( - or: How can I add [Active Directory] user accounts into some? clients’ local Administrators group without touching each client?)
This article describes the feature “Restricted Groups” in Group Policy. This feature enables you - as the administrator - to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy.
As there are many questions about this in the newsgroups, I will come up with an example that shows how to put a group of Active Directory users into the local Administrators group on the clients.
For this article, I assume that you already created a global security group containing all users that shall become local Administrators on some client computers. In my example, the group is called “localAdmins”. The target (= client) computers reside in a specific OU.
If you’re using the Group Policy Editor, you navigate to the OU where the client computers reside and right-click it. Choose “Properties” and “Group Policy” where you create a new Policy and click “Edit”. You then navigate to:
CompConf\Windows Settings\Security Settings\ and then right-click “Restricted Groups” and choose “Add Group”.
You simply add the created group by clicking “Browse..” or typing the group name into the box.
After clicking “OK”, another beautiful window opens up, where you can find two boxes. The upper box, saying “Members of this group”, the lower one saying “This group is a member of”.
If you added users or groups into the “Members of this group” box, you would advise the Restricted Groups feature to put the users and groups you selected into the localAdmins group. Restricted Groups would then replace the current members of the localAdmins group with the users and groups you filled into the box. Please recognize my words, it would replace them - just wipe existing users out of the localAdmins group.
As we do not want to add users or other groups to our group, but add our localAdmins group the local Administrators group on our clients, we have a look at the lower box - labeled “This group is member of”. We click “Add” and type in the name of the group, we want localAdmins to be member of. In this case, it “Administrators”. We then simply click “OK” and “Apply” and close all windows. “This group is member of” advices “Restricted Groups” to add our localAdmins group into the “Administrators” group of the clients. The existing group members will not be touched - it simply adds our group.