Restricted Group policy

I have a security group in Active Directory called "Local Executives"
I need to create a Restricted group GPO, for Local Administrators group in each PC, so that "Local Executives" group will be member of Local Administrators group in each PC.
 However I do not want to delete the Already existing members of the local administrator group. It is kind of adding instead of removing and adding.

any help will be very much appreciated.

Thanks
jskfanAsked:
Who is Participating?
 
VB ITSSpecialist ConsultantCommented:
If you want to add the Local Executives to each computer's local Administrators group then follow the below steps:

In the Group Policy Management Console, expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
Right click and select Add Group
Type in DOMAIN\Local Executives in the Add Group window that appears or locate it via the Browse... button
Click Add in the This group is a member of section
Type in Administrators in the Group Membership window > OKOK again
Restricted-Groups.PNG
This will add the Local Executives group to each PC's local Administrators group and keep the group membership in tact.
0
 
LearnctxEngineerCommented:
Then you will need to add the other groups in. If you don't your GPO will overwrite the group. Example.

You have a GPO called localadmins and a new GPO called localexecutives.

localadmins contains the following restricted membership for local admins.

Domain Admins
Workstation Admins
Helpdesk

It is the highest priority GPO on the OU. Your new GPO localexecutives has only the following in the local admin group.

Executive Admins

If you like this GPO at a higher priority than your other GPO it will win based on priority and become the basis for the local admin group removing Domain Admins, Workstation Admins and Helpdesk. So, if you are going to have a new GPO with a separate local admin group membership defined you must include the other groups which are already members as below.

Domain Admins
Workstation Admins
Helpdesk
Executive Admins
0
 
McKnifeCommented:
jskfan, you need to take a closer look. Restricted groups let's you either define what members the local admin group has (and that will delete all others) or it will let you add that group to local admins regardless of who's already in and non-destructive against those members. There are simply too different sections in the GPO, look at it once more.
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
McKnifeCommented:
Thanks for illustrating my comment, VB ITS :)
0
 
jskfanAuthor Commented:
VB ITS

Thanks for the screenshot and the wizard walk through...I want just to make sure I understood the procedure.

So in the screenshot you posted above, there are 2 window panels, if I add "Executive Admins" to the top window then all existing members of the local administrators group in workstations will be deleted except for "Executive Admins" that I have added.

if I add "Executive Admins" to the bottom window,  then existing members of local administrators group will stay there and "Executive Admins" group will be added.

Correct ?
0
 
VB ITSSpecialist ConsultantCommented:
No, if you add Executive Admins to the box above then the policy will attempt to place Executive Admins in the Executive Admins group. This obviously will not work very well!

If you want to replace the membership of the local Administrators group then you would specify Administrators when you go to create the Restricted Group. See below:
Restricted-Groups---Replace-AdministratoRestricted-Groups---Replace-AdministratoRestricted-Groups---Replace-Administrato
In the above scenario, the Administrators group on each workstation will have the group membership replaced so that DOMAIN\User is the only member of the group.

Hope this makes sense.
0
 
jskfanAuthor Commented:
No my Goal is to add Executive Admins Group to Local administrators group on each workstation without deleting the existing members of the local administrators group.
0
 
VB ITSSpecialist ConsultantCommented:
Then please follow the steps in my earlier comment: http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28596305.html#a40548847

My previous comment was to try and get you to understand how Restricted Groups work in Group Policy, I apologize for any confusion.

Ignore my previous comment and follow the steps linked above - this will add the Executive Admins group to the local Administrators group on each workstation that the policy is applied to. It will not delete/replace any existing members in the local Administrators group.

I hope this clears it up for you.
0
 
jskfanAuthor Commented:
Thank you
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.