Add Domain group to local admin group on multiple workstations

Adding Domain Groups to Local Administrators Group on Multiple Workstations


Three methods have been found that accomplish this task. Method 3 is the method of choice in our domain environment.

Method 1

Use the Restricted Groups portion of a GPO to specify which groups/users are members of a particular local machine group. For instance, in a GPO under

Computer Configuration > Windows Settings > Security Settings > Restricted Groups,

add the local machine's Administrators group (e.g. from MY-COMPUTER, add the Administrators group). Then make domain groups members of this Administrators group (e.g. set Domain Admins and Tech Coach Test as members of this Administrators group).

All that's left is to make sure to apply this GPO to the computer objects in any given container.

Method 2


This can be done in a rather straightforward way that combines Group Policy and a startup script (NOT a logon script).

The key to the success of this process depends upon the fact that the machine's domain account is a member of Domain Admins. Thus, when the machine starts up and runs the script, its membership in the Domain Admins group allows it to successfully add a domain group to the local machine's Administrators group. The command line that is executed to perform the addition is as follows:

C:\>net localgroup Administrators /add "Domain\DomainGlobalGroup"

For instance, if I wanted to add the domain group, Tech, to every workstation's local Administrators group, I would first make all workstations in the domain members of Domain Admins. Then I would create a GPO that contained a startup script called "DomainToLocal.bat" and apply that to all machines in the domain. The script, DomainToLocal.bat, should be placed in the Scripts directory in the Sysvol share, and this script would contain the command line that follows:

net localgroup Administrators /add "YourDomain\Tech"
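A fuller version of the DomainToLocal.bat startup script, added here as an example rather than taken from the original page: it checks whether the group is already a member before calling net localgroup (so repeated boots do not produce "already a member" errors), records the outcome in a log file, and returns a non-zero exit code on failure. The group name YourDomain\Tech and the log path are assumptions for the example.

```batch
@echo off
rem DomainToLocal.bat - added example, not the original page's script.
rem Deploy as a GPO *startup* script (Computer Configuration), so it runs
rem at boot under the local SYSTEM account, before any user logs on.
rem Assumption: YourDomain\Tech is the domain global group to add.
setlocal
set "TARGET=YourDomain\Tech"
set "LOG=%SystemRoot%\Temp\DomainToLocal.log"

rem Idempotency check: skip the add if the group is already listed.
rem /L /C: searches for the literal string (no regex, so the backslash
rem is matched as-is); /I makes the comparison case-insensitive.
net localgroup Administrators | findstr /L /I /C:"%TARGET%" >nul
if not errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME% %TARGET% already in Administrators>>"%LOG%"
    endlocal & exit /b 0
)

rem Add the domain group. net.exe returns a non-zero exit code on failure
rem (for example when the domain controller is not reachable yet at boot),
rem and both its output and errors are appended to the log for review.
net localgroup Administrators "%TARGET%" /add >>"%LOG%" 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% %COMPUTERNAME% FAILED to add %TARGET% to Administrators>>"%LOG%"
    endlocal & exit /b 1
)
echo %DATE% %TIME% %COMPUTERNAME% added %TARGET% to Administrators>>"%LOG%"
endlocal & exit /b 0
```

After deployment, running `net localgroup Administrators` on a workstation should list YourDomain\Tech among the members, and the log file shows on which boot the change was made.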

Method 3

Use the Restricted Groups portion of a GPO to add the local Administrators group and then add a domain group as a member of that local Administrators group.