Once and for all, without having to buy additional tools or make a script.

This process invovles making use of Restricted Groups but if not followed correctly it will remove all other users and groups from the local admin group on the applied computers.  Please make sure you follow the directions.

Using restricted groups, Edit GPO Computer Configuration Windows Settings Security Settings Restricted Groups;

Right click and select add group,

specify the Domain Admin group by typing or using the Browse button.

Click OK, this will open the Configure Membership properties sheet,

in the bottom portion “This group is a member of:” click Add, specify Administrators, and then click OK.

Click OK on the properties sheet, and then link your GPO, in the cmd prompt type gpupdate /force.

And then test it.

This info was contributed by David A. Norsen

Regards,

Anthony

Anthony Clendenen | Senior Technical Consultant | Microsoft Practices | Dimension Data

“Dimension Data is Microsoft’s 2006 Global Advanced Infrastructure Technology Innovation

Partner of the Year… for the Dynamic Desktop Deployment Solution”

Tags: Group Policy