<div>
Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.
</div>


Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.

<div>
Is there a down side to using the gorup is a member of? &nbsp;Security risk?
</div>


Is there a down side to using the gorup is a member of?  Security risk?

<div>
If your organization doesn't require to restric local admin group membership then no there is no down side.
</div>


If your organization doesn't require to restric local admin group membership then no there is no down side.

<div>
The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.
</div>


The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.

<div>
<div class="content wysiwyg-content">
Currently we have a group policy applied to all our desktop OU's that adds the following groups to the destops restricted groups:<br />
<br />
BUILTIN\Administrators <br />
DOMAIN\Desktop Support<br />
DOMAIN\Domain Admins &nbsp;<br />
<br />
BUILTIN\Power Users <br />
NT AUTHORITY\Authenticated Users &nbsp;<br />
<br />
BUILTIN\Remote Desktop Users <br />
DOMAIN\Domain Users &nbsp;<br />
<br />
The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it. &nbsp;Please let me know if there is a way to accomplish this. &nbsp;Thanks in advance!
</div>
</div>


Currently we have a group policy applied to all our desktop OU's that adds the following groups to the destops restricted groups:

BUILTIN\Administrators 
DOMAIN\Desktop Support
DOMAIN\Domain Admins  

BUILTIN\Power Users 
NT AUTHORITY\Authenticated Users  

BUILTIN\Remote Desktop Users 
DOMAIN\Domain Users  

The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it.  Please let me know if there is a way to accomplish this.  Thanks in advance!

Restricted Groups

Windows 7 is an operating system from Microsoft. Features include multi-touch support, a redesigned Windows Shell with a new taskbar, referred to as the Superbar, a home networking system called HomeGroup, and performance improvements.

Windows 7

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.