Restricted Groups

mmudry
Currently we have a group policy applied to all our desktop OUs that adds the following groups to the desktops' restricted groups:

BUILTIN\Administrators
DOMAIN\Desktop Support
DOMAIN\Domain Admins  

BUILTIN\Power Users
NT AUTHORITY\Authenticated Users  

BUILTIN\Remote Desktop Users
DOMAIN\Domain Users  

The issue is we want to give the desktop support team the ability to add a single user to the BUILTIN\Administrators group if needed without Group Policy removing it.  Please let me know if there is a way to accomplish this.  Thanks in advance!

Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Once you utilize Restricted groups, additions to any of those groups have to be done through the GPO that controls the restricted groups. There really isn't a way around that.
Don't configure restricted group members using group policy; instead, configure the "group is member of" policy.
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

Author

Commented:
Is there a downside to using the "group is a member of"? Security risk?
If your organization doesn't need to restrict local admin group membership, then no, there is no downside.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
The downside is that any administrator can add any user to the group, so you could have some group scope creep in the future.
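
The difference between the two settings discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of a policy refresh, showing that a "Members" entry replaces the local group's membership while a "Member of" entry only adds to it, plus a check that lists what the policy did not put there. The `[Group Membership]` samples are constructed, use account names where real templates usually hold SIDs, and `DOMAIN\jdoe` is a hypothetical user.

```python
# Constructed samples of a GPO's [Group Membership] section (GptTmpl.inf style).
# Account names are used for readability; real templates usually store *SIDs.
MEMBERS_MODE = r"""
[Group Membership]
BUILTIN\Administrators__Memberof =
BUILTIN\Administrators__Members = DOMAIN\Desktop Support,DOMAIN\Domain Admins
"""
MEMBER_OF_MODE = r"""
[Group Membership]
DOMAIN\Desktop Support__Memberof = BUILTIN\Administrators
DOMAIN\Desktop Support__Members =
DOMAIN\Domain Admins__Memberof = BUILTIN\Administrators
DOMAIN\Domain Admins__Members =
"""
# Constructed workstation state: a technician added one (hypothetical) user by hand.
BEFORE = {"BUILTIN\\Administrators": {"DOMAIN\\Desktop Support", "DOMAIN\\jdoe"}}

def parse_group_membership(inf_text):
    """Return (members, member_of): dicts mapping group -> list of accounts/groups."""
    members, member_of, in_section = {}, {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().rpartition("__")
            items = [v.strip() for v in value.split(",") if v.strip()]
            table = {"members": members, "memberof": member_of}.get(kind.lower())
            if table is not None:
                table[group] = items
    return members, member_of

def apply_policy(inf_text, local_groups):
    """Simulate a policy refresh on local groups (dict: group -> set of members)."""
    members, member_of = parse_group_membership(inf_text)
    result = {g: set(m) for g, m in local_groups.items()}
    for group, wanted in members.items():
        if group in result:              # "Members of this group": list is replaced
            result[group] = set(wanted)
    for account, targets in member_of.items():
        for target in targets:           # "This group is a member of": additive only
            if target in result:
                result[target].add(account)
    return result

def unmanaged_members(inf_text, local_groups):
    """Members left after refresh that the policy did not put there (review list)."""
    after = apply_policy(inf_text, local_groups)
    pushed = apply_policy(inf_text, {g: set() for g in local_groups})
    return {g: after[g] - pushed[g] for g in after}
```

Running `unmanaged_members` over collected membership on a schedule gives a review list for the scope creep mentioned in the last comment.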
