Active Directory GPO

I am trying to see if I can automate a GPO on a local client. My security policy does not allow network users to be local admins of their workstations, so of course they can't install or update basic software like Adobe, etc.
To keep me from having to physically go to the user when they need to update software, I created a security group in AD called "Local_OA". I went to several local clients and added "Local_OA" to the Administrators group. Now when someone calls and needs to update approved software, I just add the user to the "Local_OA" group in AD and have them log off and back on; that gives them the rights to update software, then I remove them from the group.

My question is, is there a way I can write a GPO that will add the "Local_OA" group to the Administrators group on the local machine so that I don't have to physically go to each machine to do it manually?

You can do updates like Adobe and Java through a WSUS server as well.
You can use a Restricted Groups GPO to add the mentioned group to the local admin group of local systems. Please refer to the 2nd option, "This group is a member of", in the article below.
RHUSAIT (Author) commented:
Both solutions work. I used the "restricted User" option; it seemed a little more simplistic to me. Thank you guys!
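
The Restricted Groups answer above singles out the "This group is a member of" option. As an added example (not part of the original thread), the PowerShell below reads the `[Group Membership]` section that a Restricted Groups policy stores in `GptTmpl.inf` and reports which option each populated entry uses: "This group is a member of" only adds the group to its targets, while "Members of this group" removes anyone not listed. The function name `Get-RestrictedGroupEntry` is hypothetical, and the sample file and its domain SIDs are constructed placeholders.

```powershell
# Constructed sample of a GptTmpl.inf [Group Membership] section.
# The S-1-5-21-... values are made-up placeholders, not real accounts.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
'@

# Hypothetical helper: classify each populated Restricted Groups entry.
function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Group Membership].
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^(.+?)__(Memberof|Members)\s*=\s*(.*)$') { continue }

        $group   = $Matches[1].Trim()
        $setting = $Matches[2]
        $targets = @($Matches[3] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($targets.Count -eq 0) { continue }   # this example reports populated lists only

        [pscustomobject]@{
            Group   = $group
            Setting = $setting
            Targets = $targets -join ', '
            Effect  = if ($setting -eq 'Members') {
                          'Authoritative: members not listed are removed at policy refresh'
                      } else {
                          'Additive: group is added to the targets, other members stay'
                      }
        }
    }
}

Get-RestrictedGroupEntry -InfText $sampleInf | Format-List
```

In the sample, the first entry is the shape the answer recommends for a group like "Local_OA" (`S-1-5-32-544` is the built-in Administrators group); the last entry shows the authoritative form, which is worth reviewing before rollout because it overrides existing local membership.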