How can I add domain groups(domain users) to a local computer group?

Posted on 2009-04-28
Last Modified: 2012-05-06
Hi, I was wondering if there is a way to add a domain user or domain group to a computer's local group via Group Policies?

Windows Server 2003 AD environment
Windows XP Pro clients

Right now, I am going to Users & Computers Active Directory and right clicking on the computer and going to manage.  Then doing it manually.

It works, but can time consuming when dealing with several lab computers.

Just was wondering if there is a way to cover all these computers via GP.

Thanks for your time.

Question by:rsnellman
    LVL 29

    Assisted Solution

    LVL 57

    Accepted Solution

    The key in your statement is that you want to "add" to what is there.  Florian has a good blog entry about that here
    The reason I post Florian's blog is because many people still think that restricted groups can't be used to just add/append to what is there, but they can.
    LVL 15

    Assisted Solution

    we can use the Restricted Groups policy to add members of the domain to the local computers
    Administrator's group
    to do this create an OU and place all the workstations (on which you want to grant aministrative privilages) on this OU and follow these steps

    1. Right click the  OU and select properties.

    2. Go to the Group Policy Tab

    3. Select the group policy and click Edit.

    4. Go to Computer Configuration\ Windows Settings\ Security Settings\ Restricted

    5. While restriced groups is highlighted select action from the MMS toolbar and
    select "Add group"

    6. Click the "Browse" button

    7. Select the following group "Administrators" and click "OK"

    8. Click "OK" Again

    9. Doubleclick "Administrators"

    10. In the "members of this group" and click the "ADD" button.

    11. Select the browse button and select "Domain Users" and "users" and "system" and
    "administrators" and "domain administrators" click "OK" click "OK" Click OK.

    12. Now, from the command line type "secedit /refreshpolicy machine_policy"

    The "Domain Users" that log onto the workstations will be local administrators.


    Author Comment

    Does this remove all existing local users from that local account or does it just add to the local user account?

    Also, it only applies to that local group account (Administrator) not of the any other local group accounts (i.e. PowerUsers Group)?



    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Highfive Gives IT Their Time Back

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Step by step guide to Clean and Sort your windows registry! Introduction: Always remember: A Clean registry = Better performance = Save your invaluable time In this article we're going to clear our registry manually! Yes, manually! The e…
    Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

    761 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now