mmudry
asked on
Restricted Groups
Currently we have a group policy applied to all our desktop OUs that adds the following groups to the desktops' restricted groups:
BUILTIN\Administrators
DOMAIN\Desktop Support
DOMAIN\Domain Admins
BUILTIN\Power Users
NT AUTHORITY\Authenticated Users
BUILTIN\Remote Desktop Users
DOMAIN\Domain Users
The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it. Please let me know if there is a way to accomplish this. Thanks in advance!
Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.
ASKER CERTIFIED SOLUTION
ASKER
Is there a downside to using the group "is a member of"? Security risk?
If your organization doesn't require restricting local admin group membership, then no, there is no downside.
The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.
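The scope creep mentioned in the last reply can be caught by comparing each desktop's local Administrators group against an approved baseline. The script below is an added example, not part of the original thread; the baseline entries reuse the thread's `DOMAIN\...` names as placeholders, and the function name `Get-UnapprovedLocalAdmin` is hypothetical.

```powershell
# Added example: list local Administrators members that are not in an approved baseline.
# Assumption: the baseline below is a placeholder; replace it with your own approved groups.
$Approved = @(
    'DOMAIN\Domain Admins',
    'DOMAIN\Desktop Support'
)

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved)

    try {
        # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
        # so the lookup does not depend on the localized group name.
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    }
    catch {
        # Report the failure instead of silently treating the machine as clean.
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        # The built-in local Administrator account is a local principal with RID 500.
        $isBuiltinAdmin = ($m.PrincipalSource -eq 'Local') -and ($m.SID.Value -like '*-500')

        # -contains is case-insensitive for strings, matching how Windows treats account names.
        if ($isBuiltinAdmin -or ($Approved -contains $m.Name)) { continue }

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Class    = $m.ObjectClass
            Source   = $m.PrincipalSource
            Sid      = $m.SID.Value
        }
    }
}

# Every row returned is an account or group added outside the approved baseline.
Get-UnapprovedLocalAdmin -Approved $Approved | Format-Table -AutoSize
```

Run it on a schedule and review any rows it returns; an empty result means the group matches the baseline.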