Adding domain users to a local machine group using GPO

To add domain users to a local machine group using Group Policy, we need to use the Restricted Groups feature.  For the example shown below, I’ll be using a Windows Server 2003 domain functional level.

  1. Create a new global/universal security group in Active Directory to contain the users which you wish to add to the local group on the target machines.
  2. Make the domain users you wish to add to the local group on the target machines members of this new group.
  3. Open the Group Policy Management Console (GPMC) and navigate to the OU where the target machines reside.  For example, if we have a ‘Desktops’ OU which contains the machines to which we wish to add the domain users, that is where the Group Policy Object (GPO) we need to edit or create must be linked.
  4. If a GPO is already linked to the selected OU, edit it.  If there is none, create a new GPO, link it to the OU, and then edit it.
  5. Within the Group Policy, navigate to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Restricted Groups
  6. Right-click on either Restricted Groups in the left pane of the Group Policy Management Editor, or in the right pane, and select Add Group.
  7. The ‘Add Group’ window appears:
    [Screenshot: the Add Group window]
  8. Click the ‘Browse’ button to open the ‘Select Groups’ window and select the group created in step 1, above, then click OK.  Click OK on the Add group window.
  9. The Properties window for the Restricted Group appears:
    [Screenshot: the Restricted Group Properties window]
  10. The Properties window has two membership areas: ‘Members of this group’ and ‘This group is a member of’.  The ‘Members of this group’ list is authoritative: it would set the membership of the Active Directory group created in step 1 to exactly the accounts listed, removing any existing members that are not in the list.  As we already added the required users to that group in step 2, we should not use this option.  The ‘This group is a member of’ list is additive: it adds the security group (and therefore its members) to the group(s) specified, without removing anyone who is already in those groups.  Keep the authoritative option in mind if you ever restrict a local group such as Administrators directly, as it will strip every member not listed on the next policy refresh.
  11. Click Add next to the ‘This group is a member of’ option and enter the names of the local groups you wish to have the domain users added to (e.g. Administrators, Users, Performance Monitor Users etc.) and click OK.
  12. To test that the above steps have worked, log on to one of the target machines, run ‘gpupdate /force’ from a command prompt, and then check the local groups specified above for the new members, for example with ‘net localgroup Administrators’.  The domain group should appear as a member; its users gain the rights only after they next log on.
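The same procedure can be scripted for the parts that have cmdlets.  The following PowerShell is an added example and is not from the original post: it performs steps 1 to 4 with the ActiveDirectory and GroupPolicy modules (RSAT), and then provides a check for step 12 to run on a target machine.  The Restricted Groups entry itself (steps 5 to 11) has no GroupPolicy cmdlet, so that part is still done in the editor as described.  The group name ‘Desktops-LocalAdmins’, the OU ‘OU=Desktops,DC=corp,DC=example’, the GPO name ‘Desktops - Local Admins’ and the user names are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumed names for illustration:
$GroupName = 'Desktops-LocalAdmins'                  # assumed AD group (step 1)
$TargetOU  = 'OU=Desktops,DC=corp,DC=example'        # assumed OU holding the machines
$GpoName   = 'Desktops - Local Admins'               # assumed GPO name
$Users     = @('alice', 'bob')                       # assumed sAMAccountNames (step 2)

Import-Module ActiveDirectory
Import-Module GroupPolicy

# Step 1: create a global security group if it does not already exist.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}

# Step 2: make the chosen domain users members of that group.
Add-ADGroupMember -Identity $GroupName -Members $Users

# Steps 3-4: create the GPO if needed and link it to the OU containing the target machines.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
}
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# Steps 5-11 are configured in the Group Policy Management Editor. The Restricted Groups
# entry is stored by SID, so print the SID to recognise it in the policy later.
Write-Host "Restricted Groups will reference this group by SID: $((Get-ADGroup $GroupName).SID.Value)"

# Step 12: run this on a target machine after 'gpupdate /force'. Uses the WinNT ADSI
# provider, which works on every Windows version the procedure applies to.
function Test-LocalGroupContains {
    param(
        [string]$LocalGroup = 'Administrators',
        [Parameter(Mandatory)][string]$DomainGroup
    )
    $members = ([ADSI]"WinNT://./$LocalGroup,group").Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    # Returns $true when the domain group appears as a member of the local group.
    return [bool]($members -contains $DomainGroup)
}

if (Test-LocalGroupContains -LocalGroup 'Administrators' -DomainGroup $GroupName) {
    Write-Host "$GroupName is a member of the local Administrators group."
} else {
    # Confirm the GPO was actually applied before suspecting the Restricted Groups entry.
    Write-Warning "$GroupName not found; check 'gpresult /r /scope computer' for '$GpoName'."
}
```

Because the example uses the additive ‘This group is a member of’ form, any accounts already in the local Administrators group on the target machines remain; only the ‘Members of this group’ form would remove them.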