Adding users (AD or otherwise) to the local administrators group on multiple computers is simple using Group Policy and difficult otherwise. That’s because Group Policy can manage this group as what is commonly known as a “Restricted Group”. When you configure a Restricted Group policy, members of the restricted group that are not on the Members list are removed. Users on the Members list who are not currently members of the restricted group are added. In this post I’ll describe the process to add a member to the restricted group policy.
For this example, I’ve decided to simply create a group that I can add users to and remove users from, and to add that group to the Restricted Group Policy.
- Create a Global Security Group, and name it appropriately.
- Create / add your user(s) to this newly created group.
- Open Group Policy Manager, create a new Group Policy Object (GPO) and link it to an Organizational Unit (OU).
- Open the GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups.
- Right-click and choose Add Group. Enter the name of the Active Directory security group you want to add to the local administrators group and click OK. On the next screen, in the “This group is a member of:” section, select “Add” and enter Administrators to add the group to the local administrators group. Select OK and close the GPO to save the changes. NOTE – This process is additive: users and groups that are currently in the local administrators group are left unmodified.
You can add additional users to the domain group and they will automatically be part of the local administrators group on servers that apply the GPO.
If you instead want to add users directly to the local administrators group, enter Administrators as the group to add. In the next window, under “Members of this group:”, click Add and choose the users to add to the local administrators group.
NOTE – Any users that are currently in the local administrators group will be removed and replaced with the users you select here. If that is what you want, click OK and close the GPO.
- Navigate to your test server, open an administrative command prompt and type:
  gpupdate /force
- If you now navigate to the local groups on the server, you should see that your “Local Admins” group is now in the local “Administrators” Group.
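The two modes described above, the additive “This group is a member of:” and the replacing “Members of this group:”, are stored differently in the GPO's security template (GptTmpl.inf, section [Group Membership]). The following is an added example, not part of the original post, that parses that section and reports which mode touches Administrators; the sample templates, the placeholder SIDs and the function names are constructed for illustration.

```python
# Added example (not from the original post): report how each Restricted
# Groups entry in a GptTmpl.inf treats the local Administrators group.
ADMINS = {"S-1-5-32-544", "Administrators"}  # well-known SID or plain name

# Constructed samples; the domain SID and RIDs are placeholders.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
ADDITIVE_INF = f"""[Unicode]
Unicode=yes
[Group Membership]
*{DOM}-1105__Memberof = *S-1-5-32-544
*{DOM}-1105__Members =
[Version]
Revision=1
"""
REPLACING_INF = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{DOM}-512,*{DOM}-1105
"""


def parse_group_membership(inf_text):
    """Return (group, kind, values) for each line of [Group Membership]."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        key, eq, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not (in_section and eq and sep):
            continue
        values = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        entries.append((group.lstrip("*"), kind.lower(), values))
    return entries


def admin_impact(inf_text):
    """Classify entries touching Administrators as 'additive' or 'replace'."""
    findings = []
    for group, kind, values in parse_group_membership(inf_text):
        if kind == "memberof" and ADMINS & set(values):
            findings.append(("additive", group))  # group is nested into Administrators
        elif kind == "members" and group in ADMINS:
            findings.append(("replace", values))  # this list becomes the full membership
    return findings


if __name__ == "__main__":
    print(admin_impact(ADDITIVE_INF))
    print(admin_impact(REPLACING_INF))
```

A "replace" finding is the case the NOTE above warns about: anything in the local administrators group that is not in the reported list is removed when the GPO applies.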
Technet: Restricted Groups Policy Settings: http://technet.microsoft.com/en-us/library/cc756802%28v=ws.10%29.aspx
Technet: Restricted Groups: http://technet.microsoft.com/en-us/library/cc957640.aspx