I am try to see if I can automate a GPO on a local client. MY security policy does not allow network users to be local adims of their workstations, doing that of course they can't install or update basic software like adobe, etc.
To keep me from having to pysically go to the user when they need to update software, I created a security in AD called "Local_OA" I went to several local clients and added the "Local_OA" to the Administrators group. Now when someone calls and needs to update approved software, I just add the user to the "Local_OA" group in AD and have them logoff and back on, that will give the rights to update software, then I remove them from the group.
My question is, is there a way I can write a GPO that will add the "Local_OA" group to the administrators group on the local machine so that I don't have to physically goto each machine to do it manually?