Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


November 10, 2008

Adding a Global Group to the Local Administrators Group

Main article: Enterprise Random Password Manager 4.0

In my Enterprise Random Password Manager review, I mentioned that the Deferred Processor required local Administrator permission to change local passwords and/or restart NT services. In the review, I chose to use the domain administrator account because it’s automatically added to the local Administrators group when the machine is added to the domain. However, using this all-powerful account probably isn’t the best idea in a production environment. In fact, the domain administrator account shouldn’t be used at all on a day-to-day basis; IT personnel should have separate administrator accounts that have been delegated the proper authority in Active Directory (AD), and the domain administrator account password should be locked away for safekeeping.

To grant the Deferred Processor (or any other service or user) local Administrator rights to a PC or server, you need to complete the following three steps:
1. Create a global group in the domain.
2. Add the global group to the local Administrators group on the machine.
3. Add the user that you want to give local Administrator rights to the global group.

Once you’ve completed these steps, the setup should look similar to Figure A. Completing these steps takes only a few minutes on one or two computers, but can be a nightmare if you have hundreds or thousands of machines. So how can you add a global group to a local Administrators group on multiple machines without visiting each PC? Let’s take a look at two methods for adding a global group to a local group in such environments.

Method 1: Using a Script
You can use a simple logon or machine startup script similar to the following command to add a global group to the local Administrators group:

net localgroup Administrators "Domain\Deferred Processor" /add

Note that you must place quotes around names that contain spaces. Also note that changing local group membership requires administrative rights on the machine: a computer startup script runs under the Local System account and has those rights, whereas a user logon script runs with the logging-on user’s token and succeeds only when that user is already a local administrator.

Method 2: Using the Restricted Groups Policy
There’s a Group Policy, called Restricted Groups, that provides a more elegant method for adding a global group to a local group. The Restricted Groups policy’s name doesn’t describe it very well. Even the Microsoft article at support.microsoft.com/kb/279301 doesn’t quite provide the whole story about Restricted Groups. Let’s look at how you can use Restricted Groups to add a global group to a local group.

You can find this Group Policy under Computer Configuration/Windows Settings/Security Settings/Restricted Groups. Once you’ve navigated to the Group Policy Object (GPO), right-click it and choose Add Group from the context menu. Next, enter the name of the local group on the machine to which you want to add global groups. For our example, you’ll want to add to the local Administrators group. A new window will pop up that lets you add domain users or groups to the local group, which you can do by clicking Add in the Members of this Group section. I recommend referring to Figure A to keep the process straight as to which group goes where.

Be sure to note which groups are already in the local group that you’re modifying, because implementing the Restricted Groups policy will remove all groups and users from the list on the local machine. For example, the Domain Administrators global group is automatically added to the local Administrators group when a machine is added to the domain. If you forget to add domain administrators to the Restricted Groups policy, domain administrators will be removed from the local Administrators group. At this time, I don’t know of a way to force the GPO to append additional users and groups to the original list; it’s strictly a replace operation. The next time that Group Policy is refreshed on the machine or the machine is rebooted, the list of users and groups in the local Administrators group will be replaced by the list in the Restricted Groups policy.
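As an added example (not part of the article or the product it reviews), the PowerShell script below inventories the current members of the local Administrators group on each listed machine, which is exactly the record you need before a Restricted Groups policy replaces that list, and with -Add performs the Method 1 addition only when the global group is not already a member. The domain name CONTOSO, the computer list and the -Add switch are assumptions; the ADSI WinNT provider is used because it is available on every Windows version of the period.

```powershell
# Added example: audit local Administrators membership before deploying Restricted
# Groups, and optionally add the global group idempotently. Run from an account that
# is an administrator on the target machines. CONTOSO and the defaults are assumed.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # constructed default: this machine
    [string]$Domain        = 'CONTOSO',                # assumed NetBIOS domain name
    [string]$GlobalGroup   = 'Deferred Processor',     # group name used in the article
    [switch]$Add                                       # add the group if it is missing
)

function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    # Call IADsGroup::Members and read each member's ADsPath (for example
    # WinNT://CONTOSO/Domain Admins) so the domain is visible in the report.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    }
}

foreach ($computer in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMembers -Computer $computer)
    } catch {
        Write-Warning "$computer : could not read local Administrators ($($_.Exception.Message))"
        continue
    }

    # Everything listed here must also appear in the Restricted Groups policy,
    # or it will be dropped at the next Group Policy refresh.
    Write-Output "$computer : $($members -join '; ')"

    $wanted = "$Domain/$GlobalGroup"
    if ($members -contains $wanted) {            # -contains compares case-insensitively
        Write-Output "$computer : '$wanted' is already a member"
    } elseif ($Add) {
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        $group.Add("WinNT://$wanted,group")       # same effect as 'net localgroup ... /add'
        Write-Output "$computer : added '$wanted'"
    }
}
```

Run it once without -Add to capture the existing membership for the Restricted Groups policy, then with -Add to apply Method 1 to the same machines.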

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement