Understanding Restricted Groups in GPO

If I understand Restricted Groups can be set up only through Group Policy.
So if I have a group of users named HelpDeskUsers in ADUC that I need to  make member of every local administrators group in each domain computer. then if I add a new member to HelpDeskUsers group from ADUC console, will GPO update that group with the new member ? Or each time I need to add new member I will have to do it from the Gpedit console and drill down to Restricted Groups ?

another point, If Local administrators group in each computer already has other groups, will the GPO delete them all them and add only the HelpDeskUsers.

This example is just when adding a user group to local administrators group in domain computers.
I wonder if all local groups shown in the screenshot will have the same mapping in Active Directory.
I do not see configMgr Remote control users in AD

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tim EdwardsIT Team Lead - Unified Communications & CollaborationCommented:
The groups that you see are not set by Active Directory, these groups are local groups on each machine. You can create a local group manually if you would like and set the appropriate permissions, then add users to that group.

What you are looking to do by the sounds of your questions is to create security group ADUC, add your users to it, then you will want to create a Group Policy that adds your security group to your local administrators group.

Once the group has been created you will need to link with with an OU, in your case computers. Any computer/server that is in the computers OU next time it gets the gpupdate will add your security group to the local administrators group.

Moving forward all you need to do is add a user to the security group for them to get the ability to be a local admin, or remove the user from the group to revoke the permissions.

A quick little video on how to accomplish this:


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.