Adding a Global Group to the Local Administrators Group
Using the Restricted Groups Policy on Server 2008
There’s a Group Policy, called Restricted Groups, that provides a more elegant method for adding a global group to a local group. The Restricted Groups policy’s name doesn’t describe it very well. Even the Microsoft article at support.microsoft.com/kb/279301 doesn’t describe it well.
To find this policy, right-click the GPO you want to add it to and click Edit, then go to Computer Configuration/Windows Settings/Security Settings/Restricted Groups. Once you’ve navigated to the policy in the Group Policy Object (GPO), right-click it and choose Add Group from the context menu. Next, enter the name of the local group on the machine to which you want to add global groups. For our example, that is the local Administrators group. A new window will pop up that lets you add domain users or groups to the local group, which you can do by clicking Add in the Members of this Group section.
IMPORTANT: Be sure to note which groups are already in the local group that you’re modifying, because implementing the Restricted Groups policy will remove all groups and users from the list on the local machine. For example, the Domain Administrators global group is automatically added to the local Administrators group when a machine is added to the domain. If you forget to add domain administrators to the Restricted Groups policy, domain administrators will be removed from the local Administrators group. At this time, I don’t know of a way to force the GPO to append additional users and groups to the original list; it’s strictly a replace operation. The next time that Group Policy is refreshed on the machine or the machine is rebooted, the list of users and groups in the local Administrators group will be replaced by the list in the Restricted Groups policy.
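One way to record the existing membership before the policy applies, as an added PowerShell example that is not part of the original article: it lists the current members of the local Administrators group and compares them with the list you plan to enter in Restricted Groups. The function name, the CONTOSO domain and the planned group names are placeholders made up for this example, and the script assumes the group carries its English name, Administrators.

```powershell
# Constructed sample: the list you intend to enter under "Members of this group".
# CONTOSO and both group names are placeholders, not values from the article.
$PlannedMembers = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

function Get-LocalAdministratorsMember {
    # Hypothetical helper name. Uses the WinNT ADSI provider, so it also runs on
    # older systems that do not ship the Get-LocalGroupMember cmdlet.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name for local accounts.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) {
            '{0}\{1}' -f $parts[-2], $parts[-1]
        } else {
            $parts[0]   # an unresolved SID comes back as a single element
        }
    }
}

$current = @(Get-LocalAdministratorsMember)

# -notcontains compares case-insensitively, which matches how account names behave.
$missingFromPlan = @($current        | Where-Object { $PlannedMembers -notcontains $_ })
$newInPlan       = @($PlannedMembers | Where-Object { $current -notcontains $_ })

'Current members of local Administrators on {0}:' -f $env:COMPUTERNAME
$current | ForEach-Object { "  $_" }

'In the group now but missing from the planned list:'
$missingFromPlan | ForEach-Object { "  $_" }

'In the planned list but not in the group yet:'
$newInPlan | ForEach-Object { "  $_" }
```

Run it on a representative machine before linking the GPO; anything printed under the second heading is an entry to either add to the policy or accept losing.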