I have a branch office where I need to give my local IT guy administrative privileges on all local machines. I do not want him to be elevated to Domain Admin status, however, because he does not need to log into any servers or be able to access Active Directory at all. I am well aware that using Restricted Groups in a GPO is the preferred way to achieve this. I'm having trouble making it work. I create a GPO that applies to the computers at the branch office, make the IT guy a member of the group, and make the group a member of the domain admins and administrators groups. It doesn't work. He still does not have local administrative rights on the machines. Any ideas? If I could learn how to make this work, it would benefit me greatly in my organization. This is a wonderful capability that I would use a lot. Thanks.