Q

Can I append Domain Groups to the local 'Admin' Group of Domain Computers without affecting the exis

Expert Jeremy Moskowitz explains what an admin would need to do to append Domain Groups to the local 'Admin' Group of Domain Computers without affecting the existing members.

Is there a way to append Domain Groups to the local "Administrators" Group of Domain Computers using a GPO, WITHOUT affecting the existing members of the aforementioned group?

I know that one can use "Restricted Groups" for that purpose, but this will also mean that any members inside the local "Administrators" Group will be deleted and I don't want that to happen.

There's no direct way to do this with Group Policy; as you rightly say, "Restricted Groups" is a wipe-and-replace operation, not incremental.

One way would be to use a script to do it, although that would need to run in a context with sufficient permissions, so either using an existing user account that already has local admin rights, or as a machine startup script. The relevant command to go into a script would be:

net localgroup administrators <YourDomain>\<SomeGroup> /add

This was first published in September 2006
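
The startup-script approach from the answer, written as an added PowerShell example (not the expert's or TechTarget's code) that can run on every boot without touching existing members. It uses the Add-LocalGroupMember cmdlet in place of net localgroup. Assumptions: Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module; the group name EXAMPLE\Workstation-Admins and the log path are placeholders.

```powershell
# Added example: machine startup script (runs as SYSTEM) that appends one
# domain group to the local Administrators group and leaves all other
# members alone. Group name and log path below are placeholders.
$Member  = 'EXAMPLE\Workstation-Admins'
$LogFile = Join-Path $env:SystemRoot 'Temp\Add-LocalAdminGroup.log'

function Write-Log([string]$Message) {
    # One timestamped line per run, so repeated boots leave an audit trail.
    '{0:u} {1}' -f (Get-Date), $Message | Add-Content -Path $LogFile
}

try {
    # Resolve the group by its well-known SID (S-1-5-32-544) so the script
    # also works on localized builds where it is not named "Administrators".
    $admins = Get-LocalGroup -SID 'S-1-5-32-544' -ErrorAction Stop

    # Add-LocalGroupMember only adds; it never removes existing members.
    Add-LocalGroupMember -SID $admins.SID -Member $Member -ErrorAction Stop
    Write-Log "Added $Member to $($admins.Name)."
}
catch {
    if ($_.Exception.GetType().Name -eq 'MemberExistsException') {
        # Already added on an earlier boot: nothing to do.
        Write-Log "$Member is already a member; no change."
    }
    else {
        # For example: no domain controller reachable yet at startup,
        # or the group name does not resolve.
        Write-Log "Failed to add ${Member}: $($_.Exception.Message)"
        exit 1
    }
}
```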
