Restricted Groups

marrj used Ask the Experts™
I have a branch office where I need to give my local IT guy administrative privileges on all local machines.  I do not want him to be elevated to Domain Admin status, however, because he does not need to log into any servers or be able to access Active Directory at all.  I am well aware that using Restricted Groups in a GPO is the preferred way to achieve this.  I'm having trouble making it work.  I create a GPO that applies to the computers at the branch office, make the IT guy a member of the group, and make the group a member of the Domain Admins and Administrators groups.  It doesn't work.  He still does not have local administrative rights on the machines.  Any ideas?  If I could learn how to make this work, it would benefit me greatly in my organization.  This is a wonderful capability that I would use a lot.  Thanks.


By the way, the GPO is being applied according to the gpresult command and the group policy results and modeling wizards.  I guess I'm simply not creating it correctly.
Did you follow Florian's guide?

You mentioned you made the group a member of Domain Admins; you don't need to do that.

Remember that you can add the group to what is currently there on the machines or you can wipe and replace.  You probably want to add.  Florian explains it all in his blog.


ThinkPaperIT Consultant

Can you take a screenshot of the GPO setting in question? Also, I assume you've already rebooted a workstation to validate it?

It should be something like...

Restricted Groups

Group:       BUILTIN\Administrators
Members:     domain\localITguy, domain\Domain Admins
Member of:   BUILTIN\Administrators

You would need to make sure to include any other administrator accounts or groups that need to be local admins.
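A quick way to confirm on a branch workstation that the Restricted Groups policy produced exactly the membership shown above, and that the branch IT group has not ended up in Domain Admins as a side effect. This is an added PowerShell check, not code from the thread or from Experts Exchange; the names CONTOSO\BranchIT and localITguy are placeholders, and the Domain Admins check assumes the RSAT ActiveDirectory module is installed on the machine running it (Get-LocalGroupMember needs PowerShell 5.1 or later).

```powershell
# Added example: compare the local Administrators group against what the
# Restricted Groups policy was meant to produce, and flag any drift.
# Placeholder names: CONTOSO\BranchIT (branch IT group), localITguy (the IT user).
$Expected = @(
    'CONTOSO\BranchIT',                  # group added by the GPO
    'CONTOSO\Domain Admins',             # keep Domain Admins as local admins
    "$env:COMPUTERNAME\Administrator"    # built-in local Administrator account
)

# .Name comes back as 'DOMAIN\name' or 'COMPUTER\name'.
$Actual = Get-LocalGroupMember -Group 'Administrators' |
          Select-Object -ExpandProperty Name

$Missing    = $Expected | Where-Object { $_ -notin $Actual }
$Unexpected = $Actual   | Where-Object { $_ -notin $Expected }

if ($Missing)    { Write-Warning "Not in local Administrators: $($Missing -join ', ')" }
if ($Unexpected) { Write-Warning "Unexpected local admins: $($Unexpected -join ', ')" }
if (-not $Missing -and -not $Unexpected) {
    Write-Host 'Local Administrators matches the Restricted Groups policy.'
}

# The other half of the original question: the IT user must not be an
# effective member of Domain Admins. -Recursive expands nested groups, so a
# group that was mistakenly made a member of Domain Admins is caught too.
# Assumes the RSAT ActiveDirectory module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $DomainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                    Select-Object -ExpandProperty SamAccountName
    if ('localITguy' -in $DomainAdmins) {
        Write-Warning 'localITguy is an effective member of Domain Admins (directly or via nesting).'
    } else {
        Write-Host 'localITguy is not a member of Domain Admins.'
    }
}
```

Run it on the workstation after a reboot (or after gpupdate /force). The "Unexpected" list is the one to watch when the policy is configured in the replace style, since Restricted Groups then removes everything not listed, and the Domain Admins check catches the mistake described in the question of making the IT group a member of Domain Admins.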
Technical Lead
I personally would not recommend using Restricted Groups to do this: Restricted Groups is a very powerful tool, and simple mistakes can mean big headaches. You don't need to get any more complex than necessary.
Instead, there is a much easier way to accomplish what you want:
Create a group and add the local IT administrator's ID to this group.
Set a startup script in group policy with the following line:
NET localgroup Administrators "domain_name\domain_group" /add
That's it. The next time the computers are started, the group will be added to the local Administrators group.
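The startup-script approach above can be made safe to run at every boot by checking membership first and recording what it did. The following PowerShell is an added example, not the script from this answer; CONTOSO\BranchIT and the event source name BranchAdminStartup are placeholders, and it assumes PowerShell 5.1 or later for Add-LocalGroupMember (on older clients the NET localgroup line above is the equivalent).

```powershell
# Added example: idempotent GPO startup script that puts one domain group into the
# local Administrators group. Runs as SYSTEM at boot, so no prompts are possible.
# Placeholder values: CONTOSO\BranchIT (domain group), BranchAdminStartup (event source).
$Group  = 'CONTOSO\BranchIT'
$Source = 'BranchAdminStartup'

# Register an event source once so each run leaves an auditable trace.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

$Members = Get-LocalGroupMember -Group 'Administrators' |
           Select-Object -ExpandProperty Name

if ($Group -in $Members) {
    # Already present: do nothing, so repeated boots never error or duplicate.
    Write-EventLog -LogName Application -Source $Source -EventId 1000 `
        -EntryType Information -Message "$Group is already in local Administrators; no change."
} else {
    # Only this one group is added; existing local admins are left untouched,
    # unlike a Restricted Groups policy configured to replace membership.
    Add-LocalGroupMember -Group 'Administrators' -Member $Group
    Write-EventLog -LogName Application -Source $Source -EventId 1001 `
        -EntryType Warning -Message "Added $Group to local Administrators."
}
```

Deploy it under Computer Configuration > Windows Settings > Scripts > Startup on the same branch-office GPO. Event ID 1001 in the Application log then tells you which machines actually gained the group, which is easier to review centrally than re-running gpresult on each workstation.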

If you want to configure Restricted Groups, refer to this link:
If you want your member not to have Domain Admin rights, the group that your guy is a member of mustn't be a member of the Domain Admins group (this is important). (You may put your user into another group that is a member of only the Administrators group.)

On the Restricted Groups policy settings, select your member's group and click OK; then, on the 'This group is a member of' tab, click Add and select the 'Administrators' group.

Open Run and type gpupdate /force.

I hope this will work.
