How to use Restricted Groups? Part I

( – or: How can I add [Active Directory] user accounts to some clients’ local Administrators group without touching each client?)

This article describes the feature “Restricted Groups” in Group Policy. This feature enables you – as the administrator – to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy.

As there are many questions about this in the newsgroups, I will come up with an example that shows how to put a group of Active Directory users into the local Administrators group on the clients.

For this article, I assume that you already created a global security group containing all users that shall become local Administrators on some client computers. In my example, the group is called “localAdmins”. The target (= client) computers reside in a specific OU.

If you’re using the Group Policy Editor, you navigate to the OU where the client computers reside and right-click it. Choose “Properties” and “Group Policy” where you create a new Policy and click “Edit”. You then navigate to:

Computer Configuration\Windows Settings\Security Settings\ and then right-click “Restricted Groups” and choose “Add Group”.

You simply add the created group by clicking “Browse..” or typing the group name into the box.

After clicking “OK”, another beautiful window opens up with two boxes: the upper one labeled “Members of this group”, the lower one labeled “This group is a member of”.

If you added users or groups to the “Members of this group” box, you would tell the Restricted Groups feature to put those users and groups into the localAdmins group. Restricted Groups would then replace the current members of the localAdmins group with the users and groups you entered in the box. Please note my words: it would replace them – just wipe existing users out of the localAdmins group.

As we do not want to add users or other groups to our group, but want to add our localAdmins group to the local Administrators group on our clients, we look at the lower box, labeled “This group is a member of”. We click “Add” and type in the name of the group we want localAdmins to be a member of; in this case, it is “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is a member of” tells Restricted Groups to add our localAdmins group to the “Administrators” group on the clients. The existing group members will not be touched – it simply adds our group.
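As an added example (not code from the original article), here is a small audit of what a Restricted Groups policy will do before it reaches any client. The Group Policy Editor stores these settings in the GptTmpl.inf security template under the GPO's folder in SYSVOL; the script parses that file's [Group Membership] section (the key layout is assumed from my knowledge of the format, the article does not describe it) and reports whether each entry came from the “Members of this group” box, which replaces the membership, or from the “This group is a member of” box, which merges. The sample template is constructed.

```python
"""Audit the Restricted Groups entries of a GptTmpl.inf security template.

Added example, not code from the original article.  The [Group Membership]
layout used here (``<group>__Members`` and ``<group>__Memberof`` keys holding
comma-separated accounts, SIDs prefixed with ``*``) is assumed from the
author's knowledge of the template format; the article does not describe it.
"""
import re
from dataclasses import dataclass, field

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
BUILTIN_ADMIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-500")  # built-in Administrator (RID 500)

# Constructed sample template with two Restricted Groups entries:
#  * CONTOSO\localAdmins was put in the "This group is a member of" box with
#    Administrators as target (the article's recipe); its Members box is blank.
#  * Administrators itself was filled in via "Members of this group", which
#    replaces the whole membership with the listed account (Domain Admins only).
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
CONTOSO\\localAdmins__Memberof = *S-1-5-32-544
CONTOSO\\localAdmins__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""


@dataclass
class Directive:
    group: str                    # restricted group as written in the template
    mode: str                     # "replace" (Members box) or "merge" (Member of box)
    accounts: list = field(default_factory=list)


def _name(account):
    """Strip the '*' that marks a SID so names and SIDs compare alike."""
    return account.lstrip("*")


def is_local_administrators(account):
    n = _name(account)
    return n == LOCAL_ADMINISTRATORS_SID or n.lower() in ("administrators", "builtin\\administrators")


def has_builtin_admin(accounts):
    return any(BUILTIN_ADMIN_SID_RE.fullmatch(_name(a)) or _name(a).lower() == "administrator"
               for a in accounts)


def parse_group_membership(text):
    """Return one Directive per Restricted Groups key in [Group Membership]."""
    directives = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        accounts = [a.strip() for a in value.split(",") if a.strip()]
        if key.endswith("__Members"):
            # A Members key is a replace list: members not listed are removed,
            # so an empty list is recorded too (it means "no members at all").
            directives.append(Directive(key[: -len("__Members")], "replace", accounts))
        elif key.endswith("__Memberof") and accounts:
            # An empty Memberof line is what the editor writes for an unused box.
            directives.append(Directive(key[: -len("__Memberof")], "merge", accounts))
    return directives


def audit(text):
    """List (severity, message) findings about the local Administrators group."""
    findings = []
    for d in parse_group_membership(text):
        if d.mode == "replace" and is_local_administrators(d.group):
            findings.append(("WARN", f"{d.group}: Members box used; current members "
                                     f"are replaced by {len(d.accounts)} listed account(s)"))
            if not has_builtin_admin(d.accounts):
                findings.append(("WARN", f"{d.group}: built-in Administrator (RID 500) "
                                         "is not in the replace list"))
        elif d.mode == "merge":
            for target in d.accounts:
                if is_local_administrators(target):
                    findings.append(("INFO", f"{d.group}: merged into Administrators; "
                                             "existing members are kept"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_GPTTMPL):
        print(f"[{severity}] {message}")
```

Run against a real template, the audit only inspects directives aimed at the local Administrators group, so the article's merge-only recipe produces an INFO line and never a WARN.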

122 Comments so far

  1. Rino Mardo on November 14th, 2006

    Great article here. Exactly the way M$ should’ve explained it.

  2. railroad on September 25th, 2007

    It’s 2007 and people are still looking for how to solve the same issues. I’ve been to a few websites that “explained” this, but this article explains it the way it should be – which means it shows the steps accurately, doesn’t leave out important details, and most importantly – it works. Thanks.

  3. Araham on February 8th, 2008

    Great explanation!!!!

  4. Mark on March 17th, 2008

    Thanks, solved my problem and easy to understand :)

  5. Jim on April 16th, 2008

    Great job.

  6. Yahya on April 25th, 2008

    Brilliant explanation

  7. Rani on June 3rd, 2008

    Perfect!!!

  8. Rog on July 10th, 2008

    I’m about to use this to add a couple of domain users as local admins. But I’ve been warned by my colleagues that it will wipe the local admins already present on the box. So if there is a local user or a random domain user, like the computer owner, that is admin, they will be wiped.

  9. Rog on July 10th, 2008

    But it worked! My colleagues are weird. =) Thanks for the advice!

  10. jmn on July 10th, 2008

    Thanks! Worked quickly and easily!

  11. Drennen on July 18th, 2008

    So, this is really good advice that I should have read ahead of time.

    I DID replace the ‘Administrator’ group of all my machines. I fixed this ‘somewhat’ by using the above method to add ‘Domain Admins’ into the local administrators group. At least there are some accounts that now have local admin rights.

    However, the local “Administrator” account is gone I am pretty sure. Have I crossed the streams and divided by zero or is this not really a problem?

  12. florian on July 18th, 2008

    Drennen,

    so you wiped the local Administrator out of the “Administrators” group? Or wiped the Administrator account as a whole? I guess I don’t get your problem.

    Basically it’s not much of an issue as long as no services or users rely on it.

  13. Tim on August 4th, 2008

    Yes, as others say, this is the most straightforward explanation I’ve seen! Well done.

    One question: I did just what you said and it added my new domain group to the local admin group and left everything else there. If I wanted to control all members of the local admin group would I add users (and/or domain groups) to the “members of this group:” section?

    I understand that that would replace all members in the “restricted group” domain group (localAdmin in your example), but would it then replace the computers administrators group with the domain group I’ve defined for the restricted group and remove everything else?

    Also, Drennen (if you’re still there) – if you remove this policy the local admin group returns to its previous state. See this:

    http://sdmsoftware.com/blog/2007/10/restricted_groups_policy.html

    Thanks,
    Tim

  14. Lim on October 14th, 2008

    I just want to confirm that this will not remove any existing accounts and groups in the local Administrator group in the client machines, but simply add whatever is designated in the Restricted Group here over the top?

  15. florian on October 15th, 2008

    Lim, if you follow the instructions and choose the way I explained as “it simply adds our group”, it will not remove them. You can test that with a test client scenario to be 100% sure about that.

  16. Denis AUGER on October 17th, 2008

    Very interesting article.

    One question: do you know if it is possible to create a restricted group through a script instead of using the GUI ?

    Thanks

  17. florian on October 17th, 2008

    Denis,

    do you mean creating a Restricted Group or scripting group membership? Scripting group membership would work with net localgroup /?.

    Although I haven’t looked into it yet, I assume scripting Restricted Groups is not that straight forward. I guess it involves the creation of both objects in the GPContainer (Active Directory) as well as files on SYSVOL.

  18. Denis AUGER on October 27th, 2008

    Florian,

    I mean creating a restricted group.
    The goal is to create a local group on a server, then to create the corresponding restricted group in the Active Directory.
    Then, I would like to change the members of the restricted group to check, after a GPUPDATE, if my application has seen the change in the local group.
    I want to do that for several users, and maybe, several RG.
    Thanks

  19. florian on October 28th, 2008

    Denis,

    you’ll not be able to do that with Restricted Groups. Have you considered looking at Group Policy Preferences? With those, you can both create local groups on target machines as well as fill them with users from the domain.

  20. ceez on November 13th, 2008

    OK, I found this great explanation because no other site can explain it this easily…

    yet…

    It’s not working for me! :(

    I have 1 testing OU called “Test OU”
    2 test user accounts
    1 global security group called “LocalAdmin” (like this example)

    I opened this LocalAdmin account and added my 2 user accounts to the Members tab

    In the GPO I select Add Group -> Browse -> mydomain\LocalAdmin

    “Members of this group” was left blank

    “This group is a member of” just says “Administrator”

    I perform a GP Update on my DC, reboot my test workstation and login.

    I test it by going to start->run and typing “nusrmgr.cpl” to access the “users accounts” and it prompts for a username/password.

    I go to management->local users and groups and check the administrator group but my 2 test accounts are not listed.

    What can I be doing wrong?!?! It should not be this difficult.

    Thanks

  21. ceez on November 14th, 2008

    OK I GOT IT!

    I was typing Administrator without the “s” at the end!

    Works like a charm!

    thanks for this great post!

  22. djlizar on November 15th, 2008

    Hey dude, you saved my weekend :D, I need to give local permissions over the entire domain, thanks a lot for this guide.

  23. florian on November 17th, 2008

    You’re most welcome. This must be the most popular posting on my blog so far!

  24. Lim on November 20th, 2008

    Thanks!
    Another quick question. Some other places say use builtin\Administrators instead of just Administrators when specifying This group is a member of. Is there a difference/does it matter?

  25. Dr Fix on January 14th, 2009

    That’s not working for me… this is what I do:
    - I already have a group set as “global” and “security”
    - I create a new OU and move a pc into it
    - I right click it, properties and add a GPO
    - I edit gpo, go under “Restricted users”, add group and add the users group
    - In the bottom window I add the “Administrators” group
    - I run gpupdate

    But on my PC the users still aren’t administrators…

    any idea?
    thanx

  26. florian on January 14th, 2009

    DrFix,

    have you tried the steps outlined in the article? Can you confirm the policy’s actually applicable on the machine in question (rsop)?

    Cheers,

    Florian

  27. Dr Fix on January 15th, 2009

    Hi Florian,

    I did the steps I listed above which I read from the article, are they wrong?

    How do I verify via rsop that the policy is applicable? Do I have to do it on server or on the machine? Thanx

  28. florian on January 15th, 2009

    DrFix,

    the steps outlined there should be working for you, too. You fire Start->Run->”rsop.msc” on a client machine that would be affected by the policy and see whether the policy shows up. You can also run “gpresult.exe” from the command line.

    Florian

  29. WinXP on January 18th, 2009

    I currently have admin rights on my computer at work and this right is removed automatically after working hours. How can I stop this from removing my admin rights from this machine?

    Please note that this computer is using windows XP and is part of a network domain.

    Best regards,

  30. florian on January 19th, 2009

    Howdie!

    Since it’s a local machine, check if the machine’s running any scripts or applications at startup that remove your user account from the administrators group. Also check when this happens – I’d try to log off/log on several times during the day to see when this happens. During logoff/logon, your user account’s token is created and group membership evaluated. If you log on just the other day, you won’t notice when the automatic removal action happened.

    cheers,

    Florian

  31. calvin chiang on February 3rd, 2009

    Champion. So simple, yet M$ makes it appear so complicated. Thanks Florian!!

  32. superkain on February 7th, 2009

    Sweet. I’ve been doing this for years, but didn’t know anyone had done a write up on it. Every time I show it to someone, it blows their mind.

    I even had to show half a dozen MS employees that this was possible last year. They fought tooth and nail with me until I proved it.

    Thanks for putting this out there!

  33. ryan on February 19th, 2009

    Hi,
    Does anyone know the impact of having multiple GPOs setting RGs and using both “members of this group” and “this group is a member of” in different GPOs? Additionally, can I use a security filter group with computer accounts to apply the GPO RGs to only specified computers in the security filter group?

    TIA!

    Ryan

  34. Sushil on February 19th, 2009

    it’s really great and helpful

  35. florian on February 19th, 2009

    Ryan,

    I must admit I’ve never tried that. I would assume that, when you use the “Update”/”Add” steps to modify a local group, the Client Side Extension will sequentially perform the group member additions and add members as defined at multiple locations/OUs/levels.

    Since it is a Computer Configuration policy, you can use security filtering to only let Restricted Groups apply to a limited group of machines, that’s possible, yes.

    Cheers,
    F.

  36. vijay kadadi on March 5th, 2009

    In my company, for .NET users, I installed/configured a Windows 2003 Server domain (AD + DNS) with an IIS web server and a SQL DB server. I created the users and configured the .NET client WinXP PCs to join that domain. But they log in with local administrator rights because they need to run/use .NET applications (Visual Studio 2005/2008, IIS…). And if they log in with a domain user, they can’t run the Visual Studio applications. What to do…? I want to create the restricted group with local admin rights so they can log in to the domain and have rights only for .NET applications and not for other control panel/config/installations, etc.

    Regards,
    vijay kadadi

  37. florian on March 5th, 2009

    Howdie!

    In general, I would try to keep the devs away from the prod network (at least with the machines they have Visual Studio and their test databases loaded on) and keep them on a separate network/subnet. Devs are the kind of people that need special attention as they’re re-configuring their servers, machines and stuff for testing their apps – so it’s a good idea to keep them off the prod network. If necessary, put a second machine next to them that’s connected to the prod network. Well, that would be the best practice approach.

    Have you tried putting the users into the “Debugger users” group (not sure if the group is called that – but it’s a group they create on VS installation). That might be helpful.

  38. Suresh on March 6th, 2009

    Florian,

    Thanks for the brilliant article.

    I have created an OU, moved a few member servers into it and applied the policy.

    The local administrators group on the member servers is displaying the correct domain group but in RSOP I see the group name with RED CROSS. What could be the issue?

    Thanks,
    Suresh

  39. Viktor on April 27th, 2009

    Florian,

    great and most important that very simple explanation

    Thanks,

    Viktor

  40. Ray on April 28th, 2009

    Great tip. Worked really well. I noticed that this is partI. Is there a part II?

  41. florian on April 30th, 2009

    Ray,

    there actually isn’t. I thought about adding some stuff regarding the “Power Users” group AD by default doesn’t know about. Just haven’t had the time or had more interesting stuff to blog about :) I may add a second part some time in the future.

    Thanks,
    Florian

  42. Allen Crist on May 6th, 2009

    I am having the same red cross error as Suresh… Also, I am trying to apply this to the whole domain (is that possible, I don’t want to just do it to an OU) It’s a very small network (10 clients) and some legacy apps REQUIRE local admin access. Please help.

  43. Jesse on May 11th, 2009

    Hi,

    Does this apply to 2008?

    I’ve tried but I can’t seem to find where to start:
    Server Manager/Group Policy/Forest:my.domain.net/domains/my.domain.net/???

    I would greatly appreciate it if someone could help me out of this one. I’m sure I’m not putting the group in the right policy.

    Thanks

  44. Jesse on May 11th, 2009

    sorry:
    Server Manager/”FEATURES”/Group Policy/Forest:my.domain.net/domains/my.domain.net/???

  45. florian on May 14th, 2009

    Jesse,

    that applies to Server 2008, too.

    From Start->Run, launch “GPMC.msc”. From here, you can actually create GPOs/create&link them to OUs. With “Edit…” you open the Group Policy Editor from which you should be able to access the “Restricted Groups” feature.

  46. Jesse on May 18th, 2009

    Hi Florian,
    You’re right it’s there and it works… THANK YOU ;)

    My next question is why, when I remove the user from localAdmins and log off, when I log on again they are still able to install? Is there some time limit for these changes to take effect? Is there a cache?

    Have you noticed this before?

  47. Jesse on May 19th, 2009

    Hi again Florian,

    Just want to comment on security issues with this setup. Everyone should know (at least in windows 2008) that if you grant “Administrator” privileges in this manner you are granting SERVER Administrators privileges too.

    So if you have network shares “lightly” configured with “Administrators” allowed as FULL control you have therefore just granted access to any user in your “localAdmin” group this level of access.

    Also you have granted them Administrator privileges on ALL computers in your OU.

    A safer way (in windows server 2008) is to update the Administrators Group on the CLIENT’s computer by updating the local “Administrators” group through:
    GPO Editor > Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups > New User or Group

    Here you can add a Domain group or user to the local Administrators group (I would suggest a Group because it will be easier to manage) and then right click on the new item that you have created and:
    Properties > Common > Advanced > Item Targeting. Here you will be able to target which computers or OUs you want to grant permissions. You can duplicate the item to then target others.

    The downside of my suggestion is that if this item is removed later on, the changes to the client computer are permanent.

    Hope this helps.

  48. Danny on May 24th, 2009

    Perfect!!…and in an article that is short and sweet too…

  49. florian on May 26th, 2009

    Jesse,

    you need to wait for the next policy refresh cycle (background refresh), ~max. 120 minutes in order to have the Restricted Groups policy updates on a client.

    It doesn’t actually cache group membership as long as you’re online.

    Thanks for the suggestions with Preferences. Indeed, I wrote the RG article before Preferences were part of core Windows (they were PolicyMaker back then). You can also use Preferences for that – just make sure you let the machine re-apply the preference to keep the group membership accurate.

    Thanks,
    Florian

  50. Roman on June 12th, 2009

    Exactly what I was looking for! Thanks
    Roman

  51. Rizwan Khan on June 17th, 2009

    Really a great blog. And a Nice HELP.
    I like the way the steps are mentioned here. This is really required when you remotely advise something because nobody knows the opponent’s skills.
    It solved my problem within minutes.
    Really a great help. Thank YOu.

  52. Joey on June 24th, 2009

    Hi Florian,

    I tried doing this on my domain. But it gives a cross mark in RED, showing that the policy is not applied. The error is as below:

    “The policy engine did not attempt to configure the setting. for more information, see %windir%\security\logs\winlogon.log on the target machine.”

    But when I checked the log file, no failure reports were mentioned.

    Will you please help me?

    Regards,
    Joey

  53. florian on June 25th, 2009

    Joseph,

    is the machine picking up other (newly created) policies? What is the cmd result message you get when entering “gpupdate”?

    Florian

  54. Ndakapenga on July 1st, 2009

    Many have attempted this by using the Restricted Groups policy that has been in Windows Active Directory Group Policy from the onset. The problem with this solution is that the Restricted Groups policy is a “delete and replace” policy, not an “append” policy. Thus, when you configure a policy to perform this task, you will wipe out the contents of the local Administrators group, replacing it with only new accounts.
    By using the Local Users and Groups policy that was described in Task 1, you can not only remove the current logged on user, but you can add in other accounts like Domain Admins and Domain Administrator.

    http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

  55. Ux- on July 6th, 2009

    We create users in active directory using ADUC and then manually add the users in the specific groups…

    Is there a way we can do that automatically or from a group policy, creating the user and assigning the membership to different groups by itself?

    Regards

  56. florian on July 7th, 2009

    Ux,

    thanks for writing. You need to understand that these are two things. Restricted Groups alter machine-local group membership on client machines whereas group membership in domain groups is a domain thing. You can’t actually do that with Group Policy.

    Approaches that I can think of could work:
    - You create “template” users and copy those template users when creating new users. Group membership is one of the attributes that is copied.
    - Use a different user population mechanism (maybe a custom script/ a custom website) that lets you choose a user role and adds the user automatically.

    Thanks,
    Florian

  57. Dave on July 15th, 2009

    Concise and accurate. Great explanation, thanks…

  58. mahesh on July 29th, 2009

    good thanks, it was helpful

  59. Amjad on August 15th, 2009

    Thanx Florian it is the best explanation ever.

  60. Matt on August 28th, 2009

    Great article, accomplished exactly what I was was trying to do and was easy to follow, thanks.

  61. Trent on August 30th, 2009

    YOU ROCK!

  62. Dave on September 5th, 2009

    Florian,

    If someone has added users into the “Members of this group” box, then it will for sure remove all existing members of the local administrators group on the client; so now is there a way to revert this change? i.e. is there a way to undo it and get back all the previous members in the client’s local administrators group?
    I would appreciate your reply.

    Regards, Dave

  63. florian on September 7th, 2009

    Dave,

    I guess you’d have to set the group membership back to what it was before manually.

    You could use Restricted Groups for that too but would need to use SIDs rather than user names to catch local users with Restricted Groups.

  64. Fiona on September 19th, 2009

    This was amazingly helpful – I am still learning my way around AD and group policy and in setting up a server for a very small school, I have needed this information desperately.
    It was hard enough finding out about restricted groups in the first place … and almost harder trying to understand what the articles about it meant until I found this one.
    Thank heaps for the headache that finally went when I found this – now I just want to know why the others were all so hard to read :-)
    Fiona

  65. Ben Chapman on October 9th, 2009

    Perfect! Thanks for this. It was exactly what I needed. Best, Ben

  66. bilal on October 23rd, 2009

    I’m new to AD, have a group of about 200 nodes and most of them are members of Administrators. Is there any way to remove their administrator rights in a batch process?

  67. alidaoud on November 21st, 2009

    it’s great article

  68. Stephen Jones on December 13th, 2009

    Great article, the only thing that caught me up was that my LocalAdmins group wasn’t part of the Organisation Unit. I’m pretty empty when it comes to Active Directory but from what I could find out is that, this meant the LocalAdmin user settings didn’t get applied and hence the user wasn’t getting added to the Builtin\Administrators group.
    Anyway, once I added the LocalAdmins to the OU it all worked a treat.

  69. Stephen Jones on December 13th, 2009

    Or maybe I mean the user needs to be added to the OU and not the LocalAdmins group??

  70. florian on December 13th, 2009

    Stephen,

    I’m not sure whether I get your point. In order to have that Group Policy working, you’ll need to create and link the GP with Restricted Groups settings enabled to an OU that contains computer accounts. The computer accounts will then modify local group membership as forced by the setting.

    Florian

  71. shaik.basheeruddin@gmail.com on December 14th, 2009

    I tried doing this on my domain. But it gives a cross mark in RED, showing that the policy is not applied. The error is as below:

    “The policy engine did not attempt to configure the setting. for more information, see %windir%\security\logs\winlogon.log on the target machine.”

    But when I checked the log file, no failure reports were mentioned.

    Will you please help me?

    Please help me, I need it badly. Please give me an solution

  72. Tanvir on December 15th, 2009

    Hi Florian,

    I have a win2k3 domain. I created a domain user account like “install” for my helpdesk guy for routine WinXP and application installation on my XP clients. I need to give local admin rights to this account on every XP client without having to make it a member of the domain admin group.

    I just want to confirm that would I follow your article as it describe or is there any other change ?

    Would appreciate your help…

  73. florian on December 15th, 2009

    Tanvir,

    yeah, you can do that. You’d use the user’s account rather than the localAdmin group that I used for the example.

    I suggest you use a group too rather than the user’s account. Once something changes and you need someone else to do the install job, you need to go through the hassle of adding the other user, too.

    Cheers,
    Florian

  74. florian on December 15th, 2009

    Shaik,

    haven’t seen that yet. What does the Eventlog say on the client?

    Cheers,
    Florian

  75. Tanvir on December 16th, 2009

    Thanks for reply Florian.

    Let me tell you what I did. First I made a group named “LocalAdmin” and added my domain user named “install”. Then I created an OU under the domain root and moved a test XP PC into it. I created a GPO for that OU and configured the “Restricted Groups” settings by adding the group mentioned above, i.e., “LocalAdmin”, and added my domain group “Administrators” under “This group is a member of”.

    Did I do it right to achieve my task?

  76. Mohammad Nasiri on December 27th, 2009

    I want to wipe the local administrators group members; can I do it this way?

  77. florian on December 30th, 2009

    Mohammad,

    yah, you can. You basically define a Restricted Groups setting that would replace the current members of “Administrators”. Make sure you have the built-in administrator defined there, too.

  78. Vinod Mohan on January 4th, 2010

    Let me provide my scenario.
    I am having a windows server 2003 dc and over 160 users. As of now all the domain users are having local administrator access for their respective systems. I would like to use restricted group policy to remove access of all the users from the local administrators group and just provide them with Users group permission. Please help…

  79. florian on January 4th, 2010

    Howdie!

    How did you go about giving them local administrator access? Do they use their domain credentials to log on to machines?

    You would use the method above described as “Replace”. Add the local administrator there (probably use the built-in administrator SID S-1-5-*-500) and put Domain Admins as well as your Helpdesk in there (given that Helpdesk folks need local admin access).

  80. Vinod Mohan on January 5th, 2010

    Thanks Florian,

    That was a quick reply.
    Anyways, when we configure a PC and relieve it from our Dept. we used to manually add the domain user into the local admins group. Recently we decided to take out that permission and just provide users with the minimum privilege. There are 2 concerns we want to automate the process of removing the existing local admin rights and then forcing all the users to be member of just the local USERS group.

  81. Vinod Mohan on January 5th, 2010

    And yes they do use their domain credentials to log on to the machine

  82. Christian Purnomo on January 8th, 2010

    love your explanation, speaks in plain language, microsoft should learn from you!!!!!

  83. Jackdaw on January 12th, 2010

    Great article.
    You just saved my ase :P

  84. eeacosta on January 13th, 2010

    Excellent. Thanks a lot!!!

  85. linksjuy on January 16th, 2010

    This is useful article. Thanks so much.

  86. James on January 20th, 2010

    Thanks for this write up, definitely better than everything else I found written up on it.

    I am having the same issue as Shaik.
    When I check Rsop It gives a cross mark in RED, showing that the policy is not applied. The error is as below:

    “The policy engine did not attempt to configure the setting. for more information, see %windir%\security\logs\winlogon.log on the target machine.”

    But when I checked the log file, no failure reports were mentioned.

    Any help on the issue as this fix would save me a lot of manual time :).

  87. Holt Satterfield on January 22nd, 2010

    Florian–

    Followed your article to “add” 3 user groups to the Local Administrator group on desktops. Now that my project is over, I want to remove them from the Local Administrator group. I’ve read ALL the above postings, but nothing works. What I did was actually remove the 3 user groups from the GPO, but that does NOT work. The 3 user groups remain in the Local Administrator group on the desktop. I can’t REPLACE the Local Administrator group because there are scattered desktops with specific users in the LA group that I need to keep in there.

    I’m using Server 2003 R2. Wish it were 2008 as there is an answer for this in that GP version.

    Any suggestions?

  88. florian on January 24th, 2010

    Holt, well, the only option that you have is “Replace” and set it to a predefined list of members. You’d obviously need to define a couple of Restricted Group-policies to reset to different sets of local Admins.

    James, is there anything logged in the event viewer?

  89. James on January 28th, 2010

    Nope nothing in the event viewer.

  90. Frasco on February 2nd, 2010

    Hi Florian ty for your article.

    But if I would like to do the inverse: remove all the existing users from the client machines’ local administrators group and leave only the default “Administrator”, how could I do it? In my AD there are a lot of client PCs which have in the local administrators group some “normal” users that I would remove.

  91. Frasco on February 2nd, 2010

    continuing…. i read all articles and i saw that i can replace … but how to do?? Is there a flag to set? ty

  92. florian on February 2nd, 2010

    Frasco,

    depending on the “box” in the dialog you use and add your users and groups in, it is either “Replace” or “Merge”. Look at the article again, it should describe it pretty well.

  93. Phil on February 8th, 2010

    I followed the instructions and it does seem to work. But the problem is that users can also log into the domain controller as administrators. Gad!

    So, this doesn’t seem to only apply to workstations.

    I actually created a group for managed workstations and only have this policy apply to workstations, but that doesn’t seem to restrict it.

    I’m working with 2008R2 (uggh) any suggestions?

    thanks!

  94. Phil on February 9th, 2010

    update…

    the group of users I was using somehow got added to the “builtin\administrators” group. I removed this membership and the policy now works as expected.

    Also thanks for such a great time saving article!

  95. imageblur on February 22nd, 2010

  96. christian louboutin on March 6th, 2010

    it is interesting and informative article. This has been very helpful understanding a lot

    of things. I’m sure a lot of other people will agree with me.

  97. Con Stantine on March 30th, 2010

    thanks,
    it helped me to solve my problem

  98. drewsky on April 20th, 2010

    This is so awesome. I needed to add a bunch of users that I had put into a domain group into the local Remote Desktop Users group on every new virtual desktop created. This made things so easy! It’s not just about the Administrators group, which I’m sure you know.

  99. anonymous on June 24th, 2010

    Thank you so much, we spent an afternoon unable to get restricted groups doing anything useful before finding your site! Worked perfectly after applying the policy, gpupdating a bit & logging machine back in.
    Thanks again!

  100. hamidi on June 30th, 2010

    How can I prevent the domain controller from accessing and changing the list of Administrators on my client computer (joined to the domain)?

  101. florian on July 4th, 2010

    You either define a Restricted Groups GPO in the way you want the local Administrators group to be, OR check rsop.msc and gpresult whether there is a Restricted Groups GPO in place that you can remove.

  102. Simon on September 30th, 2010

    Help!

    I tried this method but it hasn’t worked for some reason.

    I created desktopsupport group and a systemadmin group.

    I made the system admin group a member of the desktop support group. I added user accounts into the systemadmin group.

    I created the GPO as described in your steps and linked it to the top ou which has several ous nested in it (ous to house user accounts, computer accounts, security groups etc)

    If I open Computer Management on a client machine, go to Local Users and Groups, open Groups and browse to “Administrators”, I can see that the desktopsupport group is a member of Administrators on the local machine, but when I log on with a user account that is in the systemadmin security group, I still cannot install applications.

    I’ve tried shutting down and restarting the computer and gpupdate /force – but it still does not work the way it is described in your article.

    Is it because I’ve nested groups within groups?
    Is it because I’ve linked the GPO to the high-level OU?

    Help would be appreciated.

    Kind Regards,

    Simon

  103. omk on October 6th, 2010

    Thanks! Absolutely helpful and clear!

  104. florian on October 12th, 2010

    Simon,

    have you tried putting the user directly into the “desktopsupport” group instead of a nested group of it? In general, this should work, too, no matter what.

  105. kathir on November 23rd, 2010

    I looked at the Microsoft Windows 2008 AD training manual but it was not clearly explained. I looked at different sites but it was not explained as simply as on this site.

    Thanks a lot. I greatly appreciate it.

    Best Regards,
    Kathir

  106. Andy on November 23rd, 2010

    Awesome work and explanation! I’ve been trying to figure out how to do this for a couple of days now!

  107. Jeff on February 1st, 2011

    Thanks a lot for the help! It was easy to understand and saved me a lot of time.

  108. Poirot on February 21st, 2011

    Thank you, it was really helpful

  109. Shafeek Rahman on February 23rd, 2011

    Very Nice Post,

    I was struggling to understand the postings on other sites.
    But you really made it beautiful and easy to understand.
    Tons of thanks for your amazing work.
    Much appreciated.

  110. Vinod Ptidar on February 26th, 2011

    Really good work. It is such a simple explanation. It was very easy for me to do this.

    Thanks

  111. hunter3740 on March 8th, 2011

    Still helping people (as of 03/08/11); just a matter of adding an existing group in the restricted groups (which is basically the same process for server 2008 and even if using remote admin, aka rsat), and then adding “administrators” to the “is a member of” box (for the group you just added to the “restricted groups” folder in your group policy).

    THANK YOU thank you thank you.

    side note: why not the ability to add an individual (i.e. small business where the IT team is just one person)? Obviously I have a group with just one person in it as my fix–more of a rhetorical question.

  112. Nabil on April 28th, 2011

    Hi!, Thank you very much for the article! Very simple and fast.!

    Thanks a lot again!
    Greetings from Argentina!

  113. Kathryn on June 21st, 2011

    This is the best of ALL the articles I’ve read on this. I am doing a complete replacement of the local Administrators membership but cannot find a way to add the local built-in Administrator account back in; any suggestions?

    Thanks

  114. Ioan Popovici on July 13th, 2011

    Hi,

    what’s the difference in using this method or simply, create/replace/update/delete local groups or users via GPO – Computer Configuration/Preferences/Control Panel Settings/Local Users And Groups ?

    Thanks :)

  115. kane on July 21st, 2011

    I must say this is a very good website! I read 3-5 different tutorials and they didn’t give me a clear understanding about the “members of” part. I had it wrong all along! I had assumed that when I created an Administrators Restricted Group, it was using the built-in Administrators. So I added the global group “localadmins” inside the “members of” section, which, from your tutorial, should have been the other way around!! I should have created a localadmins Restricted Group and then added Administrators to “member of”. THANK YOU!!!

  116. florian on August 4th, 2011

    The difference mainly is the method and the CSE by which this is done. The end result is the same – bottom line.

  117. Mark Wilkinson on April 11th, 2012

    Beautifully explained. It solved a problem that has been dogging me for weeks. Why can’t Microsoft be as concise?

  118. Farhad on April 15th, 2012

    This is a gr8 post. It’s really helpful to me.
    Thanks

  119. phunktional on January 8th, 2013

    It’s 2013 and your well-explained post is still putting smiles on people’s faces. Kudos to you! I got my 2 thumbs up on your behalf!

  120. Marco on February 7th, 2013

    Very nice explanation. I have been using Restricted Groups to achieve this for years and I had no idea that this is how it worked. Since I always added members to the group, it always replaced the local Administrators groups. I assumed this was how it worked, only replace. Having found this, I can now add groups, which is a relief.

    2013 and this is new information for many!

  121. Maj on March 21st, 2013

    this explanation is much better than the Self Paced MS Training Kit books

    ~Thanks for the clarity

  122. Nathanael Mole on September 29th, 2013

    I appreciate, result in I discovered exactly what I used to be looking for. You’ve ended my 4 day long hunt! God Bless you man. Have a great day. Bye