Avatar of mmudry
 asked on

Restricted Groups

Currently we have a group policy applied to all our desktop OU's that adds the following groups to the destops restricted groups:

DOMAIN\Desktop Support
DOMAIN\Domain Admins  

BUILTIN\Power Users
NT AUTHORITY\Authenticated Users  

BUILTIN\Remote Desktop Users
DOMAIN\Domain Users  

The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it.  Please let me know if there is a way to accomplish this.  Thanks in advance!
Windows 7Windows XP

Avatar of undefined
Last Comment
Adam Brown

8/22/2022 - Mon
Adam Brown

Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Is there a down side to using the gorup is a member of?  Security risk?

If your organization doesn't require to restric local admin group membership then no there is no down side.
Your help has saved me hundreds of hours of internet surfing.
Adam Brown

The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.