The Restricted Group setting allows you to configure membership in groups within Active Directory or in the local security accounts manager (SAM) of domain-joined computers.
In this example, we will add all domain users to the local computers' Power Users group for all computers in the domain.
Note: Be aware that this method replaces the membership of the group you are configuring; it does not merge that membership with the members that already exist in the local group.
- Open the Group Policy Management Console
- Edit the Default Domain Policy
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
- Right-click Restricted Groups and select Add Group...
- The trick to adding a local group is to just type in the group name. Do not browse to find the Power Users group, because this will resolve to the domain's Power Users group. Type Power Users, as shown below, and click OK.
- Another window will pop up to let you configure the properties of the Power Users Restricted Group. Under Members of this group, click Add.
- Click the Browse button and browse for the group in Active Directory that you want to add to the local Power Users group. In this example, use Domain Users and click OK, as shown below.
- Close the GPO Editor and the Group Policy Management Console
When the policy is processed, the computer will attempt to resolve the Power Users name that you typed to a local group first, then a domain group if no local match is found.
You can follow the same process for any other OU to scope the GPO to a specific set of computers. If you want to add users to the local Administrators group, simply type that name instead of Power Users.
Hi!
Great post, but I think it might be important to add that using this option you clean the group you chose in the first step ('Power Users') and then add the group you chose in the second step ('domain\domain users').
Using the other approach - choosing the 'domain users' group in the first step and then, by the other 'This group is member of' option, picking 'Power users' - you actually ADD 'domain users' to the 'Power users' group without cleaning 'Power users' in the first place.
yacoob
Is there any way to REMOVE users from local security groups using a method similar to this?
Thanks,
Nate
yacoob is correct:
Adding a user/group to a local security group:
1. Select Add Group... [domain]\Domain Users
2. From 'This group is member of:' select Add... Power Users (technically BUILTIN\Power Users, but either will work)
Result: The local Power Users group will have [domain]\Domain Users added to the currently existing entries.
Forcing local security group membership:
1. Select Add Group... Power Users or BUILTIN\Power Users
2. From 'Members of this group:' select Add... [domain]\Domain Users
Result: The local Power Users group will only have [domain]\Domain Users as a member. All other existing entries will be removed.
In the same vein:
If you left the 'Members of this group:' and 'This group is member of:' empty for Power Users, then the Power Users group would be cleared out entirely.
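The replace-versus-add distinction in the post's note and in the comment above, as an added worked example (not code from the original post or its commenters): it parses a constructed [Group Membership] section in the GptTmpl.inf format that a Restricted Groups GPO is stored in and applies it to a constructed snapshot of a computer's local groups. The CORP domain, the group names, and the assumption that a client only rewrites groups present in its own SAM are mine.

```python
# Added example (not from the original post): a Python model of the two Restricted
# Groups behaviours described above.  A GPO writes two lines per restricted group
# into the [Group Membership] section of its GptTmpl.inf:
#   <group>__Members  = ...  'Members of this group'   -> membership is REPLACED
#   <group>__Memberof = ...  'This group is member of' -> group is ADDED, others kept
# Principals appear as names or SIDs prefixed with '*'; the policy text and the
# starting local membership below are constructed for this example.

def parse_group_membership(inf_text):
    """Return {(group, 'Members'|'Memberof'): [principals]} from GptTmpl.inf text."""
    entries, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, kind = key.strip().rsplit("__", 1)
        entries[(group, kind)] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return entries

def apply_restricted_groups(entries, local_groups):
    """Apply entries to a {local_group: set(members)} snapshot and return the new state.
    Model assumption: only groups in the local SAM snapshot can be rewritten, so the
    (empty) '__Members' line the editor writes for a domain group is ignored."""
    state = {g: set(m) for g, m in local_groups.items()}
    for (group, kind), principals in entries.items():
        if kind == "Members" and group in state:
            state[group] = set(principals)          # replace; an empty list clears the group
        elif kind == "Memberof":
            for target in principals:               # add; existing members are kept
                state.setdefault(target, set()).add(group)
    return state

SAMPLE_INF = """[Group Membership]
Power Users__Memberof =
Power Users__Members = CORP\\Domain Users
CORP\\Helpdesk__Memberof = Administrators
CORP\\Helpdesk__Members =
Remote Desktop Users__Memberof =
Remote Desktop Users__Members =
"""
BEFORE = {  # constructed snapshot of a member computer's local groups before processing
    "Administrators": {"Administrator", "CORP\\Domain Admins"},
    "Power Users": {"CORP\\LegacyApp Operators"},
    "Remote Desktop Users": {"CORP\\RDP Users"},
}

def simulate():
    return apply_restricted_groups(parse_group_membership(SAMPLE_INF), BEFORE)
```

Running simulate() shows Power Users losing its previous member, Administrators keeping its members and gaining CORP\Helpdesk, and Remote Desktop Users emptied because both of its lines are blank.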
Just what I was looking for! THANKS!! DS