Add Users to local admin and remote desktop group using GPO

This tutorial will show you how to use the GPO Restricted Groups to add IT support technicians into the local administrator group of all PC's the policy is applied to. Using Group Policy to add users to the local admin group is a safer and better practice than providing domain admin privileges to technicians that do not have the need or experience to be working beyond the workstation level.

1.Define Security Group

First you need to define a security group in AD users and computers. In this example I am creating a security group called IT_Tech

  1. Log onto a Domain Controller
  2. Right click Users, New->Group->Security Call it IT_Tech
  3. Add the proper members.

Create Group Policy.

Next you need to create a group policy or use the default Domain Policy (not recommended).

For this example I am creating a separate policy called "Local Administrators"

  1. Open Group Policy Management Console
  2. Right click your domain or OU.
  3. Click Create a GPO in this domain, and link it here.
  4. Call it "Local Administrators"
  5. You should see the policy in the tree now.

3. Edit the policy to contain the IT_Tech group

Here you will add the IT_Tech group to the local administrators policy and put them in the groups you wish them to use.

  1. Right click "Local Administrators" Policy.
  2. Expand Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups
  3. In the Right pane of Restricted Groups, Right click and hit "Add Group..."
  4. Type IT_Tech and hit 'OK"
  5. Click Add under "This group is a member of:"
  6. Add the "Administrators" Group.
  7. Add "Remote Desktop Users"
  8. OK

***You can use this method to add users to other groups as well***

4. Test

Log on to a PC and type gpupdate /force then check the local administrators group. You should see IT_Tech in the group now.


I can be reached for comments, questions or ideas on twitter @Try2StopUs

Try2Stop.Us | Contact Us | Log In | Try2Stop.Us © 2011