Link to home
Start Free TrialLog in
Avatar of tolinrome
tolinromeFlag for United States of America

asked on

GPO to add domain admin to local admin

Is there a GPO that I can add the Domain Admins group to all the local admins group on all computers? DC's are 2008 and clients are XP and Win7. Thanks.
Avatar of motnahp00
Flag of United States of America image

Consider implementing a GPO with Restricted Groups.
Avatar of remmett70
Domain Admins by default get added to the local computer Admins group when a computer/server is added to the domain.  Has is been manually removed?
All Domain Admins are members of the local group.

You can verify this with the following command:

net localgroup Administrators
By Default Domain Admins are already local admins
Avatar of tolinrome


I thought they did as well, but at least on one PC it's not. This is a problem since a user will be logged on then a Domain Admin comes by and cannot log them off and has to shut down the computer and log back in.
So how can I just create a GPO that will cover all that?
Avatar of remmett70
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial

Name: Restricted Groups

Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups -> Right-click Add Group -> Type Administrators (DO NOT Browse) -> click Add for members of this group and Click Add -> Browse for Domain Admins