Asked by mmudry

Restricted Groups

Currently we have a group policy applied to all our desktop OUs that adds the following groups to the desktops' restricted groups:

DOMAIN\Desktop Support
DOMAIN\Domain Admins  

BUILTIN\Power Users
NT AUTHORITY\Authenticated Users  

BUILTIN\Remote Desktop Users
DOMAIN\Domain Users  

The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it.  Please let me know if there is a way to accomplish this.  Thanks in advance!
Adam Brown

Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.
mmudry

Is there a downside to using the "group is a member of"?  Security risk?
If your organization doesn't require restricting local admin group membership, then no, there is no downside.
The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.
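
To keep an eye on the scope creep mentioned in the last comment, a script can compare each desktop's local Administrators group against an approved list and report the rest. The following is an added example, not part of the original thread; the baseline accounts and the exceptions CSV (columns ComputerName, Account) are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): list members of the local
# Administrators group that are neither in the baseline nor approved exceptions.
param(
    # Assumption: accounts every desktop is expected to have as local admins.
    [string[]]$Baseline = @('DOMAIN\Desktop Support', 'DOMAIN\Domain Admins'),
    # Assumption: hypothetical CSV of approved per-machine additions,
    # with the columns ComputerName and Account.
    [string]$ExceptionsCsv = ''
)

function Get-UnapprovedAdmin {
    param([object[]]$Members, [string[]]$Approved)
    foreach ($m in $Members) {
        # The built-in local Administrator account always has RID 500.
        if ("$($m.SID)" -match '^S-1-5-21-.*-500$') { continue }
        # -notcontains compares strings case-insensitively.
        if ($Approved -notcontains $m.Name) { $m }
    }
}

$approved = @($Baseline)
if ($ExceptionsCsv -and (Test-Path $ExceptionsCsv)) {
    # Only exceptions recorded for this computer count here.
    $approved += Import-Csv $ExceptionsCsv |
        Where-Object { $_.ComputerName -eq $env:COMPUTERNAME } |
        ForEach-Object { $_.Account }
}

# Look the group up by its well-known SID so localized group names still work.
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
$members   = @(Get-LocalGroupMember -SID $adminsSid)
$extra     = @(Get-UnapprovedAdmin -Members $members -Approved $approved)

if ($extra.Count -gt 0) {
    $extra | Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                           Name, ObjectClass, PrincipalSource, SID
    exit 1   # non-zero exit lets a scheduled task or management agent flag the host
}
Write-Output "$env:COMPUTERNAME: local Administrators matches the approved list."
```

Run it on each desktop (for example from a scheduled task) and collect the output centrally; `Get-LocalGroupMember` requires Windows PowerShell 5.1 or later.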