Adding a domain group to a local group on all workstations

In many cases you may wish to add a user or group to a local group on all workstations in a domain. A common example is adding a certain user or group to the local Administrators group on all computers. The easiest way to do this is through Group Policy using the Restricted Groups option; however, the exact way to configure the policy is not very intuitive. An incorrectly configured Group Policy will overwrite the existing local group membership instead of simply adding the new member.

Perform the following steps:

  1. If you wish to add one or more users to local groups on a workstation, begin by creating a global group containing the user(s), or select an existing group. (This is a good security practice regardless of what you are doing.)
  2. If the local group does not exist on the workstation or server from which you will be editing the GPO (e.g. if it is a custom, not a built-in group), you will need to create it. If desired, it can be deleted once you are finished.
  3. Open the Group Policy Object editor on a policy that applies to all of the workstations to be updated (e.g. Default Domain Policy).
  4. Browse to Computer Configuration -> Windows Settings -> Security Settings -> Restricted Groups.
  5. Right-click and choose Add Group... In the dialog box that opens enter the name of the global group from step 1.
  6. Another dialog box will open with sections labeled "Members of this group" and "This group is a member of." Add the local group in the bottom section ("This group is a member of") and leave the top section blank/greyed-out.
  7. Click OK and close the editor.
  8. Apply the policy to your workstations by running gpupdate, rebooting, or simply waiting until the next automatic Group Policy refresh.
  9. Verify the local group membership has changed.

As an added bonus, the GPO method above ensures that the global group remains a member of the local group, because the policy restricts the global group's "member of" list to always include the local group. (As with many Group Policy settings, this is counter-intuitive.) If another local Administrator removes it, it will be automatically re-added at the next Group Policy refresh.

At first it may appear more logical to enter the local group in step 5 and then add the global group under "Members of this group" in step 6. However, doing this overwrites the existing local group membership, replacing it with only the global group. This has the effect of restricting membership of the local group: no members can be added to or removed from it, since the policy will revert any change at the next refresh.
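The difference between the two configurations can be seen in the policy file the editor writes. The following script is an added example, not part of the original TechByte, and assumes (from memory of the format, not from this page) that Restricted Groups settings are stored in the GPO's GptTmpl.inf under a [Group Membership] section as "<group>__Memberof = <groups>" and "<group>__Members = <members>" lines, comma-separated, with SIDs prefixed by "*". It classifies each restricted group as additive (the "This group is a member of" form from step 6, which only adds) or enforcing (the "Members of this group" form, which replaces the whole membership) and flags any built-in local group whose membership would be replaced. The CONTOSO domain, the WksAdmins group and the S-1-5-21 domain SID in the sample are constructed placeholders; S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```python
"""Classify Restricted Groups entries in a GPO's GptTmpl.inf.

Two kinds of line appear per restricted group (format assumed from memory):
  <group>__Memberof = <groups>   the group is added to each listed group;
                                 the listed groups' other members are untouched
  <group>__Members  = <members>  the group's membership is replaced by exactly
                                 the listed members; everything else is removed
The first is the additive configuration described in step 6; the second is
the overwriting configuration warned about above.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

ADMINISTRATORS_SID = "*S-1-5-32-544"  # well-known SID of built-in Administrators

# Constructed sample: one additive entry (WksAdmins -> Administrators) and one
# enforcing entry that would replace Administrators with a single domain group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
CONTOSO\\WksAdmins__Memberof = *S-1-5-32-544
CONTOSO\\WksAdmins__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-222222222-333333333-512
[Version]
signature="$CHICAGO$"
Revision=1
"""

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
ENTRY_RE = re.compile(
    r"^\s*(?P<group>.+?)__(?P<kind>Memberof|Members)\s*=\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)


class RestrictedGroup(NamedTuple):
    group: str
    members: List[str]     # "Members of this group" (replaces membership)
    member_of: List[str]   # "This group is a member of" (adds to those groups)

    @property
    def mode(self) -> str:
        if self.members:
            return "enforcing"
        if self.member_of:
            return "additive"
        return "undefined"


def _split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_group_membership(inf_text: str) -> Dict[str, RestrictedGroup]:
    """Parse the [Group Membership] section into RestrictedGroup entries."""
    section: Optional[str] = None
    members: Dict[str, List[str]] = {}
    member_of: Dict[str, List[str]] = {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").lower()
            continue
        if section != "group membership":
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        group = entry.group("group").strip()
        target = members if entry.group("kind").lower() == "members" else member_of
        target[group] = _split_list(entry.group("value"))
    return {
        g: RestrictedGroup(g, members.get(g, []), member_of.get(g, []))
        for g in sorted(set(members) | set(member_of))
    }


def find_overwrites(inf_text: str,
                    protected: Iterable[str] = (ADMINISTRATORS_SID,)) -> List[str]:
    """Return protected local groups whose membership this GPO would replace."""
    protected_set = set(protected)
    return [g for g, e in parse_group_membership(inf_text).items()
            if g in protected_set and e.mode == "enforcing"]


if __name__ == "__main__":
    for group, entry in parse_group_membership(SAMPLE_INF).items():
        print(f"{group}: {entry.mode}  members={entry.members}  member_of={entry.member_of}")
    for group in find_overwrites(SAMPLE_INF):
        print(f"WARNING: {group} membership would be replaced, not extended")
```

Run against the GptTmpl.inf of each GPO that touches Restricted Groups; any built-in group reported as "enforcing" is configured the way the previous paragraph warns about.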

Another method of accomplishing (almost) the same thing is to run the following command:

net localgroup local_group_name new_member_name /ADD

However, this does not offer the same resiliency as the GPO method (a local Administrator could permanently remove the new member), and it requires that the account running the command has rights to add members to the group -- which makes it an ineffective method for adding groups to the local Administrators group.


Author: ASAK
Created: Apr 17 2006 (last modified Apr 18 2006)
Categories: Windows 2000 Server - Windows 2003 Server
TechByte #133
