Understanding Restricted Groups in GPO

Posted on 2014-08-14
Last Modified: 2014-08-16
If I understand correctly, Restricted Groups can be set up only through Group Policy.
So if I have a group of users named HelpDeskUsers in ADUC that I need to make a member of every local administrators group on each domain computer, then if I add a new member to the HelpDeskUsers group from the ADUC console, will the GPO update that group with the new member? Or each time I need to add a new member, will I have to do it from the Gpedit console and drill down to Restricted Groups?

Another point: if the local administrators group on each computer already has other groups, will the GPO delete them all and add only the HelpDeskUsers?

This example is just when adding a user group to local administrators group in domain computers.
I wonder if all local groups shown in the screenshot will have the same mapping in Active Directory.
I do not see ConfigMgr Remote Control Users in AD.

Question by:jskfan

    Accepted Solution

    The groups that you see are not set by Active Directory; these groups are local groups on each machine. You can create a local group manually if you would like and set the appropriate permissions, then add users to that group.

    What you are looking to do, by the sounds of your questions, is to create a security group in ADUC and add your users to it; then you will want to create a Group Policy that adds your security group to your local administrators group.

    Once the group has been created you will need to link it with an OU, in your case computers. Any computer/server that is in the computers OU will, the next time it gets the gpupdate, add your security group to the local administrators group.

    Moving forward all you need to do is add a user to the security group for them to get the ability to be a local admin, or remove the user from the group to revoke the permissions.

    A quick little video on how to accomplish this:
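
The question's second point (whether groups already in the local administrators group get deleted) depends on which of the two Restricted Groups settings the GPO uses. The following is an added example, not part of the original thread: it reads the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports each entry as replacing or adding members. The function name, the sample template and the domain SID are assumptions made for the example.

```powershell
# Constructed sample of a GPO security template (GptTmpl.inf). The domain SID
# ending in -1105 stands in for HelpDeskUsers and is made up. A real policy
# would normally use only one of the two styles shown.
$sampleInf = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
[Version]
Revision=1
'@

$BuiltinAdmins = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-RestrictedGroupEffect {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside [Group Membership]
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }
        $group, $setting = $Matches[1], $Matches[2]
        $values = @($Matches[3] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        if ($values.Count -eq 0) { continue }   # empty entries are skipped in this example
        if ($setting -eq 'Members') {
            # "Members of this group": the list is authoritative; accounts not listed are removed.
            $effect = 'Replace'; $hitsAdmins = ($group -eq $BuiltinAdmins)
        } else {
            # "This group is a member of": the group is added; existing members are kept.
            $effect = 'Add'; $hitsAdmins = ($values -contains $BuiltinAdmins)
        }
        [pscustomobject]@{ Group = $group; Effect = $effect; Values = $values; LocalAdmins = $hitsAdmins }
    }
}

Get-RestrictedGroupEffect -InfText $sampleInf | Format-Table -AutoSize
```

To check a real policy, pass the template's contents with `Get-Content -Raw` instead of `$sampleInf`. A `Replace` row with `LocalAdmins` set to true means existing members of the local administrators group that are not listed will be removed when the policy applies.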
