.

0
 
Brian PiercePhotographerCommented:
Make sure you "Merge" and do not "Replace"
0
 
stvbrxAuthor Commented:
KCTS,
Meaning that I should have a Loopback in place?
0
 
stvbrxAuthor Commented:
Very disappointed that I can't make this work via GP.  Thanks for all your help!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.