

How can I add domain groups (domain users) to a local computer group?

Posted on 2009-04-28
Medium Priority
Last Modified: 2012-05-06
Hi, I was wondering if there is a way to add a domain user or domain group to a computer's local group via Group Policies?

Windows Server 2003 AD environment
Windows XP Pro clients

Right now, I am going to Users & Computers Active Directory and right clicking on the computer and going to manage.  Then doing it manually.

It works, but can be time consuming when dealing with several lab computers.

Just was wondering if there is a way to cover all these computers via GP.

Thanks for your time.

Question by:rsnellman
LVL 29

Assisted Solution

matrixnz earned 400 total points
ID: 24253245
LVL 57

Accepted Solution

Mike Kline earned 1200 total points
ID: 24253291
The key in your statement is that you want to "add" to what is there.  Florian has a good blog entry about that here
The reason I post Florian's blog is because many people still think that restricted groups can't be used to just add/append to what is there, but they can.
LVL 16

Assisted Solution

Narayan_singh earned 400 total points
ID: 24253346
We can use the Restricted Groups policy to add members of the domain to the local computer's Administrator's group. To do this, create an OU, place all the workstations (on which you want to grant administrative privileges) in this OU, and follow these steps:

1. Right click the  OU and select properties.

2. Go to the Group Policy Tab

3. Select the group policy and click Edit.

4. Go to Computer Configuration\ Windows Settings\ Security Settings\ Restricted

5. While Restricted Groups is highlighted, select Action from the MMS toolbar and select "Add group"

6. Click the "Browse" button

7. Select the following group "Administrators" and click "OK"

8. Click "OK" Again

9. Double-click "Administrators"

10. In "Members of this group", click the "ADD" button.

11. Select the browse button and select "Domain Users" and "users" and "system" and "administrators" and "domain administrators", click "OK", click "OK", click "OK".

12. Now, from the command line type "secedit /refreshpolicy machine_policy"

The "Domain Users" that log onto the workstations will be local administrators.


Author Comment

ID: 24278489
Does this remove all existing local users from that local account or does it just add to the local user account?

Also, it only applies to that local group account (Administrator), not to any of the other local group accounts (i.e. PowerUsers Group)?
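
The add-versus-replace distinction raised in this thread, as an added example that is not part of the original posts: Restricted Groups settings are stored in the GPO's GptTmpl.inf security template under `[Group Membership]`, where a `__Members` line is the "Members of this group" list (it replaces the group's membership) and a `__Memberof` line is the "This group is a member of" list (it only appends). The sample template, its domain SID and the function names are constructed for illustration, and principals are assumed to be in SID form.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"            # BUILTIN\Administrators (well-known SID)
BROAD_SIDS = {"S-1-1-0", "S-1-5-11"}       # Everyone, Authenticated Users
DOMAIN_USERS_RID = "513"                   # <domain SID>-513 is Domain Users

# Constructed sample template; the domain SID 1111-2222-3333 is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-513
*S-1-5-21-1111-2222-3333-1105__Memberof = *S-1-5-32-547
*S-1-5-21-1111-2222-3333-1105__Members =
"""

LINE = re.compile(r"\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", re.I)

def parse_group_membership(text):
    """Map (group, 'members'|'memberof') to the principals listed for it."""
    entries, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = LINE.match(line) if in_section else None
        if m:
            group, kind, value = m.groups()
            entries[(group, kind.lower())] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return entries

def is_broad(sid):
    """True for principals that cover every (authenticated) domain user."""
    return sid in BROAD_SIDS or (
        sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_USERS_RID)

def review(text):
    """Return (finding, group, principals) tuples for a template."""
    findings = []
    for (group, kind), principals in sorted(parse_group_membership(text).items()):
        if not principals:
            continue  # assumption: an empty list is treated as "not configured"
        # 'members' replaces the group's membership; 'memberof' only appends.
        findings.append(("replace" if kind == "members" else "append", group, principals))
        if kind == "members" and group == ADMINISTRATORS:
            findings += [("broad-admin", group, [p]) for p in principals if is_broad(p)]
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_INF):
        print(finding)
```
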


